Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe

Overview

General Information

Sample name:1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe
Analysis ID:1564220
MD5:160c2784d173e7bb077ff0794a922488
SHA1:7ac9ad6a60cc685b24f65ba7715c2a85387eff62
SHA256:c3dcf0bb8f1a9506ec058c0b70f3335e02d3e9d83a5e3af370b917c097f191b6
Tags:base64-decodedexeuser-abuse_ch
Infos:

Detection

Remcos
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionalty to change the wallpaper
Delayed program exit found
Installs a global keyboard hook
Machine Learning detection for sample
Uses dynamic DNS services
Abnormal high CPU Usage
Contains functionality for read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

Process Tree

  • System is w10x64
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
Remcos, RemcosRATRemcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers.Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns.Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user.Remcos is developed by the cybersecurity company BreakingSecurity.
  • APT33
  • The Gorgon Group
  • UAC-0050
https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Malware Configuration

Threatname: Remcos

{"Host:Port:Password": ["rxsas.duckdns.org:57870:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Disable", "Setup HKLM\\Run": "Disable", "Install path": "System32", "Copy file": "Google.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc$urG9345JRjuDjdGoH-YL3THJ", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Google", "Keylog folder": "remcos"}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
    1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeJoeSecurity_RemcosYara detected Remcos RATJoe Security
      1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeJoeSecurity_UACBypassusingCMSTPYara detected UAC Bypass using CMSTPJoe Security
        1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeWindows_Trojan_Remcos_b296e965unknownunknown
        • 0x6aaf8:$a1: Remcos restarted by watchdog!
        • 0x6b070:$a3: %02i:%02i:%02i:%03i
        1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeREMCOS_RAT_variantsunknownunknown
        • 0x64d94:$str_a1: C:\Windows\System32\cmd.exe
        • 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
        • 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
        • 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
        • 0x64e04:$str_b2: Executing file:
        • 0x65c3c:$str_b3: GetDirectListeningPort
        • 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
        • 0x65780:$str_b7: \update.vbs
        • 0x64e2c:$str_b9: Downloaded file:
        • 0x64e18:$str_b10: Downloading file:
        • 0x64ebc:$str_b12: Failed to upload file:
        • 0x65c04:$str_b13: StartForward
        • 0x65c24:$str_b14: StopForward
        • 0x656d8:$str_b15: fso.DeleteFile "
        • 0x6566c:$str_b16: On Error Resume Next
        • 0x65708:$str_b17: fso.DeleteFolder "
        • 0x64eac:$str_b18: Uploaded file:
        • 0x64e6c:$str_b19: Unable to delete:
        • 0x656a0:$str_b20: while fso.FileExists("
        • 0x65349:$str_c0: [Firefox StoredLogins not found]
        Click to see the 1 entries

        Dropped Files

        SourceRuleDescriptionAuthorStrings
        C:\ProgramData\remcos\logs.datJoeSecurity_RemcosYara detected Remcos RATJoe Security

          Memory Dumps

          SourceRuleDescriptionAuthorStrings
          00000000.00000002.4115432387.00000000022CF000.00000004.00000010.00020000.00000000.sdmpJoeSecurity_RemcosYara detected Remcos RATJoe Security
            00000000.00000002.4115163169.0000000000805000.00000004.00000020.00020000.00000000.sdmpJoeSecurity_RemcosYara detected Remcos RATJoe Security
              00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
                00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_RemcosYara detected Remcos RATJoe Security
                  00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpJoeSecurity_UACBypassusingCMSTPYara detected UAC Bypass using CMSTPJoe Security
                    Click to see the 10 entries

                    Unpacked PEs

                    SourceRuleDescriptionAuthorStrings
                    0.0.1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe.400000.0.unpackJoeSecurity_Keylogger_GenericYara detected Keylogger GenericJoe Security
                      0.0.1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe.400000.0.unpackJoeSecurity_RemcosYara detected Remcos RATJoe Security
                        0.0.1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe.400000.0.unpackJoeSecurity_UACBypassusingCMSTPYara detected UAC Bypass using CMSTPJoe Security
                          0.0.1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe.400000.0.unpackWindows_Trojan_Remcos_b296e965unknownunknown
                          • 0x6aaf8:$a1: Remcos restarted by watchdog!
                          • 0x6b070:$a3: %02i:%02i:%02i:%03i
                          0.0.1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe.400000.0.unpackREMCOS_RAT_variantsunknownunknown
                          • 0x64d94:$str_a1: C:\Windows\System32\cmd.exe
                          • 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
                          • 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
                          • 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
                          • 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
                          • 0x64e04:$str_b2: Executing file:
                          • 0x65c3c:$str_b3: GetDirectListeningPort
                          • 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
                          • 0x65780:$str_b7: \update.vbs
                          • 0x64e2c:$str_b9: Downloaded file:
                          • 0x64e18:$str_b10: Downloading file:
                          • 0x64ebc:$str_b12: Failed to upload file:
                          • 0x65c04:$str_b13: StartForward
                          • 0x65c24:$str_b14: StopForward
                          • 0x656d8:$str_b15: fso.DeleteFile "
                          • 0x6566c:$str_b16: On Error Resume Next
                          • 0x65708:$str_b17: fso.DeleteFolder "
                          • 0x64eac:$str_b18: Uploaded file:
                          • 0x64e6c:$str_b19: Unable to delete:
                          • 0x656a0:$str_b20: while fso.FileExists("
                          • 0x65349:$str_c0: [Firefox StoredLogins not found]
                          Click to see the 7 entries

                          Sigma Signatures

                          Stealing of Sensitive Information

                          barindex
                          Sigma detected: Remcos
                          Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, ProcessId: 5924, TargetFilename: C:\ProgramData\remcos\logs.dat

                          Suricata Signatures

                          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                          2024-11-27T23:59:56.770427+010020365941Malware Command and Control Activity Detected192.168.2.44973045.135.232.3857870TCP
                          TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                          2024-11-28T00:00:08.223643+010028033043Unknown Traffic192.168.2.449731178.237.33.5080TCP

                          Joe Sandbox Signatures

                          Click to jump to signature section

                          Show All Signature Results

                          AV Detection

                          barindex
                          Antivirus / Scanner detection for submitted sample
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeAvira: detected
                          Antivirus detection for URL or domain
                          Source: rxsas.duckdns.orgAvira URL Cloud: Label: malware
                          Found malware configuration
                          Source: 00000000.00000002.4115163169.00000000007AE000.00000004.00000020.00020000.00000000.sdmpMalware Configuration Extractor: Remcos {"Host:Port:Password": ["rxsas.duckdns.org:57870:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Disable", "Setup HKLM\\Run": "Disable", "Install path": "System32", "Copy file": "Google.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc$urG9345JRjuDjdGoH-YL3THJ", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Google", "Keylog folder": "remcos"}
                          Multi AV Scanner detection for submitted file
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeReversingLabs: Detection: 68%
                          Yara detected Remcos RAT
                          Source: Yara matchFile source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, type: SAMPLE
                          Source: Yara matchFile source: 0.0.1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 00000000.00000002.4115432387.00000000022CF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000002.4115163169.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000000.1650875081.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000002.4115163169.00000000007AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe PID: 5924, type: MEMORYSTR
                          Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                          AI detected suspicious sample
                          Source: Submited SampleIntegrated Neural Analysis Model: Matched 100.0% probability
                          Machine Learning detection for sample
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeJoe Sandbox ML: detected
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_0043293A
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, 00000000.00000000.1650875081.0000000000457000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: -----BEGIN PUBLIC KEY-----memstr_628f0dbd-9

                          Exploits

                          barindex
                          Yara detected UAC Bypass using CMSTP
                          Source: Yara matchFile source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, type: SAMPLE
                          Source: Yara matchFile source: 0.0.1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000000.1650875081.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe PID: 5924, type: MEMORYSTR

                          Privilege Escalation

                          barindex
                          Contains functionality to bypass UAC (CMSTPLUA)
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_00406764 _wcslen,CoGetObject,0_2_00406764
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040B335
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,0_2_0041B42F
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040B53A
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,0_2_004089A9
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_00406AC2 FindFirstFileW,FindNextFileW,0_2_00406AC2
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,0_2_00407A8C
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00418C69
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,0_2_00408DA7
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00406F06

                          Networking

                          barindex
                          Suricata IDS alerts for network traffic
                          Source: Network trafficSuricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.4:49730 -> 45.135.232.38:57870
                          C2 URLs / IPs found in malware configuration
                          Source: Malware configuration extractorURLs: rxsas.duckdns.org
                          Uses dynamic DNS services
                          Source: unknownDNS query: name: rxsas.duckdns.org
                          Source: global trafficTCP traffic: 192.168.2.4:49730 -> 45.135.232.38:57870
                          Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                          Source: Joe Sandbox ViewIP Address: 45.135.232.38 45.135.232.38
                          Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
                          Source: Joe Sandbox ViewASN Name: ASBAXETNRU ASBAXETNRU
                          Source: Network trafficSuricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.4:49731 -> 178.237.33.50:80
                          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                          Source: unknownUDP traffic detected without corresponding DNS query: 1.1.1.1
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_004260F7 recv,0_2_004260F7
                          Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
                          Source: global trafficDNS traffic detected: DNS query: rxsas.duckdns.org
                          Source: global trafficDNS traffic detected: DNS query: geoplugin.net
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, 00000000.00000003.1786279908.000000000081F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, 00000000.00000002.4115163169.0000000000805000.00000004.00000020.00020000.00000000.sdmp, 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, 00000000.00000003.1786279908.0000000000805000.00000004.00000020.00020000.00000000.sdmp, 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, 00000000.00000002.4115163169.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, 00000000.00000003.1786279908.00000000007F0000.00000004.00000020.00020000.00000000.sdmp, 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, 00000000.00000002.4115163169.00000000007AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeString found in binary or memory: http://geoplugin.net/json.gp/C
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, 00000000.00000002.4115163169.00000000007AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpSystem32
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, 00000000.00000002.4115163169.0000000000805000.00000004.00000020.00020000.00000000.sdmp, 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, 00000000.00000003.1786279908.0000000000805000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpU
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, 00000000.00000002.4115163169.00000000007AE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gprf(

                          Key, Mouse, Clipboard, Microphone and Screen Capturing

                          barindex
                          Contains functionality to register a low level keyboard hook
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_004099E4 SetWindowsHookExA 0000000D,004099D0,000000000_2_004099E4
                          Installs a global keyboard hook
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeWindows user hook set: 0 keyboard low level C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeJump to behavior
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,0_2_004159C6
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,0_2_004159C6
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,0_2_004159C6
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,0_2_00409B10
                          Source: Yara matchFile source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, type: SAMPLE
                          Source: Yara matchFile source: 0.0.1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000000.1650875081.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe PID: 5924, type: MEMORYSTR

                          E-Banking Fraud

                          barindex
                          Yara detected Remcos RAT
                          Source: Yara matchFile source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, type: SAMPLE
                          Source: Yara matchFile source: 0.0.1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 00000000.00000002.4115432387.00000000022CF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000002.4115163169.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000000.1650875081.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000002.4115163169.00000000007AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe PID: 5924, type: MEMORYSTR
                          Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                          Spam, unwanted Advertisements and Ransom Demands

                          barindex
                          Contains functionalty to change the wallpaper
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_0041BB71 SystemParametersInfoW,0_2_0041BB71
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_0041BB77 SystemParametersInfoW,0_2_0041BB77

                          System Summary

                          barindex
                          Malicious sample detected (through community Yara rule)
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, type: SAMPLEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, type: SAMPLEMatched rule: REMCOS_RAT_variants Author: unknown
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, type: SAMPLEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                          Source: 0.0.1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: 0.0.1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                          Source: 0.0.1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                          Source: 0.2.1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: 0.2.1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
                          Source: 0.2.1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                          Source: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: 00000000.00000000.1650875081.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: Process Memory Space: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe PID: 5924, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeProcess Stats: CPU usage > 49%
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle,0_2_0041ACC1
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle,0_2_0041ACED
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress,0_2_004158B9
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_0041D0710_2_0041D071
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_004520D20_2_004520D2
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_0043D0980_2_0043D098
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_004371500_2_00437150
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_004361AA0_2_004361AA
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_004262540_2_00426254
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_004313770_2_00431377
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_0043651C0_2_0043651C
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_0041E5DF0_2_0041E5DF
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_0044C7390_2_0044C739
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_004367C60_2_004367C6
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_004267CB0_2_004267CB
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_0043C9DD0_2_0043C9DD
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_00432A490_2_00432A49
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_00436A8D0_2_00436A8D
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_0043CC0C0_2_0043CC0C
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_00436D480_2_00436D48
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_00434D220_2_00434D22
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_00426E730_2_00426E73
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_00440E200_2_00440E20
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_0043CE3B0_2_0043CE3B
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_00412F450_2_00412F45
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_00452F000_2_00452F00
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_00426FAD0_2_00426FAD
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: String function: 00401F66 appears 50 times
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: String function: 004020E7 appears 40 times
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: String function: 004338A5 appears 42 times
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: String function: 00433FB0 appears 55 times
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, type: SAMPLEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, type: SAMPLEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                          Source: 0.0.1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                          Source: 0.0.1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                          Source: 0.0.1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                          Source: 0.2.1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                          Source: 0.2.1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                          Source: 0.2.1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                          Source: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                          Source: 00000000.00000000.1650875081.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                          Source: Process Memory Space: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe PID: 5924, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                          Source: classification engineClassification label: mal100.rans.troj.spyw.expl.evad.winEXE@1/2@2/2
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,0_2_00416AB7
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,0_2_0040E219
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_0041A63F FindResourceA,LoadResource,LockResource,SizeofResource,0_2_0041A63F
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_00419BC4
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\json[1].jsonJump to behavior
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc$urG9345JRjuDjdGoH-YL3THJ
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: Software\0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: (CG0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: Exe0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: Exe0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: (CG0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: 0DG0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: Inj0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: Inj0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: HM{0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: HM{0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: HM{0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: P{0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: HM{0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: exepath0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: P{0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: exepath0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: HM{0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: licence0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: `=G0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: dCG0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: Administrator0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: User0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: del0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: del0_2_0040D767
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCommand line argument: del0_2_0040D767
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeReversingLabs: Detection: 68%
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeSection loaded: apphelp.dllJump to behavior
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeSection loaded: winmm.dllJump to behavior
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeSection loaded: urlmon.dllJump to behavior
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeSection loaded: wininet.dllJump to behavior
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeSection loaded: iertutil.dllJump to behavior
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeSection loaded: srvcli.dllJump to behavior
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeSection loaded: netutils.dllJump to behavior
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeSection loaded: iphlpapi.dllJump to behavior
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeSection loaded: sspicli.dllJump to behavior
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeSection loaded: mswsock.dllJump to behavior
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeSection loaded: dnsapi.dllJump to behavior
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeSection loaded: rasadhlp.dllJump to behavior
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeSection loaded: fwpuclnt.dllJump to behavior
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeSection loaded: cryptsp.dllJump to behavior
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeSection loaded: rsaenh.dllJump to behavior
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeSection loaded: cryptbase.dllJump to behavior
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeSection loaded: windows.storage.dllJump to behavior
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeSection loaded: wldp.dllJump to behavior
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeSection loaded: profapi.dllJump to behavior
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeSection loaded: kernel.appcore.dllJump to behavior
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeSection loaded: winhttp.dllJump to behavior
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeSection loaded: winnsi.dllJump to behavior
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041BCE3
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_004567E0 push eax; ret 0_2_004567FE
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_00455EAF push ecx; ret 0_2_00455EC2
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_00433FF6 push ecx; ret 0_2_00434009
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_00406128 ShellExecuteW,URLDownloadToFileW,0_2_00406128
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_00419BC4
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041BCE3
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                          Malware Analysis System Evasion

                          barindex
                          Delayed program exit found
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_0040E54F Sleep,ExitProcess,0_2_0040E54F
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,0_2_004198C2
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeWindow / User API: threadDelayed 5737Jump to behavior
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeWindow / User API: threadDelayed 3794Jump to behavior
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeWindow / User API: foregroundWindowGot 1766Jump to behavior
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe TID: 1188Thread sleep count: 216 > 30Jump to behavior
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe TID: 1188Thread sleep time: -108000s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe TID: 5448Thread sleep count: 5737 > 30Jump to behavior
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe TID: 5448Thread sleep time: -17211000s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe TID: 5448Thread sleep count: 3794 > 30Jump to behavior
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe TID: 5448Thread sleep time: -11382000s >= -30000sJump to behavior
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040B335
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,0_2_0041B42F
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040B53A
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,0_2_004089A9
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_00406AC2 FindFirstFileW,FindNextFileW,0_2_00406AC2
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,0_2_00407A8C
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00418C69
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,0_2_00408DA7
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00406F06
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, 00000000.00000003.1786279908.000000000082D000.00000004.00000020.00020000.00000000.sdmp, 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, 00000000.00000002.4115352664.000000000082D000.00000004.00000020.00020000.00000000.sdmp, 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, 00000000.00000002.4115163169.00000000007AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeAPI call chain: ExitProcess graph end nodegraph_0-47208
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0043A65D
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041BCE3
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_00442554 mov eax, dword ptr fs:[00000030h]0_2_00442554
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_0044E92E GetProcessHeap,0_2_0044E92E
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00434168
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0043A65D
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00433B44
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_00433CD7 SetUnhandledExceptionFilter,0_2_00433CD7
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe0_2_00410F36
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_00418754 mouse_event,0_2_00418754
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, 00000000.00000002.4115163169.000000000081F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerGl
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, 00000000.00000002.4115163169.000000000081F000.00000004.00000020.00020000.00000000.sdmp, 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, 00000000.00000002.4115352664.0000000000824000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, 00000000.00000002.4115352664.0000000000824000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerXE
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, 00000000.00000003.1786279908.000000000081F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManagerEM
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, 00000000.00000002.4115163169.000000000081F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerr|
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, 00000000.00000002.4115352664.0000000000824000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Manager]E
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, 00000000.00000002.4115163169.00000000007AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managerx
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, 00000000.00000002.4115163169.000000000081F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program Managernet/
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, 00000000.00000002.4115163169.000000000081F000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Program ManageruS
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, 00000000.00000002.4115163169.0000000000805000.00000004.00000020.00020000.00000000.sdmp, 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, 00000000.00000002.4115163169.00000000007AE000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
                          Source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, 00000000.00000002.4115163169.00000000007AE000.00000004.00000020.00020000.00000000.sdmp, logs.dat.0.drBinary or memory string: [Program Manager]
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_00433E0A cpuid 0_2_00433E0A
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: GetLocaleInfoA,0_2_0040E679
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: EnumSystemLocalesW,0_2_004470AE
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: GetLocaleInfoW,0_2_004510BA
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_004511E3
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: GetLocaleInfoW,0_2_004512EA
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_004513B7
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: GetLocaleInfoW,0_2_00447597
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00450A7F
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: EnumSystemLocalesW,0_2_00450CF7
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: EnumSystemLocalesW,0_2_00450D42
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: EnumSystemLocalesW,0_2_00450DDD
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00450E6A
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_00404915 GetLocalTime,CreateEventA,CreateThread,0_2_00404915
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_0041A7A2 GetComputerNameExW,GetUserNameW,0_2_0041A7A2
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: 0_2_00448057 _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,0_2_00448057
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                          Stealing of Sensitive Information

                          barindex
                          Yara detected Remcos RAT
                          Source: Yara matchFile source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, type: SAMPLE
                          Source: Yara matchFile source: 0.0.1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 00000000.00000002.4115432387.00000000022CF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000002.4115163169.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000000.1650875081.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000002.4115163169.00000000007AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe PID: 5924, type: MEMORYSTR
                          Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                          Contains functionality to steal Chrome passwords or cookies
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: \AppData\Local\Google\Chrome\User Data\Default\Login Data0_2_0040B21B
                          Contains functionality to steal Firefox passwords or cookies
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: \AppData\Roaming\Mozilla\Firefox\Profiles\0_2_0040B335
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: \key3.db0_2_0040B335

                          Remote Access Functionality

                          barindex
                          Yara detected Remcos RAT
                          Source: Yara matchFile source: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, type: SAMPLE
                          Source: Yara matchFile source: 0.0.1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 0.2.1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                          Source: Yara matchFile source: 00000000.00000002.4115432387.00000000022CF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000002.4115163169.0000000000805000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000000.1650875081.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                          Source: Yara matchFile source: 00000000.00000002.4115163169.00000000007AE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                          Source: Yara matchFile source: Process Memory Space: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe PID: 5924, type: MEMORYSTR
                          Source: Yara matchFile source: C:\ProgramData\remcos\logs.dat, type: DROPPED
                          Source: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exeCode function: cmd.exe0_2_00405042

                          Mitre Att&ck Matrix

                          ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                          Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
                          Native API                          		1
                          DLL Side-Loading                          		1
                          DLL Side-Loading                          		1
                          Deobfuscate/Decode Files or Information                          		1
                          OS Credential Dumping                          		2
                          System Time Discovery                          		Remote Services11
                          Archive Collected Data                          		12
                          Ingress Tool Transfer                          		Exfiltration Over Other Network Medium1
                          System Shutdown/Reboot
                          CredentialsDomainsDefault Accounts12
                          Command and Scripting Interpreter                          		1
                          Windows Service                          		1
                          Bypass User Account Control                          		2
                          Obfuscated Files or Information                          		211
                          Input Capture                          		1
                          Account Discovery                          		Remote Desktop Protocol211
                          Input Capture                          		2
                          Encrypted Channel                          		Exfiltration Over Bluetooth1
                          Defacement
                          Email AddressesDNS ServerDomain Accounts2
                          Service Execution                          		Logon Script (Windows)1
                          Access Token Manipulation                          		1
                          DLL Side-Loading                          		2
                          Credentials In Files                          		1
                          System Service Discovery                          		SMB/Windows Admin Shares3
                          Clipboard Data                          		1
                          Non-Standard Port                          		Automated ExfiltrationData Encrypted for Impact
                          Employee NamesVirtual Private ServerLocal AccountsCronLogin Hook1
                          Windows Service                          		1
                          Bypass User Account Control                          		NTDS2
                          File and Directory Discovery                          		Distributed Component Object ModelInput Capture2
                          Non-Application Layer Protocol                          		Traffic DuplicationData Destruction
                          Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon Script11
                          Process Injection                          		1
                          Masquerading                          		LSA Secrets23
                          System Information Discovery                          		SSHKeylogging22
                          Application Layer Protocol                          		Scheduled TransferData Encrypted for Impact
                          Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                          Virtualization/Sandbox Evasion                          		Cached Domain Credentials21
                          Security Software Discovery                          		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                          DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                          Access Token Manipulation                          		DCSync1
                          Virtualization/Sandbox Evasion                          		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                          Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job11
                          Process Injection                          		Proc Filesystem2
                          Process Discovery                          		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                          Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAtHTML Smuggling/etc/passwd and /etc/shadow1
                          Application Window Discovery                          		Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                          IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCronDynamic API ResolutionNetwork Sniffing1
                          System Owner/User Discovery                          		Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

                          Behavior Graph

                          Hide Legend

                          Legend:

                          • Process
                          • Signature
                          • Created File
                          • DNS/IP Info
                          • Is Dropped
                          • Is Windows Process
                          • Number of created Registry Values
                          • Number of created Files
                          • Visual Basic
                          • Delphi
                          • Java
                          • .Net C# or VB.NET
                          • C, C++ or other language
                          • Is malicious
                          • Internet

                          Screenshots

                          Thumbnails

                          This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                          windows-stand

                          Antivirus, Machine Learning and Genetic Malware Detection

                          Initial Sample

                          SourceDetectionScannerLabelLink
                          1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe68%ReversingLabsWin32.Backdoor.Remcos
                          1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe100%AviraBDS/Backdoor.Gen
                          1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe100%Joe Sandbox ML

                          Dropped Files

                          No Antivirus matches

                          Unpacked PE Files

                          No Antivirus matches

                          Domains

                          No Antivirus matches

                          URLs

                          SourceDetectionScannerLabelLink
                          rxsas.duckdns.org100%Avira URL Cloudmalware

                          Domains and IPs

                          Contacted Domains

                          NameIPActiveMaliciousAntivirus DetectionReputation
                          rxsas.duckdns.org
                          		45.135.232.38
                          		truetrue
                            		unknown
                            geoplugin.net
                            		178.237.33.50
                            		truefalse
                              		high

                              Contacted URLs

                              NameMaliciousAntivirus DetectionReputation
                              http://geoplugin.net/json.gpfalse
                                		high
                                rxsas.duckdns.orgtrue
                                • Avira URL Cloud: malware
                                		unknown

                                URLs from Memory and Binaries

                                NameSourceMaliciousAntivirus DetectionReputation
                                http://geoplugin.net/1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, 00000000.00000003.1786279908.000000000081F000.00000004.00000020.00020000.00000000.sdmpfalse
                                  		high
                                  http://geoplugin.net/json.gpU1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, 00000000.00000002.4115163169.0000000000805000.00000004.00000020.00020000.00000000.sdmp, 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, 00000000.00000003.1786279908.0000000000805000.00000004.00000020.00020000.00000000.sdmpfalse
                                    		high
                                    http://geoplugin.net/json.gp/C1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exefalse
                                      		high
                                      http://geoplugin.net/json.gpSystem321732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, 00000000.00000002.4115163169.00000000007AE000.00000004.00000020.00020000.00000000.sdmpfalse
                                        		high
                                        http://geoplugin.net/json.gprf(1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, 00000000.00000002.4115163169.00000000007AE000.00000004.00000020.00020000.00000000.sdmpfalse
                                          		high

                                          World Map of Contacted IPs

                                          • No. of IPs < 25%
                                          • 25% < No. of IPs < 50%
                                          • 50% < No. of IPs < 75%
                                          • 75% < No. of IPs

                                          Public IPs

                                          IPDomainCountryFlagASNASN NameMalicious
                                          45.135.232.38
                                          		rxsas.duckdns.orgRussian Federation
                                          		49392ASBAXETNRUtrue
                                          178.237.33.50
                                          		geoplugin.netNetherlands
                                          		8455ATOM86-ASATOM86NLfalse

                                          General Information

                                          Joe Sandbox version:41.0.0 Charoite
                                          Analysis ID:1564220
                                          Start date and time:2024-11-27 23:59:05 +01:00
                                          Joe Sandbox product:CloudBasic
                                          Overall analysis duration:0h 6m 27s
                                          Hypervisor based Inspection enabled:false
                                          Report type:full
                                          Cookbook file name:default.jbs
                                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                          Number of analysed new started processes analysed:5
                                          Number of new started drivers analysed:0
                                          Number of existing processes analysed:0
                                          Number of existing drivers analysed:0
                                          Number of injected processes analysed:0
                                          Technologies:
                                          • HCA enabled
                                          • EGA enabled
                                          • AMSI enabled
                                          Analysis Mode:default
                                          Analysis stop reason:Timeout
                                          Sample name:1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe
                                          Detection:MAL
                                          Classification:mal100.rans.troj.spyw.expl.evad.winEXE@1/2@2/2
                                          EGA Information:
                                          • Successful, ratio: 100%
                                          HCA Information:
                                          • Successful, ratio: 100%
                                          • Number of executed functions: 38
                                          • Number of non-executed functions: 197
                                          Cookbook Comments:
                                          • Found application associated with file extension: .exe
                                          • Override analysis time to 240s for sample files taking high CPU consumption

                                          Warnings

                                          • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                          • Not all processes where analyzed, report is missing behavior information
                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                          • VT rate limit hit for: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe

                                          Simulations

                                          Behavior and APIs

                                          TimeTypeDescription
                                          18:00:26API Interceptor7578710x Sleep call for process: 1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe modified

                                          Joe Sandbox View / Context

                                          IPs

                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                          45.135.232.3817315457645970cbc5e5c3aae0a844eb233aad28ea87b3b8a58910e225655f6d041f399ede930.dat-decoded.exeGet hashmaliciousAsyncRAT, DcRatBrowse
                                            17312358643e2349e1394349def751b6d9e1f5f7d806ef332905ce99f25fe32ff480e138d6557.dat-decoded.exeGet hashmaliciousAsyncRAT, DcRatBrowse
                                              1730879944d691bb811f5e0f33d6d0d5afc86cdfb09b3d0562ee86d2276a3358127f125d3c941.dat-decoded.exeGet hashmaliciousAsyncRAT, DcRatBrowse
                                                sostener.vbsGet hashmaliciousAsyncRAT, DcRatBrowse
                                                  172698102496c864a187aff64295ab0b70d4e0148fc884b8fdef49a9c604553959f0c4197e421.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                    1726981024afb0b5261027cf8cb56ba2e74288f35f8a8f03f714e141da3004c24e1b6d3c16555.dat-decoded.exeGet hashmaliciousAsyncRAT, DcRatBrowse
                                                      decode_3c3a2e81bb9b9ea689c7c8d6aa9e24c0af55f3915e14295a64263688c83f4ab7.exeGet hashmaliciousRemcosBrowse
                                                        sostener.vbsGet hashmaliciousRemcosBrowse
                                                          178.237.33.50173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                          • geoplugin.net/json.gp
                                                          UPS_CBIJ90511770131.exeGet hashmaliciousRemcos, PureLog StealerBrowse
                                                          • geoplugin.net/json.gp
                                                          UPSCBIJ99581770131.exeGet hashmaliciousRemcos, PureLog StealerBrowse
                                                          • geoplugin.net/json.gp
                                                          Chase_Bank_Payemnt_Advice.bat.exeGet hashmaliciousRemcos, PureLog StealerBrowse
                                                          • geoplugin.net/json.gp
                                                          Factura_Pagada.pdf.bat.exeGet hashmaliciousRemcos, PureLog StealerBrowse
                                                          • geoplugin.net/json.gp
                                                          Unicredit__Pagamento.pdf.bat.exeGet hashmaliciousRemcos, DarkTortillaBrowse
                                                          • geoplugin.net/json.gp
                                                          Purchase-Order27112024.scr.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                          • geoplugin.net/json.gp
                                                          8gLdIfw09Wi50H5.exeGet hashmaliciousRemcos, PureLog StealerBrowse
                                                          • geoplugin.net/json.gp
                                                          SERV27THNOVSCANNEDcopiesACCOUNT-SUMMARYcon3-2.vbsGet hashmaliciousGuLoader, RemcosBrowse
                                                          • geoplugin.net/json.gp
                                                          awb_shipping_post_27112024224782020031808174CN27112024000001124.vbsGet hashmaliciousGuLoader, RemcosBrowse
                                                          • geoplugin.net/json.gp

                                                          Domains

                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                          geoplugin.net173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                          • 178.237.33.50
                                                          UPS_CBIJ90511770131.exeGet hashmaliciousRemcos, PureLog StealerBrowse
                                                          • 178.237.33.50
                                                          UPSCBIJ99581770131.exeGet hashmaliciousRemcos, PureLog StealerBrowse
                                                          • 178.237.33.50
                                                          Chase_Bank_Payemnt_Advice.bat.exeGet hashmaliciousRemcos, PureLog StealerBrowse
                                                          • 178.237.33.50
                                                          Factura_Pagada.pdf.bat.exeGet hashmaliciousRemcos, PureLog StealerBrowse
                                                          • 178.237.33.50
                                                          Unicredit__Pagamento.pdf.bat.exeGet hashmaliciousRemcos, DarkTortillaBrowse
                                                          • 178.237.33.50
                                                          Purchase-Order27112024.scr.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                          • 178.237.33.50
                                                          8gLdIfw09Wi50H5.exeGet hashmaliciousRemcos, PureLog StealerBrowse
                                                          • 178.237.33.50
                                                          SERV27THNOVSCANNEDcopiesACCOUNT-SUMMARYcon3-2.vbsGet hashmaliciousGuLoader, RemcosBrowse
                                                          • 178.237.33.50
                                                          awb_shipping_post_27112024224782020031808174CN27112024000001124.vbsGet hashmaliciousGuLoader, RemcosBrowse
                                                          • 178.237.33.50

                                                          ASNs

                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                          ASBAXETNRUmips.elfGet hashmaliciousUnknownBrowse
                                                          • 212.192.15.158
                                                          chelentano.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                          • 45.130.145.152
                                                          m2.exeGet hashmaliciousXmrigBrowse
                                                          • 194.87.31.45
                                                          9RM52QaURq.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                          • 45.130.145.152
                                                          HZ1BUCfTne.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                          • 45.130.145.152
                                                          9RM52QaURq.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                          • 45.130.145.152
                                                          bv2DbIiZeK.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                          • 45.130.145.152
                                                          brozer.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                          • 45.130.145.152
                                                          YU7jHNMJjG.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                          • 45.130.145.152
                                                          6Ev0Nd7z2t.exeGet hashmaliciousCredGrabber, Meduza StealerBrowse
                                                          • 45.130.145.152
                                                          ATOM86-ASATOM86NL173274744687e09b63aaee64ab5c6d3baa50ebd886d53d9deeef28fce7ab1e19ace8987105169.dat-decoded.exeGet hashmaliciousRemcosBrowse
                                                          • 178.237.33.50
                                                          UPS_CBIJ90511770131.exeGet hashmaliciousRemcos, PureLog StealerBrowse
                                                          • 178.237.33.50
                                                          UPSCBIJ99581770131.exeGet hashmaliciousRemcos, PureLog StealerBrowse
                                                          • 178.237.33.50
                                                          Chase_Bank_Payemnt_Advice.bat.exeGet hashmaliciousRemcos, PureLog StealerBrowse
                                                          • 178.237.33.50
                                                          Factura_Pagada.pdf.bat.exeGet hashmaliciousRemcos, PureLog StealerBrowse
                                                          • 178.237.33.50
                                                          Unicredit__Pagamento.pdf.bat.exeGet hashmaliciousRemcos, DarkTortillaBrowse
                                                          • 178.237.33.50
                                                          Purchase-Order27112024.scr.exeGet hashmaliciousRemcos, GuLoaderBrowse
                                                          • 178.237.33.50
                                                          8gLdIfw09Wi50H5.exeGet hashmaliciousRemcos, PureLog StealerBrowse
                                                          • 178.237.33.50
                                                          SERV27THNOVSCANNEDcopiesACCOUNT-SUMMARYcon3-2.vbsGet hashmaliciousGuLoader, RemcosBrowse
                                                          • 178.237.33.50
                                                          awb_shipping_post_27112024224782020031808174CN27112024000001124.vbsGet hashmaliciousGuLoader, RemcosBrowse
                                                          • 178.237.33.50

                                                          JA3 Fingerprints

                                                          No context

                                                          Dropped Files

                                                          No context

                                                          Created / dropped Files

                                                          C:\ProgramData\remcos\logs.dat

                                                          Download File
                                                          Process:C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe
                                                          File Type:data
                                                          Category:dropped
                                                          Size (bytes):144
                                                          Entropy (8bit):3.38816599775145
                                                          Encrypted:false
                                                          SSDEEP:3:rhlKlf15ZuNU5JWRal2Jl+7R0DAlBG45klovDl6v:6lf1KU5YcIeeDAlOWAv
                                                          MD5:393A6D247B600A489DC13A8C477230DC
                                                          SHA1:ADCA0AAD1526DB4CA3071FE31868142725F95F89
                                                          SHA-256:2AEF37F467BA1F87BF35C53EA20F83367C24E6F09AAA8D2A1D3C9E980DFB7068
                                                          SHA-512:1B90FBC7EBD9327CAA0C279D8A56C658FB03105565FD72B89005E35C7CAB152F2515D3F741421001711DD01ED6540EBB11A621C1137B720A2B56CA199001AA52
                                                          Malicious:true
                                                          Yara Hits:
                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                                                          Reputation:low
                                                          Preview:....[.2.0.2.4./.1.1./.2.7. .1.7.:.5.9.:.5.4. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

                                                          C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\json[1].json

                                                          Download File
                                                          Process:C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe
                                                          File Type:JSON data
                                                          Category:dropped
                                                          Size (bytes):963
                                                          Entropy (8bit):5.014904284428935
                                                          Encrypted:false
                                                          SSDEEP:12:tkluJnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkwV:qluNdRNuKyGX85jvXhNlT3/7AcV9Wro
                                                          MD5:B66CFB6461E507BB577CDE91F270844E
                                                          SHA1:6D952DE48032731679F8718D1F1C3F08202507C3
                                                          SHA-256:E231BBC873E9B30CCA58297CAA3E8945A4FC61556F378F2C5013B0DDCB7035BE
                                                          SHA-512:B5C1C188F10C9134EF38D0C5296E7AE95A7A486F858BE977F9A36D63CBE5790592881F3B8D12FEBBF1E555D0A9868632D9E590777E2D3143E74FD3A44C55575F
                                                          Malicious:false
                                                          Reputation:low
                                                          Preview:{. "geoplugin_request":"8.46.123.228",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7123",. "geoplugin_longitude":"-74.0068",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}

                                                          Static File Info

                                                          General

                                                          File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                          Entropy (8bit):6.586349289263609
                                                          TrID:
                                                          • Win32 Executable (generic) a (10002005/4) 99.96%
                                                          • Generic Win/DOS Executable (2004/3) 0.02%
                                                          • DOS Executable Generic (2002/1) 0.02%
                                                          • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                          File name:1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe
                                                          File size:493'056 bytes
                                                          MD5:160c2784d173e7bb077ff0794a922488
                                                          SHA1:7ac9ad6a60cc685b24f65ba7715c2a85387eff62
                                                          SHA256:c3dcf0bb8f1a9506ec058c0b70f3335e02d3e9d83a5e3af370b917c097f191b6
                                                          SHA512:e807434084f7bc32b18b24fcfc397546d0287f3932bb567735eb4a9ec00a2c6be496eda4d505b26293ec028f4aed93b93b8bea5bbfd0dc5689ab78c5af94f1f6
                                                          SSDEEP:12288:3uD09AUkNIGBYYv4eK13x13nZHSRVMf139F5wIB7+IwtHwBtVxbesvZDSl+DY:q09AfNIEYsunZvZ19Z2s
                                                          TLSH:38A4BF01B6D2C072D57625300D26E775DEBDBD212835897BB3DA1D67FE30180E63AAB2
                                                          File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)...H...H...H....(..H....*..H....+..H...0]..H..&....H... ...H... ...H... ...H...0J..H...H...I...!...H...!&..H...!...H..Rich.H.

                                                          File Icon

                                                          Icon Hash:95694d05214c1b33

                                                          Static PE Info

                                                          General

                                                          Entrypoint:0x433b3a
                                                          Entrypoint Section:.text
                                                          Digitally signed:false
                                                          Imagebase:0x400000
                                                          Subsystem:windows gui
                                                          Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                                          DLL Characteristics:TERMINAL_SERVER_AWARE
                                                          Time Stamp:0x6724916B [Fri Nov 1 08:29:31 2024 UTC]
                                                          TLS Callbacks:
                                                          CLR (.Net) Version:
                                                          OS Version Major:5
                                                          OS Version Minor:1
                                                          File Version Major:5
                                                          File Version Minor:1
                                                          Subsystem Version Major:5
                                                          Subsystem Version Minor:1
                                                          Import Hash:e77512f955eaf60ccff45e02d69234de

                                                          Entrypoint Preview

                                                          Instruction
                                                          call 00007FCE1CC9FEA3h
                                                          jmp 00007FCE1CC9F7FFh
                                                          push ebp
                                                          mov ebp, esp
                                                          sub esp, 00000324h
                                                          push ebx
                                                          push 00000017h
                                                          call 00007FCE1CCC1CD9h
                                                          test eax, eax
                                                          je 00007FCE1CC9F987h
                                                          mov ecx, dword ptr [ebp+08h]
                                                          int 29h
                                                          push 00000003h
                                                          call 00007FCE1CC9FB44h
                                                          mov dword ptr [esp], 000002CCh
                                                          lea eax, dword ptr [ebp-00000324h]
                                                          push 00000000h
                                                          push eax
                                                          call 00007FCE1CCA1E5Bh
                                                          add esp, 0Ch
                                                          mov dword ptr [ebp-00000274h], eax
                                                          mov dword ptr [ebp-00000278h], ecx
                                                          mov dword ptr [ebp-0000027Ch], edx
                                                          mov dword ptr [ebp-00000280h], ebx
                                                          mov dword ptr [ebp-00000284h], esi
                                                          mov dword ptr [ebp-00000288h], edi
                                                          mov word ptr [ebp-0000025Ch], ss
                                                          mov word ptr [ebp-00000268h], cs
                                                          mov word ptr [ebp-0000028Ch], ds
                                                          mov word ptr [ebp-00000290h], es
                                                          mov word ptr [ebp-00000294h], fs
                                                          mov word ptr [ebp-00000298h], gs
                                                          pushfd
                                                          pop dword ptr [ebp-00000264h]
                                                          mov eax, dword ptr [ebp+04h]
                                                          mov dword ptr [ebp-0000026Ch], eax
                                                          lea eax, dword ptr [ebp+04h]
                                                          mov dword ptr [ebp-00000260h], eax
                                                          mov dword ptr [ebp-00000324h], 00010001h
                                                          mov eax, dword ptr [eax-04h]
                                                          push 00000050h
                                                          mov dword ptr [ebp-00000270h], eax
                                                          lea eax, dword ptr [ebp-58h]
                                                          push 00000000h
                                                          push eax
                                                          call 00007FCE1CCA1DD1h

                                                          Rich Headers

                                                          Programming Language:
                                                          • [C++] VS2008 SP1 build 30729
                                                          • [IMP] VS2008 SP1 build 30729

                                                          Data Directories

                                                          NameVirtual AddressVirtual Size Is in Section
                                                          IMAGE_DIRECTORY_ENTRY_EXPORT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_IMPORT0x6e0200x104.rdata
                                                          IMAGE_DIRECTORY_ENTRY_RESOURCE0x760000x4ac8.rsrc
                                                          IMAGE_DIRECTORY_ENTRY_EXCEPTION0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_SECURITY0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_BASERELOC0x7b0000x3b80.reloc
                                                          IMAGE_DIRECTORY_ENTRY_DEBUG0x6c5100x38.rdata
                                                          IMAGE_DIRECTORY_ENTRY_COPYRIGHT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_GLOBALPTR0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_TLS0x6c5e80x18.rdata
                                                          IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG0x6c5480x40.rdata
                                                          IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_IAT0x570000x4f4.rdata
                                                          IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR0x00x0
                                                          IMAGE_DIRECTORY_ENTRY_RESERVED0x00x0

                                                          Sections

                                                          NameVirtual AddressVirtual SizeRaw SizeMD5Xored PEZLIB ComplexityFile TypeEntropyCharacteristics
                                                          .text0x10000x55f1d0x5600030cda225e02a0d4dab478a6c7c094860False0.5738610555959303data6.62127843313247IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                                          .rdata0x570000x18b000x18c009800e1a5325bb58aa054e318c8bb055aFalse0.49812578914141414OpenPGP Secret Key Version 65.758930104385571IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                          .data0x700000x5d6c0xe0006414e748130e7e668ba2ba172d63448False0.22684151785714285data3.093339598098017IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                                          .rsrc0x760000x4ac80x4c00e310e52ea119e1c4714ef4bc2d82f246False0.2767269736842105data3.98276538281328IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                                          .reloc0x7b0000x3b800x3c003a880743591ae3410d0dc26d7322ddd0False0.7569661458333333data6.695050823503309IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

                                                          Resources

                                                          NameRVASizeTypeLanguageCountryZLIB Complexity
                                                          RT_ICON0x7618c0x468Device independent bitmap graphic, 16 x 32 x 32, image size 1088EnglishUnited States0.3421985815602837
                                                          RT_ICON0x765f40x988Device independent bitmap graphic, 24 x 48 x 32, image size 2400EnglishUnited States0.27704918032786885
                                                          RT_ICON0x76f7c0x10a8Device independent bitmap graphic, 32 x 64 x 32, image size 4224EnglishUnited States0.23686679174484052
                                                          RT_ICON0x780240x25a8Device independent bitmap graphic, 48 x 96 x 32, image size 9600EnglishUnited States0.22977178423236513
                                                          RT_RCDATA0x7a5cc0x4b9data1.0090984284532671
                                                          RT_GROUP_ICON0x7aa880x3edataEnglishUnited States0.8064516129032258

                                                          Imports

                                                          DLLImport
                                                          KERNEL32.dllExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, LoadLibraryA, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, SetConsoleOutputCP, FormatMessageA, FindFirstFileA, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, HeapReAlloc, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, GetACP, GetModuleHandleExW, MoveFileExW, LoadLibraryExW, RaiseException, RtlUnwind, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, MultiByteToWideChar, DecodePointer, EncodePointer, TlsFree, TlsSetValue, GetFileSize, TerminateThread, GetLastError, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, CreateDirectoryW, GetLogicalDriveStringsA, DeleteFileW, FindNextFileA, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, GetProcAddress, CreateMutexA, GetCurrentProcess, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, FindNextVolumeW, TlsGetValue, TlsAlloc, SwitchToThread, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, InitializeCriticalSectionAndSpinCount, SetEndOfFile
                                                          USER32.dllDefWindowProcA, TranslateMessage, DispatchMessageA, GetMessageA, GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, GetWindowThreadProcessId, SetForegroundWindow, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CreateWindowExA, SendInput, EnumDisplaySettingsW, mouse_event, MapVirtualKeyA, TrackPopupMenu, CreatePopupMenu, AppendMenuA, RegisterClassExA, GetCursorPos, SystemParametersInfoW, GetIconInfo, GetSystemMetrics, CloseWindow, DrawIcon
                                                          GDI32.dllBitBlt, CreateCompatibleBitmap, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteDC, DeleteObject, CreateDCA, GetObjectA, SelectObject
                                                          ADVAPI32.dllLookupPrivilegeValueA, CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, RegDeleteKeyA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW
                                                          SHELL32.dllShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
                                                          ole32.dllCoInitializeEx, CoGetObject, CoUninitialize
                                                          SHLWAPI.dllStrToIntA, PathFileExistsW, PathFileExistsA
                                                          WINMM.dllmciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInStart, waveInUnprepareHeader, waveInOpen, waveInAddBuffer, waveInPrepareHeader, PlaySoundW
                                                          WS2_32.dllsend, WSAStartup, socket, connect, WSAGetLastError, recv, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, gethostbyname
                                                          urlmon.dllURLOpenBlockingStreamW, URLDownloadToFileW
                                                          gdiplus.dllGdipAlloc, GdiplusStartup, GdipGetImageEncoders, GdipLoadImageFromStream, GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipCloneImage
                                                          WININET.dllInternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile

                                                          Possible Origin

                                                          Language of compilation systemCountry where language is spokenMap
                                                          EnglishUnited States

                                                          Network Behavior

                                                          Suricata IDS Alerts

                                                          TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                          2024-11-27T23:59:56.770427+01002036594ET JA3 Hash - Remcos 3.x/4.x TLS Connection1192.168.2.44973045.135.232.3857870TCP
                                                          2024-11-28T00:00:08.223643+01002803304ETPRO MALWARE Common Downloader Header Pattern HCa3192.168.2.449731178.237.33.5080TCP

                                                          Network Port Distribution

                                                          TCP Packets

                                                          TimestampSource PortDest PortSource IPDest IP
                                                          Nov 27, 2024 23:59:55.166271925 CET4973057870192.168.2.445.135.232.38
                                                          Nov 27, 2024 23:59:55.290050030 CET578704973045.135.232.38192.168.2.4
                                                          Nov 27, 2024 23:59:55.290129900 CET4973057870192.168.2.445.135.232.38
                                                          Nov 27, 2024 23:59:55.296065092 CET4973057870192.168.2.445.135.232.38
                                                          Nov 27, 2024 23:59:55.419905901 CET578704973045.135.232.38192.168.2.4
                                                          Nov 27, 2024 23:59:56.718712091 CET578704973045.135.232.38192.168.2.4
                                                          Nov 27, 2024 23:59:56.770426989 CET4973057870192.168.2.445.135.232.38
                                                          Nov 27, 2024 23:59:56.960558891 CET578704973045.135.232.38192.168.2.4
                                                          Nov 27, 2024 23:59:57.004802942 CET4973057870192.168.2.445.135.232.38
                                                          Nov 27, 2024 23:59:57.010792017 CET4973057870192.168.2.445.135.232.38
                                                          Nov 27, 2024 23:59:57.134551048 CET578704973045.135.232.38192.168.2.4
                                                          Nov 27, 2024 23:59:57.134753942 CET4973057870192.168.2.445.135.232.38
                                                          Nov 27, 2024 23:59:57.258538961 CET578704973045.135.232.38192.168.2.4
                                                          Nov 28, 2024 00:00:06.396516085 CET578704973045.135.232.38192.168.2.4
                                                          Nov 28, 2024 00:00:06.398143053 CET4973057870192.168.2.445.135.232.38
                                                          Nov 28, 2024 00:00:06.521894932 CET578704973045.135.232.38192.168.2.4
                                                          Nov 28, 2024 00:00:06.597470045 CET578704973045.135.232.38192.168.2.4
                                                          Nov 28, 2024 00:00:06.645472050 CET4973057870192.168.2.445.135.232.38
                                                          Nov 28, 2024 00:00:06.791476965 CET4973180192.168.2.4178.237.33.50
                                                          Nov 28, 2024 00:00:06.915210962 CET8049731178.237.33.50192.168.2.4
                                                          Nov 28, 2024 00:00:06.915323973 CET4973180192.168.2.4178.237.33.50
                                                          Nov 28, 2024 00:00:06.915455103 CET4973180192.168.2.4178.237.33.50
                                                          Nov 28, 2024 00:00:07.039175987 CET8049731178.237.33.50192.168.2.4
                                                          Nov 28, 2024 00:00:08.223526001 CET8049731178.237.33.50192.168.2.4
                                                          Nov 28, 2024 00:00:08.223643064 CET4973180192.168.2.4178.237.33.50
                                                          Nov 28, 2024 00:00:08.423186064 CET4973057870192.168.2.445.135.232.38
                                                          Nov 28, 2024 00:00:08.547426939 CET578704973045.135.232.38192.168.2.4
                                                          Nov 28, 2024 00:00:09.224442005 CET8049731178.237.33.50192.168.2.4
                                                          Nov 28, 2024 00:00:09.224895000 CET4973180192.168.2.4178.237.33.50
                                                          Nov 28, 2024 00:00:20.946815014 CET578704973045.135.232.38192.168.2.4
                                                          Nov 28, 2024 00:00:20.975642920 CET4973057870192.168.2.445.135.232.38
                                                          Nov 28, 2024 00:00:21.099371910 CET578704973045.135.232.38192.168.2.4
                                                          Nov 28, 2024 00:00:50.970478058 CET578704973045.135.232.38192.168.2.4
                                                          Nov 28, 2024 00:00:50.971817017 CET4973057870192.168.2.445.135.232.38
                                                          Nov 28, 2024 00:00:51.095701933 CET578704973045.135.232.38192.168.2.4
                                                          Nov 28, 2024 00:01:20.992203951 CET578704973045.135.232.38192.168.2.4
                                                          Nov 28, 2024 00:01:21.043669939 CET4973057870192.168.2.445.135.232.38
                                                          Nov 28, 2024 00:01:21.168044090 CET578704973045.135.232.38192.168.2.4
                                                          Nov 28, 2024 00:01:51.016349077 CET578704973045.135.232.38192.168.2.4
                                                          Nov 28, 2024 00:01:51.018244982 CET4973057870192.168.2.445.135.232.38
                                                          Nov 28, 2024 00:01:51.142277002 CET578704973045.135.232.38192.168.2.4
                                                          Nov 28, 2024 00:01:56.614516973 CET4973180192.168.2.4178.237.33.50
                                                          Nov 28, 2024 00:01:57.020673990 CET4973180192.168.2.4178.237.33.50
                                                          Nov 28, 2024 00:01:57.723450899 CET4973180192.168.2.4178.237.33.50
                                                          Nov 28, 2024 00:01:59.020313978 CET4973180192.168.2.4178.237.33.50
                                                          Nov 28, 2024 00:02:01.520302057 CET4973180192.168.2.4178.237.33.50
                                                          Nov 28, 2024 00:02:06.422115088 CET4973180192.168.2.4178.237.33.50
                                                          Nov 28, 2024 00:02:16.119997978 CET4973180192.168.2.4178.237.33.50
                                                          Nov 28, 2024 00:02:21.058840990 CET578704973045.135.232.38192.168.2.4
                                                          Nov 28, 2024 00:02:21.060233116 CET4973057870192.168.2.445.135.232.38
                                                          Nov 28, 2024 00:02:21.184026003 CET578704973045.135.232.38192.168.2.4
                                                          Nov 28, 2024 00:02:51.067518950 CET578704973045.135.232.38192.168.2.4
                                                          Nov 28, 2024 00:02:51.070394993 CET4973057870192.168.2.445.135.232.38
                                                          Nov 28, 2024 00:02:51.194104910 CET578704973045.135.232.38192.168.2.4
                                                          Nov 28, 2024 00:03:21.089271069 CET578704973045.135.232.38192.168.2.4
                                                          Nov 28, 2024 00:03:21.091479063 CET4973057870192.168.2.445.135.232.38
                                                          Nov 28, 2024 00:03:21.215574980 CET578704973045.135.232.38192.168.2.4
                                                          Nov 28, 2024 00:03:51.113063097 CET578704973045.135.232.38192.168.2.4
                                                          Nov 28, 2024 00:03:51.114645004 CET4973057870192.168.2.445.135.232.38
                                                          Nov 28, 2024 00:03:51.238465071 CET578704973045.135.232.38192.168.2.4

                                                          UDP Packets

                                                          TimestampSource PortDest PortSource IPDest IP
                                                          Nov 27, 2024 23:59:54.830121040 CET6499553192.168.2.41.1.1.1
                                                          Nov 27, 2024 23:59:55.163420916 CET53649951.1.1.1192.168.2.4
                                                          Nov 28, 2024 00:00:06.638755083 CET5967453192.168.2.41.1.1.1
                                                          Nov 28, 2024 00:00:06.782464027 CET53596741.1.1.1192.168.2.4

                                                          DNS Queries

                                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                          Nov 27, 2024 23:59:54.830121040 CET192.168.2.41.1.1.10x2c35Standard query (0)rxsas.duckdns.orgA (IP address)IN (0x0001)false
                                                          Nov 28, 2024 00:00:06.638755083 CET192.168.2.41.1.1.10xaa17Standard query (0)geoplugin.netA (IP address)IN (0x0001)false

                                                          DNS Answers

                                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                          Nov 27, 2024 23:59:55.163420916 CET1.1.1.1192.168.2.40x2c35No error (0)rxsas.duckdns.org45.135.232.38A (IP address)IN (0x0001)false
                                                          Nov 28, 2024 00:00:06.782464027 CET1.1.1.1192.168.2.40xaa17No error (0)geoplugin.net178.237.33.50A (IP address)IN (0x0001)false

                                                          HTTP Request Dependency Graph

                                                          • geoplugin.net

                                                          HTTP Packets

                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                          0192.168.2.449731178.237.33.50805924C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe
                                                          TimestampBytes transferredDirectionData
                                                          Nov 28, 2024 00:00:06.915455103 CET71OUTGET /json.gp HTTP/1.1
                                                          Host: geoplugin.net
                                                          Cache-Control: no-cache
                                                          Nov 28, 2024 00:00:08.223526001 CET1171INHTTP/1.1 200 OK
                                                          date: Wed, 27 Nov 2024 23:00:08 GMT
                                                          server: Apache
                                                          content-length: 963
                                                          content-type: application/json; charset=utf-8
                                                          cache-control: public, max-age=300
                                                          access-control-allow-origin: *
                                                          Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 32 32 38 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 31 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 [TRUNCATED]
                                                          Data Ascii: { "geoplugin_request":"8.46.123.228", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                                                          Statistics

                                                          CPU Usage

                                                          Click to jump to process

                                                          Memory Usage

                                                          Click to jump to process

                                                          High Level Behavior Distribution

                                                          Click to dive into process behavior distribution

                                                          System Behavior

                                                          General

                                                          Target ID:0
                                                          Start time:17:59:54
                                                          Start date:27/11/2024
                                                          Path:C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe
                                                          Wow64 process (32bit):true
                                                          Commandline:"C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe"
                                                          Imagebase:0x400000
                                                          File size:493'056 bytes
                                                          MD5 hash:160C2784D173E7BB077FF0794A922488
                                                          Has elevated privileges:true
                                                          Has administrator privileges:true
                                                          Programmed in:C, C++ or other language
                                                          Yara matches:
                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4115432387.00000000022CF000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4115163169.0000000000805000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000000.1650875081.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000000.1650875081.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                          • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.1650875081.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                          • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000000.1650875081.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                          • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4115163169.00000000007AE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                          Reputation:low
                                                          Has exited:false

                                                          Disassembly

                                                          Reset < >

                                                            Execution Graph

                                                            Execution Coverage:4.3%
                                                            Dynamic/Decrypted Code Coverage:0%
                                                            Signature Coverage:22.8%
                                                            Total number of Nodes:1327
                                                            Total number of Limit Nodes:65
                                                            execution_graph 45551 41d4d0 45553 41d4e6 ctype ___scrt_fastfail 45551->45553 45552 41d6e3 45557 41d734 45552->45557 45567 41d071 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection ___scrt_fastfail 45552->45567 45553->45552 45572 431f99 21 API calls ___crtLCMapStringA 45553->45572 45556 41d6f4 45556->45557 45558 41d760 45556->45558 45568 431f99 21 API calls ___crtLCMapStringA 45556->45568 45558->45557 45575 41d474 21 API calls ___scrt_fastfail 45558->45575 45559 41d696 ___scrt_fastfail 45559->45557 45573 431f99 21 API calls ___crtLCMapStringA 45559->45573 45563 41d72d ___scrt_fastfail 45563->45557 45569 43264f 45563->45569 45565 41d6be ___scrt_fastfail 45565->45557 45574 431f99 21 API calls ___crtLCMapStringA 45565->45574 45567->45556 45568->45563 45576 43256f 45569->45576 45571 432657 45571->45558 45572->45559 45573->45565 45574->45552 45575->45557 45577 43257e 45576->45577 45578 432588 45576->45578 45577->45571 45578->45577 45582 431f99 21 API calls ___crtLCMapStringA 45578->45582 45580 4325a9 45580->45577 45583 43293a CryptAcquireContextA 45580->45583 45582->45580 45584 432956 45583->45584 45585 43295b CryptGenRandom 45583->45585 45584->45577 45585->45584 45586 432970 CryptReleaseContext 45585->45586 45586->45584 45587 426030 45592 4260f7 recv 45587->45592 45593 44e8b6 45594 44e8c1 45593->45594 45595 44e8e9 45594->45595 45596 44e8da 45594->45596 45597 44e8f8 45595->45597 45615 455573 27 API calls 2 library calls 45595->45615 45614 445354 20 API calls _free 45596->45614 45602 44b9be 45597->45602 45601 44e8df ___scrt_fastfail 45603 44b9d6 45602->45603 45604 44b9cb 45602->45604 45606 44b9de 45603->45606 45612 44b9e7 _strftime 45603->45612 45616 446aff 45604->45616 45623 446ac5 45606->45623 45608 44ba11 RtlReAllocateHeap 45610 44b9d3 45608->45610 45608->45612 45609 44b9ec 45629 445354 20 API calls _free 45609->45629 45610->45601 45612->45608 45612->45609 45630 442200 7 API calls 2 library calls 45612->45630 45614->45601 45615->45597 45617 446b3d 45616->45617 45618 446b0d _strftime 45616->45618 45632 445354 20 API calls _free 45617->45632 45618->45617 45620 446b28 RtlAllocateHeap 45618->45620 45631 442200 7 API calls 2 library calls 45618->45631 45620->45618 45621 446b3b 45620->45621 45621->45610 45624 446ad0 RtlFreeHeap 45623->45624 45625 446af9 _free 45623->45625 45624->45625 45626 446ae5 45624->45626 45625->45610 45633 445354 20 API calls _free 45626->45633 45628 446aeb GetLastError 45628->45625 45629->45610 45630->45612 45631->45618 45632->45621 45633->45628 45634 426091 45639 42610e send 45634->45639 45640 425e56 45641 425e6b 45640->45641 45653 425f0b 45640->45653 45642 425eb9 45641->45642 45643 425f77 45641->45643 45644 425f9e 45641->45644 45648 425f5a 45641->45648 45651 425eee 45641->45651 45641->45653 45655 425f25 45641->45655 45668 424354 50 API calls ctype 45641->45668 45642->45651 45642->45653 45669 41f075 54 API calls 45642->45669 45643->45644 45643->45653 45656 424f78 45643->45656 45644->45653 45673 4255c7 28 API calls 45644->45673 45648->45643 45672 424b7b 21 API calls 45648->45672 45651->45653 45651->45655 45670 424354 50 API calls ctype 45651->45670 45655->45648 45655->45653 45671 41f075 54 API calls 45655->45671 45658 424f97 ___scrt_fastfail 45656->45658 45657 424fab 45663 424fcb 45657->45663 45664 424fb4 45657->45664 45677 41cf6e 50 API calls 45657->45677 45660 424fa6 45658->45660 45658->45663 45674 41e097 21 API calls 45658->45674 45660->45657 45660->45663 45675 41fad4 47 API calls 45660->45675 45663->45644 45664->45663 45678 424185 21 API calls 2 library calls 45664->45678 45666 42504e 45666->45663 45676 431f99 21 API calls ___crtLCMapStringA 45666->45676 45668->45642 45669->45642 45670->45655 45671->45655 45672->45643 45673->45653 45674->45660 45675->45666 45676->45657 45677->45664 45678->45663 45679 43a998 45682 43a9a4 _swprintf CallCatchBlock 45679->45682 45680 43a9b2 45697 445354 20 API calls _free 45680->45697 45682->45680 45685 43a9dc 45682->45685 45683 43a9b7 45698 43a827 26 API calls _Deallocate 45683->45698 45692 444acc EnterCriticalSection 45685->45692 45687 43a9e7 45693 43aa88 45687->45693 45689 43a9c2 std::_Locinfo::_Locinfo_dtor 45692->45687 45695 43aa96 45693->45695 45694 43a9f2 45699 43aa0f LeaveCriticalSection std::_Lockit::~_Lockit 45694->45699 45695->45694 45700 448416 39 API calls 2 library calls 45695->45700 45697->45683 45698->45689 45699->45689 45700->45695 45701 414dba 45716 41a51b 45701->45716 45703 414dc3 45726 401fbd 45703->45726 45707 414dde 45708 4161f2 45707->45708 45731 401eea 45707->45731 45735 401d8c 45708->45735 45711 4161fb 45712 401eea 26 API calls 45711->45712 45713 416207 45712->45713 45714 401eea 26 API calls 45713->45714 45715 416213 45714->45715 45717 41a529 45716->45717 45741 43a88c 45717->45741 45720 41a55c InternetReadFile 45724 41a57f 45720->45724 45722 41a5ac InternetCloseHandle InternetCloseHandle 45723 41a5be 45722->45723 45723->45703 45724->45720 45724->45722 45725 401eea 26 API calls 45724->45725 45748 401f86 45724->45748 45725->45724 45727 401fcc 45726->45727 45759 402501 45727->45759 45729 401fea 45730 404468 60 API calls ctype 45729->45730 45730->45707 45732 4021b9 45731->45732 45733 4021e8 45732->45733 45764 40262e 26 API calls _Deallocate 45732->45764 45733->45708 45736 40200a 45735->45736 45740 40203a 45736->45740 45765 402654 26 API calls 45736->45765 45738 40202b 45766 4026ba 26 API calls _Deallocate 45738->45766 45740->45711 45743 446aff _strftime 45741->45743 45742 446b3d 45753 445354 20 API calls _free 45742->45753 45743->45742 45745 446b28 RtlAllocateHeap 45743->45745 45752 442200 7 API calls 2 library calls 45743->45752 45745->45743 45746 41a533 InternetOpenW InternetOpenUrlW 45745->45746 45746->45720 45749 401f8e 45748->45749 45754 402325 45749->45754 45751 401fa4 45751->45724 45752->45743 45753->45746 45755 40232f 45754->45755 45757 40233a 45755->45757 45758 40294a 28 API calls 45755->45758 45757->45751 45758->45757 45760 40250d 45759->45760 45762 40252b 45760->45762 45763 40261a 28 API calls 45760->45763 45762->45729 45763->45762 45764->45733 45765->45738 45766->45740 45767 402bcc 45768 402bd7 45767->45768 45769 402bdf 45767->45769 45785 403315 28 API calls _Deallocate 45768->45785 45771 402beb 45769->45771 45775 4015d3 45769->45775 45772 402bdd 45777 43360d 45775->45777 45776 43a88c ___crtLCMapStringA 21 API calls 45776->45777 45777->45776 45778 402be9 45777->45778 45781 43362e std::_Facet_Register 45777->45781 45786 442200 7 API calls 2 library calls 45777->45786 45780 433dec std::_Facet_Register 45788 437bd7 RaiseException 45780->45788 45781->45780 45787 437bd7 RaiseException 45781->45787 45783 433e09 45785->45772 45786->45777 45787->45780 45788->45783 45789 4339be 45790 4339ca CallCatchBlock 45789->45790 45821 4336b3 45790->45821 45792 4339d1 45793 433b24 45792->45793 45796 4339fb 45792->45796 46121 433b44 IsProcessorFeaturePresent IsDebuggerPresent SetUnhandledExceptionFilter UnhandledExceptionFilter ___scrt_fastfail 45793->46121 45795 433b2b 46122 4426be 28 API calls _abort 45795->46122 45808 433a3a ___scrt_is_nonwritable_in_current_image ___scrt_release_startup_lock 45796->45808 46115 4434d1 5 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 45796->46115 45798 433b31 46123 442670 28 API calls _abort 45798->46123 45801 433a14 45803 433a1a 45801->45803 46116 443475 5 API calls __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 45801->46116 45802 433b39 45805 433a9b 45832 433c5e 45805->45832 45808->45805 46117 43edf4 38 API calls 3 library calls 45808->46117 45815 433abd 45815->45795 45816 433ac1 45815->45816 45817 433aca 45816->45817 46119 442661 28 API calls _abort 45816->46119 46120 433842 13 API calls 2 library calls 45817->46120 45820 433ad2 45820->45803 45822 4336bc 45821->45822 46124 433e0a IsProcessorFeaturePresent 45822->46124 45824 4336c8 46125 4379ee 10 API calls 3 library calls 45824->46125 45826 4336cd 45831 4336d1 45826->45831 46126 44335e IsProcessorFeaturePresent SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 45826->46126 45828 4336da 45829 4336e8 45828->45829 46127 437a17 8 API calls 3 library calls 45828->46127 45829->45792 45831->45792 46128 436050 45832->46128 45835 433aa1 45836 443422 45835->45836 46130 44ddc9 45836->46130 45838 433aaa 45841 40d767 45838->45841 45839 44342b 45839->45838 46134 44e0d3 38 API calls 45839->46134 46136 41bce3 LoadLibraryA GetProcAddress 45841->46136 45843 40d783 GetModuleFileNameW 46141 40e168 45843->46141 45845 40d79f 45846 401fbd 28 API calls 45845->45846 45847 40d7ae 45846->45847 45848 401fbd 28 API calls 45847->45848 45849 40d7bd 45848->45849 46156 41afc3 45849->46156 45853 40d7cf 45854 401d8c 26 API calls 45853->45854 45855 40d7d8 45854->45855 45856 40d835 45855->45856 45857 40d7eb 45855->45857 46181 401d64 45856->46181 46435 40e986 90 API calls 45857->46435 45860 40d845 45863 401d64 28 API calls 45860->45863 45861 40d7fd 45862 401d64 28 API calls 45861->45862 45865 40d809 45862->45865 45864 40d864 45863->45864 46186 404cbf 45864->46186 46436 40e937 68 API calls 45865->46436 45867 40d873 46190 405ce6 45867->46190 45870 40d87f 46193 401eef 45870->46193 45871 40d824 46437 40e155 68 API calls 45871->46437 45874 40d88b 45875 401eea 26 API calls 45874->45875 45876 40d894 45875->45876 45878 401eea 26 API calls 45876->45878 45877 401eea 26 API calls 45879 40dc9f 45877->45879 45880 40d89d 45878->45880 46118 433c94 GetModuleHandleW 45879->46118 45881 401d64 28 API calls 45880->45881 45882 40d8a6 45881->45882 46197 401ebd 45882->46197 45884 40d8b1 45885 401d64 28 API calls 45884->45885 45886 40d8ca 45885->45886 45887 401d64 28 API calls 45886->45887 45889 40d8e5 45887->45889 45888 40d946 45890 401d64 28 API calls 45888->45890 45905 40e134 45888->45905 45889->45888 46438 4085b4 45889->46438 45896 40d95d 45890->45896 45892 40d912 45893 401eef 26 API calls 45892->45893 45894 40d91e 45893->45894 45897 401eea 26 API calls 45894->45897 45895 40d9a4 46201 40bed7 45895->46201 45896->45895 45902 4124b7 3 API calls 45896->45902 45899 40d927 45897->45899 46442 4124b7 RegOpenKeyExA 45899->46442 45900 40d9aa 45901 40d82d 45900->45901 46204 41a463 45900->46204 45901->45877 45907 40d988 45902->45907 46520 412902 30 API calls 45905->46520 45906 40d9c5 45908 40da18 45906->45908 46221 40697b 45906->46221 45907->45895 46445 412902 30 API calls 45907->46445 45910 401d64 28 API calls 45908->45910 45913 40da21 45910->45913 45922 40da32 45913->45922 45923 40da2d 45913->45923 45915 40e14a 46521 4112b5 64 API calls ___scrt_fastfail 45915->46521 45916 40d9e4 46446 40699d 30 API calls 45916->46446 45917 40d9ee 45921 401d64 28 API calls 45917->45921 45930 40d9f7 45921->45930 45927 401d64 28 API calls 45922->45927 46449 4069ba CreateProcessA CloseHandle CloseHandle ___scrt_fastfail 45923->46449 45924 40d9e9 46447 4064d0 97 API calls 45924->46447 45928 40da3b 45927->45928 46225 41ae08 45928->46225 45930->45908 45933 40da13 45930->45933 45931 40da46 46229 401e18 45931->46229 46448 4064d0 97 API calls 45933->46448 45934 40da51 46233 401e13 45934->46233 45937 40da5a 45938 401d64 28 API calls 45937->45938 45939 40da63 45938->45939 45940 401d64 28 API calls 45939->45940 45941 40da7d 45940->45941 45942 401d64 28 API calls 45941->45942 45943 40da97 45942->45943 45944 401d64 28 API calls 45943->45944 45946 40dab0 45944->45946 45945 40db1d 45948 40db2c 45945->45948 45953 40dcaa ___scrt_fastfail 45945->45953 45946->45945 45947 401d64 28 API calls 45946->45947 45952 40dac5 _wcslen 45947->45952 45949 40db35 45948->45949 45977 40dbb1 ___scrt_fastfail 45948->45977 45950 401d64 28 API calls 45949->45950 45951 40db3e 45950->45951 45954 401d64 28 API calls 45951->45954 45952->45945 45955 401d64 28 API calls 45952->45955 46509 41265d RegOpenKeyExA 45953->46509 45956 40db50 45954->45956 45957 40dae0 45955->45957 45959 401d64 28 API calls 45956->45959 45961 401d64 28 API calls 45957->45961 45960 40db62 45959->45960 45964 401d64 28 API calls 45960->45964 45962 40daf5 45961->45962 46450 40c89e 45962->46450 45963 40dcef 45965 401d64 28 API calls 45963->45965 45966 40db8b 45964->45966 45967 40dd16 45965->45967 45972 401d64 28 API calls 45966->45972 46247 401f66 45967->46247 45970 401e18 26 API calls 45971 40db14 45970->45971 45974 401e13 26 API calls 45971->45974 45975 40db9c 45972->45975 45974->45945 46507 40bc67 46 API calls _wcslen 45975->46507 45976 40dd25 46251 4126d2 RegCreateKeyA 45976->46251 46237 4128a2 45977->46237 45982 40dc45 ctype 45986 401d64 28 API calls 45982->45986 45983 40dbac 45983->45977 45984 401d64 28 API calls 45985 40dd47 45984->45985 46257 43a5e7 45985->46257 45987 40dc5c 45986->45987 45987->45963 45991 40dc70 45987->45991 45990 40dd5e 46512 41beb0 87 API calls ___scrt_fastfail 45990->46512 45993 401d64 28 API calls 45991->45993 45992 40dd81 45996 401f66 28 API calls 45992->45996 45994 40dc7e 45993->45994 45997 41ae08 28 API calls 45994->45997 45999 40dd96 45996->45999 46000 40dc87 45997->46000 45998 40dd65 CreateThread 45998->45992 47213 41c96f 10 API calls 45998->47213 46001 401f66 28 API calls 45999->46001 46508 40e219 112 API calls 46000->46508 46003 40dda5 46001->46003 46261 41a686 46003->46261 46004 40dc8c 46004->45963 46006 40dc93 46004->46006 46006->45901 46008 401d64 28 API calls 46009 40ddb6 46008->46009 46010 401d64 28 API calls 46009->46010 46011 40ddcb 46010->46011 46012 401d64 28 API calls 46011->46012 46013 40ddeb 46012->46013 46014 43a5e7 42 API calls 46013->46014 46015 40ddf8 46014->46015 46016 401d64 28 API calls 46015->46016 46017 40de03 46016->46017 46018 401d64 28 API calls 46017->46018 46019 40de14 46018->46019 46020 401d64 28 API calls 46019->46020 46021 40de29 46020->46021 46022 401d64 28 API calls 46021->46022 46023 40de3a 46022->46023 46024 40de41 StrToIntA 46023->46024 46285 409517 46024->46285 46027 401d64 28 API calls 46028 40de5c 46027->46028 46029 40dea1 46028->46029 46030 40de68 46028->46030 46032 401d64 28 API calls 46029->46032 46513 43360d 22 API calls 3 library calls 46030->46513 46034 40deb1 46032->46034 46033 40de71 46035 401d64 28 API calls 46033->46035 46038 40def9 46034->46038 46039 40debd 46034->46039 46036 40de84 46035->46036 46037 40de8b CreateThread 46036->46037 46037->46029 47210 419128 109 API calls __EH_prolog 46037->47210 46041 401d64 28 API calls 46038->46041 46514 43360d 22 API calls 3 library calls 46039->46514 46042 40df02 46041->46042 46046 40df6c 46042->46046 46047 40df0e 46042->46047 46043 40dec6 46044 401d64 28 API calls 46043->46044 46045 40ded8 46044->46045 46050 40dedf CreateThread 46045->46050 46048 401d64 28 API calls 46046->46048 46049 401d64 28 API calls 46047->46049 46051 40df75 46048->46051 46052 40df1e 46049->46052 46050->46038 47209 419128 109 API calls __EH_prolog 46050->47209 46053 40df81 46051->46053 46054 40dfba 46051->46054 46055 401d64 28 API calls 46052->46055 46057 401d64 28 API calls 46053->46057 46310 41a7a2 GetComputerNameExW GetUserNameW 46054->46310 46058 40df33 46055->46058 46060 40df8a 46057->46060 46515 40c854 32 API calls 46058->46515 46065 401d64 28 API calls 46060->46065 46061 401e18 26 API calls 46062 40dfce 46061->46062 46064 401e13 26 API calls 46062->46064 46067 40dfd7 46064->46067 46068 40df9f 46065->46068 46066 40df46 46069 401e18 26 API calls 46066->46069 46070 40dfe0 SetProcessDEPPolicy 46067->46070 46071 40dfe3 CreateThread 46067->46071 46076 43a5e7 42 API calls 46068->46076 46072 40df52 46069->46072 46070->46071 46074 40e004 46071->46074 46075 40dff8 CreateThread 46071->46075 47182 40e54f 46071->47182 46073 401e13 26 API calls 46072->46073 46077 40df5b CreateThread 46073->46077 46078 40e019 46074->46078 46079 40e00d CreateThread 46074->46079 46075->46074 47211 410f36 138 API calls 46075->47211 46080 40dfac 46076->46080 46077->46046 47212 40196b 49 API calls 46077->47212 46081 40e073 46078->46081 46083 401f66 28 API calls 46078->46083 46079->46078 47214 411524 38 API calls ___scrt_fastfail 46079->47214 46516 40b95c 7 API calls 46080->46516 46321 41246e RegOpenKeyExA 46081->46321 46084 40e046 46083->46084 46517 404c9e 28 API calls 46084->46517 46088 40e053 46090 401f66 28 API calls 46088->46090 46089 40e12a 46333 40cbac 46089->46333 46092 40e062 46090->46092 46091 41ae08 28 API calls 46094 40e0a4 46091->46094 46095 41a686 79 API calls 46092->46095 46324 412584 RegOpenKeyExW 46094->46324 46097 40e067 46095->46097 46099 401eea 26 API calls 46097->46099 46099->46081 46102 401e13 26 API calls 46105 40e0c5 46102->46105 46103 40e0ed DeleteFileW 46104 40e0f4 46103->46104 46103->46105 46106 41ae08 28 API calls 46104->46106 46105->46103 46105->46104 46107 40e0db Sleep 46105->46107 46108 40e104 46106->46108 46518 401e07 46107->46518 46329 41297a RegOpenKeyExW 46108->46329 46111 40e117 46112 401e13 26 API calls 46111->46112 46113 40e121 46112->46113 46114 401e13 26 API calls 46113->46114 46114->46089 46115->45801 46116->45808 46117->45805 46118->45815 46119->45817 46120->45820 46121->45795 46122->45798 46123->45802 46124->45824 46125->45826 46126->45828 46127->45831 46129 433c71 GetStartupInfoW 46128->46129 46129->45835 46131 44dddb 46130->46131 46132 44ddd2 46130->46132 46131->45839 46135 44dcc8 51 API calls 4 library calls 46132->46135 46134->45839 46135->46131 46137 41bd22 LoadLibraryA GetProcAddress 46136->46137 46138 41bd12 GetModuleHandleA GetProcAddress 46136->46138 46139 41bd4b 32 API calls 46137->46139 46140 41bd3b LoadLibraryA GetProcAddress 46137->46140 46138->46137 46139->45843 46140->46139 46522 41a63f FindResourceA 46141->46522 46144 43a88c ___crtLCMapStringA 21 API calls 46145 40e192 ctype 46144->46145 46146 401f86 28 API calls 46145->46146 46147 40e1ad 46146->46147 46148 401eef 26 API calls 46147->46148 46149 40e1b8 46148->46149 46150 401eea 26 API calls 46149->46150 46151 40e1c1 46150->46151 46152 43a88c ___crtLCMapStringA 21 API calls 46151->46152 46153 40e1d2 ctype 46152->46153 46525 406052 46153->46525 46155 40e205 46155->45845 46166 41afd6 46156->46166 46157 401eea 26 API calls 46158 41b078 46157->46158 46159 401eea 26 API calls 46158->46159 46161 41b080 46159->46161 46160 41b048 46162 403b60 28 API calls 46160->46162 46164 401eea 26 API calls 46161->46164 46165 41b054 46162->46165 46167 40d7c6 46164->46167 46168 401eef 26 API calls 46165->46168 46166->46160 46169 401eef 26 API calls 46166->46169 46172 401eea 26 API calls 46166->46172 46176 41b046 46166->46176 46528 403b60 46166->46528 46531 41bfa9 28 API calls 46166->46531 46177 40e8bd 46167->46177 46170 41b05d 46168->46170 46169->46166 46171 401eea 26 API calls 46170->46171 46173 41b065 46171->46173 46172->46166 46532 41bfa9 28 API calls 46173->46532 46176->46157 46178 40e8ca 46177->46178 46180 40e8da 46178->46180 46549 40200a 26 API calls 46178->46549 46180->45853 46182 401d6c 46181->46182 46183 401d74 46182->46183 46550 401fff 28 API calls 46182->46550 46183->45860 46187 404ccb 46186->46187 46551 402e78 46187->46551 46189 404cee 46189->45867 46560 404bc4 46190->46560 46192 405cf4 46192->45870 46194 401efe 46193->46194 46196 401f0a 46194->46196 46569 4021b9 26 API calls 46194->46569 46196->45874 46199 401ec9 46197->46199 46198 401ee4 46198->45884 46199->46198 46200 402325 28 API calls 46199->46200 46200->46198 46570 401e8f 46201->46570 46203 40bee1 CreateMutexA GetLastError 46203->45900 46572 41b15b 46204->46572 46206 41a471 46576 412513 RegOpenKeyExA 46206->46576 46209 401eef 26 API calls 46210 41a49f 46209->46210 46211 401eea 26 API calls 46210->46211 46212 41a4a7 46211->46212 46213 41a4fa 46212->46213 46214 412513 31 API calls 46212->46214 46213->45906 46215 41a4cd 46214->46215 46216 41a4d8 StrToIntA 46215->46216 46217 41a4ef 46216->46217 46218 41a4e6 46216->46218 46220 401eea 26 API calls 46217->46220 46581 41c102 28 API calls 46218->46581 46220->46213 46222 40698f 46221->46222 46223 4124b7 3 API calls 46222->46223 46224 406996 46223->46224 46224->45916 46224->45917 46226 41ae1c 46225->46226 46582 40b027 46226->46582 46228 41ae24 46228->45931 46230 401e27 46229->46230 46232 401e33 46230->46232 46591 402121 26 API calls 46230->46591 46232->45934 46234 402121 46233->46234 46235 402150 46234->46235 46592 402718 26 API calls _Deallocate 46234->46592 46235->45937 46238 4128c0 46237->46238 46239 406052 28 API calls 46238->46239 46240 4128d5 46239->46240 46241 401fbd 28 API calls 46240->46241 46242 4128e5 46241->46242 46243 4126d2 29 API calls 46242->46243 46244 4128ef 46243->46244 46245 401eea 26 API calls 46244->46245 46246 4128fc 46245->46246 46246->45982 46248 401f6e 46247->46248 46593 402301 46248->46593 46252 412722 46251->46252 46254 4126eb 46251->46254 46253 401eea 26 API calls 46252->46253 46255 40dd3b 46253->46255 46256 4126fd RegSetValueExA RegCloseKey 46254->46256 46255->45984 46256->46252 46258 43a600 _swprintf 46257->46258 46597 43993e 46258->46597 46262 41a737 46261->46262 46263 41a69c GetLocalTime 46261->46263 46265 401eea 26 API calls 46262->46265 46264 404cbf 28 API calls 46263->46264 46266 41a6de 46264->46266 46267 41a73f 46265->46267 46268 405ce6 28 API calls 46266->46268 46269 401eea 26 API calls 46267->46269 46270 41a6ea 46268->46270 46271 40ddaa 46269->46271 46631 4027cb 46270->46631 46271->46008 46273 41a6f6 46274 405ce6 28 API calls 46273->46274 46275 41a702 46274->46275 46634 406478 76 API calls 46275->46634 46277 41a710 46278 401eea 26 API calls 46277->46278 46279 41a71c 46278->46279 46280 401eea 26 API calls 46279->46280 46281 41a725 46280->46281 46282 401eea 26 API calls 46281->46282 46283 41a72e 46282->46283 46284 401eea 26 API calls 46283->46284 46284->46262 46286 409536 _wcslen 46285->46286 46287 409541 46286->46287 46288 409558 46286->46288 46289 40c89e 32 API calls 46287->46289 46290 40c89e 32 API calls 46288->46290 46291 409549 46289->46291 46292 409560 46290->46292 46293 401e18 26 API calls 46291->46293 46294 401e18 26 API calls 46292->46294 46296 409553 46293->46296 46295 40956e 46294->46295 46297 401e13 26 API calls 46295->46297 46299 401e13 26 API calls 46296->46299 46298 409576 46297->46298 46654 40856b 28 API calls 46298->46654 46301 4095ad 46299->46301 46639 409837 46301->46639 46302 409588 46655 4028cf 46302->46655 46306 409593 46307 401e18 26 API calls 46306->46307 46308 40959d 46307->46308 46309 401e13 26 API calls 46308->46309 46309->46296 46834 403b40 46310->46834 46314 41a7fd 46315 4028cf 28 API calls 46314->46315 46316 41a807 46315->46316 46317 401e13 26 API calls 46316->46317 46318 41a810 46317->46318 46319 401e13 26 API calls 46318->46319 46320 40dfc3 46319->46320 46320->46061 46322 40e08b 46321->46322 46323 41248f RegQueryValueExA RegCloseKey 46321->46323 46322->46089 46322->46091 46323->46322 46325 4125b0 RegQueryValueExW RegCloseKey 46324->46325 46326 4125dd 46324->46326 46325->46326 46327 403b40 28 API calls 46326->46327 46328 40e0ba 46327->46328 46328->46102 46330 412992 RegDeleteValueW 46329->46330 46331 4129a6 46329->46331 46330->46331 46332 4129a2 46330->46332 46331->46111 46332->46111 46334 40cbc5 46333->46334 46335 41246e 3 API calls 46334->46335 46336 40cbcc 46335->46336 46337 40cbeb 46336->46337 46856 401602 46336->46856 46341 413fd4 46337->46341 46339 40cbd9 46859 4127d5 RegCreateKeyA 46339->46859 46342 413feb 46341->46342 46876 41aa73 46342->46876 46344 413ff6 46345 401d64 28 API calls 46344->46345 46346 41400f 46345->46346 46347 43a5e7 42 API calls 46346->46347 46348 41401c 46347->46348 46349 414021 Sleep 46348->46349 46350 41402e 46348->46350 46349->46350 46351 401f66 28 API calls 46350->46351 46352 41403d 46351->46352 46353 401d64 28 API calls 46352->46353 46354 41404b 46353->46354 46355 401fbd 28 API calls 46354->46355 46356 414053 46355->46356 46357 41afc3 28 API calls 46356->46357 46358 41405b 46357->46358 46880 404262 WSAStartup 46358->46880 46360 414065 46361 401d64 28 API calls 46360->46361 46362 41406e 46361->46362 46363 401d64 28 API calls 46362->46363 46411 4140ed 46362->46411 46364 414087 46363->46364 46365 401d64 28 API calls 46364->46365 46366 414098 46365->46366 46369 401d64 28 API calls 46366->46369 46367 41afc3 28 API calls 46367->46411 46368 401d64 28 API calls 46368->46411 46370 4140a9 46369->46370 46372 401d64 28 API calls 46370->46372 46371 4085b4 28 API calls 46371->46411 46373 4140ba 46372->46373 46374 401d64 28 API calls 46373->46374 46376 4140cb 46374->46376 46375 401eef 26 API calls 46375->46411 46377 401d64 28 API calls 46376->46377 46378 4140dd 46377->46378 47013 404101 87 API calls 46378->47013 46380 401f66 28 API calls 46380->46411 46381 41a686 79 API calls 46381->46411 46383 414244 WSAGetLastError 47014 41bc76 30 API calls 46383->47014 46388 401f66 28 API calls 46394 414259 46388->46394 46391 404cbf 28 API calls 46391->46411 46392 401d8c 26 API calls 46392->46394 46393 401d64 28 API calls 46393->46394 46394->46388 46394->46392 46394->46393 46396 43a5e7 42 API calls 46394->46396 46394->46411 46431 41a686 79 API calls 46394->46431 46432 414b22 CreateThread 46394->46432 46433 401eea 26 API calls 46394->46433 46434 401e13 26 API calls 46394->46434 47015 404c9e 28 API calls 46394->47015 47017 40a767 84 API calls 46394->47017 47018 4047eb 98 API calls 46394->47018 46395 4027cb 28 API calls 46395->46411 46398 414b80 Sleep 46396->46398 46397 405ce6 28 API calls 46397->46411 46398->46394 46399 401eea 26 API calls 46399->46411 46402 4082dc 28 API calls 46402->46411 46403 440c51 26 API calls 46403->46411 46404 401fbd 28 API calls 46404->46411 46405 41265d 3 API calls 46405->46411 46406 412513 31 API calls 46406->46411 46407 403b40 28 API calls 46407->46411 46411->46367 46411->46368 46411->46371 46411->46375 46411->46380 46411->46381 46411->46383 46411->46391 46411->46394 46411->46395 46411->46397 46411->46399 46411->46402 46411->46403 46411->46404 46411->46405 46411->46406 46411->46407 46412 41ad46 28 API calls 46411->46412 46413 401d64 28 API calls 46411->46413 46881 413f9a 46411->46881 46886 4041f1 46411->46886 46893 404915 46411->46893 46908 40428c connect 46411->46908 46968 41a96d 46411->46968 46971 413683 46411->46971 46974 40cbf1 46411->46974 46980 41adee 46411->46980 46983 41aec8 46411->46983 46412->46411 46414 4144ed GetTickCount 46413->46414 46415 41ad46 28 API calls 46414->46415 46427 414507 46415->46427 46417 41ad46 28 API calls 46417->46427 46419 41aec8 28 API calls 46419->46427 46422 405ce6 28 API calls 46422->46427 46423 4027cb 28 API calls 46423->46427 46424 40275c 28 API calls 46424->46427 46426 401eea 26 API calls 46426->46427 46427->46417 46427->46419 46427->46422 46427->46423 46427->46424 46427->46426 46428 401e13 26 API calls 46427->46428 46987 41aca0 GetLastInputInfo GetTickCount 46427->46987 46988 41ac52 46427->46988 46993 40e679 GetLocaleInfoA 46427->46993 46996 4027ec 28 API calls 46427->46996 46997 4045d5 46427->46997 47016 404468 60 API calls ctype 46427->47016 46428->46427 46431->46394 46432->46394 47175 419e89 104 API calls 46432->47175 46433->46394 46434->46394 46435->45861 46436->45871 46439 4085c0 46438->46439 46440 402e78 28 API calls 46439->46440 46441 4085e4 46440->46441 46441->45892 46443 4124e1 RegQueryValueExA RegCloseKey 46442->46443 46444 41250b 46442->46444 46443->46444 46444->45888 46445->45895 46446->45924 46447->45917 46448->45908 46449->45922 46451 40c8ba 46450->46451 46452 40c8da 46451->46452 46453 40c90f 46451->46453 46455 40c8d0 46451->46455 47176 41a74b 29 API calls 46452->47176 46456 41b15b 2 API calls 46453->46456 46454 40ca03 GetLongPathNameW 46459 403b40 28 API calls 46454->46459 46455->46454 46460 40c914 46456->46460 46458 40c8e3 46461 401e18 26 API calls 46458->46461 46462 40ca18 46459->46462 46463 40c918 46460->46463 46464 40c96a 46460->46464 46465 40c8ed 46461->46465 46466 403b40 28 API calls 46462->46466 46468 403b40 28 API calls 46463->46468 46467 403b40 28 API calls 46464->46467 46472 401e13 26 API calls 46465->46472 46469 40ca27 46466->46469 46470 40c978 46467->46470 46471 40c926 46468->46471 47179 40cc37 28 API calls 46469->47179 46477 403b40 28 API calls 46470->46477 46475 403b40 28 API calls 46471->46475 46472->46455 46474 40ca3a 47180 402860 28 API calls 46474->47180 46479 40c93c 46475->46479 46478 40c98e 46477->46478 47178 402860 28 API calls 46478->47178 47177 402860 28 API calls 46479->47177 46480 40ca45 47181 402860 28 API calls 46480->47181 46484 40ca4f 46487 401e13 26 API calls 46484->46487 46485 40c999 46488 401e18 26 API calls 46485->46488 46486 40c947 46489 401e18 26 API calls 46486->46489 46490 40ca59 46487->46490 46491 40c9a4 46488->46491 46492 40c952 46489->46492 46493 401e13 26 API calls 46490->46493 46494 401e13 26 API calls 46491->46494 46495 401e13 26 API calls 46492->46495 46496 40ca62 46493->46496 46497 40c9ad 46494->46497 46498 40c95b 46495->46498 46499 401e13 26 API calls 46496->46499 46500 401e13 26 API calls 46497->46500 46501 401e13 26 API calls 46498->46501 46502 40ca6b 46499->46502 46500->46465 46501->46465 46503 401e13 26 API calls 46502->46503 46504 40ca74 46503->46504 46505 401e13 26 API calls 46504->46505 46506 40ca7d 46505->46506 46506->45970 46507->45983 46508->46004 46510 412683 RegQueryValueExA RegCloseKey 46509->46510 46511 4126a7 46509->46511 46510->46511 46511->45963 46512->45998 46513->46033 46514->46043 46515->46066 46516->46054 46517->46088 46519 401e0c 46518->46519 46520->45915 46523 40e183 46522->46523 46524 41a65c LoadResource LockResource SizeofResource 46522->46524 46523->46144 46524->46523 46526 401f86 28 API calls 46525->46526 46527 406066 46526->46527 46527->46155 46533 403c30 46528->46533 46531->46166 46532->46176 46534 403c39 46533->46534 46537 403c59 46534->46537 46538 403c68 46537->46538 46543 4032a4 46538->46543 46540 403c74 46541 402325 28 API calls 46540->46541 46542 403b73 46541->46542 46542->46166 46544 4032b0 46543->46544 46545 4032ad 46543->46545 46548 4032b6 28 API calls 46544->46548 46545->46540 46549->46180 46553 402e85 46551->46553 46552 402ea9 46552->46189 46553->46552 46554 402e98 46553->46554 46556 402eae 46553->46556 46558 403445 28 API calls 46554->46558 46556->46552 46559 40225b 26 API calls 46556->46559 46558->46552 46559->46552 46561 404bd0 46560->46561 46564 40245c 46561->46564 46563 404be4 46563->46192 46565 402469 46564->46565 46567 402478 46565->46567 46568 402ad3 28 API calls 46565->46568 46567->46563 46568->46567 46569->46196 46571 401e94 46570->46571 46573 41b183 46572->46573 46574 41b168 GetCurrentProcess IsWow64Process 46572->46574 46573->46206 46574->46573 46575 41b17f 46574->46575 46575->46206 46577 412541 RegQueryValueExA RegCloseKey 46576->46577 46578 412569 46576->46578 46577->46578 46579 401f66 28 API calls 46578->46579 46580 41257e 46579->46580 46580->46209 46581->46217 46583 40b02f 46582->46583 46586 40b04b 46583->46586 46585 40b045 46585->46228 46587 40b055 46586->46587 46589 40b060 46587->46589 46590 40b138 28 API calls 46587->46590 46589->46585 46590->46589 46591->46232 46592->46235 46594 40230d 46593->46594 46595 402325 28 API calls 46594->46595 46596 401f80 46595->46596 46596->45976 46615 43a545 46597->46615 46599 43998b 46624 4392de 38 API calls 2 library calls 46599->46624 46601 439950 46601->46599 46602 439965 46601->46602 46614 40dd54 46601->46614 46622 445354 20 API calls _free 46602->46622 46604 43996a 46623 43a827 26 API calls _Deallocate 46604->46623 46607 439997 46608 4399c6 46607->46608 46625 43a58a 42 API calls __Tolower 46607->46625 46611 439a32 46608->46611 46626 43a4f1 26 API calls 2 library calls 46608->46626 46627 43a4f1 26 API calls 2 library calls 46611->46627 46612 439af9 _swprintf 46612->46614 46628 445354 20 API calls _free 46612->46628 46614->45990 46614->45992 46616 43a54a 46615->46616 46617 43a55d 46615->46617 46629 445354 20 API calls _free 46616->46629 46617->46601 46619 43a54f 46630 43a827 26 API calls _Deallocate 46619->46630 46621 43a55a 46621->46601 46622->46604 46623->46614 46624->46607 46625->46607 46626->46611 46627->46612 46628->46614 46629->46619 46630->46621 46635 401e9b 46631->46635 46633 4027d9 46633->46273 46634->46277 46636 401ea7 46635->46636 46637 40245c 28 API calls 46636->46637 46638 401eb9 46637->46638 46638->46633 46640 409855 46639->46640 46641 4124b7 3 API calls 46640->46641 46642 40985c 46641->46642 46643 409870 46642->46643 46644 40988a 46642->46644 46646 4095cf 46643->46646 46647 409875 46643->46647 46658 4082dc 46644->46658 46646->46027 46649 4082dc 28 API calls 46647->46649 46650 409883 46649->46650 46684 409959 29 API calls 46650->46684 46653 409888 46653->46646 46654->46302 46825 402d8b 46655->46825 46657 4028dd 46657->46306 46659 4082eb 46658->46659 46685 408431 46659->46685 46661 408309 46662 4098a5 46661->46662 46690 40affa 46662->46690 46665 4098f6 46667 401f66 28 API calls 46665->46667 46666 4098ce 46668 401f66 28 API calls 46666->46668 46669 409901 46667->46669 46670 4098d8 46668->46670 46671 401f66 28 API calls 46669->46671 46672 41ae08 28 API calls 46670->46672 46673 409910 46671->46673 46674 4098e6 46672->46674 46675 41a686 79 API calls 46673->46675 46694 40a876 31 API calls ___crtLCMapStringA 46674->46694 46677 409915 CreateThread 46675->46677 46679 409930 CreateThread 46677->46679 46680 40993c CreateThread 46677->46680 46706 4099a9 46677->46706 46678 4098ed 46681 401eea 26 API calls 46678->46681 46679->46680 46703 409993 46679->46703 46682 401e13 26 API calls 46680->46682 46700 4099b5 46680->46700 46681->46665 46683 409950 46682->46683 46683->46646 46684->46653 46824 40999f 136 API calls 46684->46824 46687 40843d 46685->46687 46686 40845b 46686->46661 46687->46686 46689 402f0d 28 API calls 46687->46689 46689->46686 46692 40b006 46690->46692 46691 4098c3 46691->46665 46691->46666 46692->46691 46695 403b9e 46692->46695 46694->46678 46696 403ba8 46695->46696 46698 403bb3 46696->46698 46699 403cfd 28 API calls 46696->46699 46698->46691 46699->46698 46709 40a3f4 46700->46709 46758 4099e4 46703->46758 46779 409e48 46706->46779 46734 40a402 46709->46734 46710 4099be 46711 40a45c Sleep GetForegroundWindow GetWindowTextLengthW 46712 40b027 28 API calls 46711->46712 46712->46734 46716 41aca0 GetLastInputInfo GetTickCount 46716->46734 46717 40a4a2 GetWindowTextW 46717->46734 46719 401e13 26 API calls 46719->46734 46720 40affa 28 API calls 46720->46734 46721 40a5ff 46722 401e13 26 API calls 46721->46722 46722->46710 46723 40a569 Sleep 46723->46734 46726 401f66 28 API calls 46726->46734 46728 4082dc 28 API calls 46733 40a4f1 46728->46733 46730 405ce6 28 API calls 46730->46734 46732 4028cf 28 API calls 46732->46734 46733->46728 46733->46734 46742 40a876 31 API calls ___crtLCMapStringA 46733->46742 46734->46710 46734->46711 46734->46716 46734->46717 46734->46719 46734->46720 46734->46721 46734->46723 46734->46726 46734->46730 46734->46732 46734->46733 46735 409d58 27 API calls 46734->46735 46736 41ae08 28 API calls 46734->46736 46737 401eea 26 API calls 46734->46737 46738 433519 5 API calls __Init_thread_wait 46734->46738 46739 4338a5 29 API calls __onexit 46734->46739 46740 4334cf EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 46734->46740 46741 4082a8 28 API calls 46734->46741 46743 40b0dd 28 API calls 46734->46743 46744 40ae58 44 API calls 2 library calls 46734->46744 46745 440c51 46734->46745 46749 404c9e 28 API calls 46734->46749 46735->46734 46736->46734 46737->46734 46738->46734 46739->46734 46740->46734 46741->46734 46742->46733 46743->46734 46744->46734 46746 440c5d 46745->46746 46750 440a4d 46746->46750 46749->46734 46751 440a64 46750->46751 46755 440aa5 46751->46755 46756 445354 20 API calls _free 46751->46756 46753 440a9b 46757 43a827 26 API calls _Deallocate 46753->46757 46755->46734 46756->46753 46757->46755 46759 409a63 GetMessageA 46758->46759 46760 4099ff GetModuleHandleA SetWindowsHookExA 46758->46760 46761 409a75 TranslateMessage DispatchMessageA 46759->46761 46763 40999c 46759->46763 46760->46759 46762 409a1b GetLastError 46760->46762 46761->46759 46761->46763 46773 41ad46 46762->46773 46767 409a3e 46768 401f66 28 API calls 46767->46768 46769 409a4d 46768->46769 46770 41a686 79 API calls 46769->46770 46771 409a52 46770->46771 46772 401eea 26 API calls 46771->46772 46772->46763 46774 440c51 26 API calls 46773->46774 46775 41ad67 46774->46775 46776 401f66 28 API calls 46775->46776 46777 409a31 46776->46777 46778 404c9e 28 API calls 46777->46778 46778->46767 46780 409e5d Sleep 46779->46780 46799 409d97 46780->46799 46782 4099b2 46783 409e9d CreateDirectoryW 46787 409e6f 46783->46787 46784 409eae GetFileAttributesW 46784->46787 46785 409ec5 SetFileAttributesW 46785->46787 46787->46780 46787->46782 46787->46783 46787->46784 46787->46785 46789 401d64 28 API calls 46787->46789 46797 409f10 46787->46797 46812 41b58f 46787->46812 46788 409f3f PathFileExistsW 46788->46797 46789->46787 46790 401f86 28 API calls 46790->46797 46792 40a048 SetFileAttributesW 46792->46787 46793 406052 28 API calls 46793->46797 46794 401eef 26 API calls 46794->46797 46795 401eea 26 API calls 46795->46797 46797->46788 46797->46790 46797->46792 46797->46793 46797->46794 46797->46795 46798 401eea 26 API calls 46797->46798 46821 41b61a 32 API calls 46797->46821 46822 41b687 CreateFileW SetFilePointer WriteFile CloseHandle 46797->46822 46798->46787 46800 409e44 46799->46800 46804 409dad 46799->46804 46800->46787 46801 409dcc CreateFileW 46802 409dda GetFileSize 46801->46802 46801->46804 46803 409e0f CloseHandle 46802->46803 46802->46804 46803->46804 46804->46801 46804->46803 46805 409e21 46804->46805 46806 409e04 Sleep 46804->46806 46807 409dfd 46804->46807 46805->46800 46809 4082dc 28 API calls 46805->46809 46806->46803 46823 40a7f0 83 API calls 46807->46823 46810 409e3d 46809->46810 46811 4098a5 127 API calls 46810->46811 46811->46800 46813 41b5a2 CreateFileW 46812->46813 46815 41b5db 46813->46815 46816 41b5df 46813->46816 46815->46787 46817 41b5f6 WriteFile 46816->46817 46818 41b5e6 SetFilePointer 46816->46818 46819 41b60b CloseHandle 46817->46819 46820 41b609 46817->46820 46818->46817 46818->46819 46819->46815 46820->46819 46821->46797 46822->46797 46823->46806 46826 402d97 46825->46826 46829 4030f7 46826->46829 46828 402dab 46828->46657 46830 403101 46829->46830 46832 403115 46830->46832 46833 4036c2 28 API calls 46830->46833 46832->46828 46833->46832 46835 403b48 46834->46835 46841 403b7a 46835->46841 46838 403cbb 46845 403dc2 46838->46845 46840 403cc9 46840->46314 46842 403b86 46841->46842 46843 403b9e 28 API calls 46842->46843 46844 403b5a 46843->46844 46844->46838 46846 403dce 46845->46846 46849 402ffd 46846->46849 46848 403de3 46848->46840 46850 40300e 46849->46850 46851 4032a4 28 API calls 46850->46851 46852 40301a 46851->46852 46854 40302e 46852->46854 46855 4035e8 28 API calls 46852->46855 46854->46848 46855->46854 46862 4395ba 46856->46862 46860 412814 46859->46860 46861 4127ed RegSetValueExA RegCloseKey 46859->46861 46860->46337 46861->46860 46865 43953b 46862->46865 46864 401608 46864->46339 46866 43954a 46865->46866 46867 43955e 46865->46867 46873 445354 20 API calls _free 46866->46873 46872 43955a __alldvrm 46867->46872 46875 447601 11 API calls 2 library calls 46867->46875 46869 43954f 46874 43a827 26 API calls _Deallocate 46869->46874 46872->46864 46873->46869 46874->46872 46875->46872 46879 41aab9 ctype ___scrt_fastfail 46876->46879 46877 401f66 28 API calls 46878 41ab2e 46877->46878 46878->46344 46879->46877 46880->46360 46882 413fb3 getaddrinfo WSASetLastError 46881->46882 46883 413fa9 46881->46883 46882->46411 47019 413e37 35 API calls ___std_exception_copy 46883->47019 46885 413fae 46885->46882 46887 404206 socket 46886->46887 46888 4041fd 46886->46888 46890 404220 46887->46890 46891 404224 CreateEventW 46887->46891 47020 404262 WSAStartup 46888->47020 46890->46411 46891->46411 46892 404202 46892->46887 46892->46890 46894 4049b1 46893->46894 46895 40492a 46893->46895 46894->46411 46896 404933 46895->46896 46897 404987 CreateEventA CreateThread 46895->46897 46898 404942 GetLocalTime 46895->46898 46896->46897 46897->46894 47022 404b1d 46897->47022 46899 41ad46 28 API calls 46898->46899 46900 40495b 46899->46900 47021 404c9e 28 API calls 46900->47021 46902 404968 46903 401f66 28 API calls 46902->46903 46904 404977 46903->46904 46905 41a686 79 API calls 46904->46905 46906 40497c 46905->46906 46907 401eea 26 API calls 46906->46907 46907->46897 46909 4043e1 46908->46909 46910 4042b3 46908->46910 46911 4043e7 WSAGetLastError 46909->46911 46961 404343 46909->46961 46912 4042e8 46910->46912 46915 404cbf 28 API calls 46910->46915 46910->46961 46913 4043f7 46911->46913 46911->46961 47026 420151 27 API calls 46912->47026 46916 4042f7 46913->46916 46917 4043fc 46913->46917 46920 4042d4 46915->46920 46923 401f66 28 API calls 46916->46923 47031 41bc76 30 API calls 46917->47031 46919 4042f0 46919->46916 46922 404306 46919->46922 46924 401f66 28 API calls 46920->46924 46921 40440b 47032 404c9e 28 API calls 46921->47032 46932 404315 46922->46932 46933 40434c 46922->46933 46927 404448 46923->46927 46925 4042e3 46924->46925 46928 41a686 79 API calls 46925->46928 46930 401f66 28 API calls 46927->46930 46928->46912 46929 404418 46931 401f66 28 API calls 46929->46931 46934 404457 46930->46934 46936 404427 46931->46936 46938 401f66 28 API calls 46932->46938 47028 420f34 56 API calls 46933->47028 46935 41a686 79 API calls 46934->46935 46935->46961 46939 41a686 79 API calls 46936->46939 46941 404324 46938->46941 46942 40442c 46939->46942 46940 404354 46943 404389 46940->46943 46944 404359 46940->46944 46945 401f66 28 API calls 46941->46945 46947 401eea 26 API calls 46942->46947 47030 4202ea 28 API calls 46943->47030 46948 401f66 28 API calls 46944->46948 46949 404333 46945->46949 46947->46961 46951 404368 46948->46951 46952 41a686 79 API calls 46949->46952 46950 404391 46953 4043be CreateEventW CreateEventW 46950->46953 46956 401f66 28 API calls 46950->46956 46954 401f66 28 API calls 46951->46954 46955 404338 46952->46955 46953->46961 46957 404377 46954->46957 47027 41dc15 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 46955->47027 46959 4043a7 46956->46959 46960 41a686 79 API calls 46957->46960 46962 401f66 28 API calls 46959->46962 46963 40437c 46960->46963 46961->46411 46964 4043b6 46962->46964 47029 420592 54 API calls 46963->47029 46966 41a686 79 API calls 46964->46966 46967 4043bb 46966->46967 46967->46953 47033 41a945 GlobalMemoryStatusEx 46968->47033 46970 41a982 46970->46411 47034 413646 46971->47034 46975 40cc0d 46974->46975 46976 41246e 3 API calls 46975->46976 46978 40cc14 46976->46978 46977 40cc2c 46977->46411 46978->46977 46979 4124b7 3 API calls 46978->46979 46979->46977 46981 401f86 28 API calls 46980->46981 46982 41ae03 46981->46982 46982->46411 46984 41aed5 46983->46984 46985 401f86 28 API calls 46984->46985 46986 41aee7 46985->46986 46986->46411 46987->46427 46989 436050 ___scrt_fastfail 46988->46989 46990 41ac71 GetForegroundWindow GetWindowTextW 46989->46990 46991 403b40 28 API calls 46990->46991 46992 41ac9b 46991->46992 46992->46427 46994 401f66 28 API calls 46993->46994 46995 40e69e 46994->46995 46995->46427 46996->46427 46999 4045ec 46997->46999 46998 43a88c ___crtLCMapStringA 21 API calls 46998->46999 46999->46998 47001 40465b 46999->47001 47002 401f86 28 API calls 46999->47002 47004 401eef 26 API calls 46999->47004 47007 401eea 26 API calls 46999->47007 47075 404688 46999->47075 47086 40455b 59 API calls 46999->47086 47001->46999 47003 404666 47001->47003 47002->46999 47087 4047eb 98 API calls 47003->47087 47004->46999 47006 40466d 47008 401eea 26 API calls 47006->47008 47007->46999 47009 404676 47008->47009 47010 401eea 26 API calls 47009->47010 47011 40467f 47010->47011 47011->46394 47013->46411 47014->46394 47015->46394 47016->46427 47017->46394 47018->46394 47019->46885 47020->46892 47021->46902 47025 404b29 101 API calls 47022->47025 47024 404b26 47025->47024 47026->46919 47027->46961 47028->46940 47029->46955 47030->46950 47031->46921 47032->46929 47033->46970 47037 413619 47034->47037 47038 41362e ___scrt_initialize_default_local_stdio_options 47037->47038 47041 43e2dd 47038->47041 47044 43b030 47041->47044 47045 43b070 47044->47045 47046 43b058 47044->47046 47045->47046 47048 43b078 47045->47048 47068 445354 20 API calls _free 47046->47068 47070 4392de 38 API calls 2 library calls 47048->47070 47050 43b05d 47069 43a827 26 API calls _Deallocate 47050->47069 47051 43b088 47071 43b7b6 20 API calls 2 library calls 47051->47071 47053 43b068 47061 433d2c 47053->47061 47056 43b100 47072 43be24 50 API calls 3 library calls 47056->47072 47057 41363c 47057->46411 47060 43b10b 47073 43b820 20 API calls _free 47060->47073 47062 433d37 IsProcessorFeaturePresent 47061->47062 47063 433d35 47061->47063 47065 4341a4 47062->47065 47063->47057 47074 434168 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 47065->47074 47067 434287 47067->47057 47068->47050 47069->47053 47070->47051 47071->47056 47072->47060 47073->47053 47074->47067 47076 4046a3 47075->47076 47077 4047d8 47076->47077 47080 401eef 26 API calls 47076->47080 47081 401eea 26 API calls 47076->47081 47082 401fbd 28 API calls 47076->47082 47083 401ebd 28 API calls 47076->47083 47085 403b60 28 API calls 47076->47085 47078 401eea 26 API calls 47077->47078 47079 4047e1 47078->47079 47079->47001 47080->47076 47081->47076 47082->47076 47084 404772 CreateEventA CreateThread WaitForSingleObject CloseHandle 47083->47084 47084->47076 47088 414b9b 47084->47088 47085->47076 47086->46999 47087->47006 47089 401fbd 28 API calls 47088->47089 47090 414bbd SetEvent 47089->47090 47091 414bd2 47090->47091 47092 403b60 28 API calls 47091->47092 47093 414bec 47092->47093 47094 401fbd 28 API calls 47093->47094 47095 414bfc 47094->47095 47096 401fbd 28 API calls 47095->47096 47097 414c0e 47096->47097 47098 41afc3 28 API calls 47097->47098 47099 414c17 47098->47099 47100 4161f2 47099->47100 47101 414de3 47099->47101 47102 414c37 GetTickCount 47099->47102 47103 401d8c 26 API calls 47100->47103 47101->47100 47164 414d99 47101->47164 47104 41ad46 28 API calls 47102->47104 47105 4161fb 47103->47105 47106 414c4d 47104->47106 47108 401eea 26 API calls 47105->47108 47167 41aca0 GetLastInputInfo GetTickCount 47106->47167 47110 416207 47108->47110 47111 401eea 26 API calls 47110->47111 47113 416213 47111->47113 47112 414c54 47114 41ad46 28 API calls 47112->47114 47115 414c5f 47114->47115 47116 41ac52 30 API calls 47115->47116 47117 414c6d 47116->47117 47118 41aec8 28 API calls 47117->47118 47119 414c7b 47118->47119 47120 401d64 28 API calls 47119->47120 47121 414c89 47120->47121 47168 4027ec 28 API calls 47121->47168 47123 414c97 47169 40275c 28 API calls 47123->47169 47125 414ca6 47126 4027cb 28 API calls 47125->47126 47127 414cb5 47126->47127 47170 40275c 28 API calls 47127->47170 47129 414cc4 47130 4027cb 28 API calls 47129->47130 47131 414cd0 47130->47131 47171 40275c 28 API calls 47131->47171 47133 414cda 47172 404468 60 API calls ctype 47133->47172 47135 414ce9 47136 401eea 26 API calls 47135->47136 47137 414cf2 47136->47137 47138 401eea 26 API calls 47137->47138 47139 414cfe 47138->47139 47140 401eea 26 API calls 47139->47140 47141 414d0a 47140->47141 47142 401eea 26 API calls 47141->47142 47143 414d16 47142->47143 47144 401eea 26 API calls 47143->47144 47145 414d22 47144->47145 47146 401eea 26 API calls 47145->47146 47147 414d2e 47146->47147 47148 401e13 26 API calls 47147->47148 47149 414d3a 47148->47149 47150 401eea 26 API calls 47149->47150 47151 414d43 47150->47151 47152 401eea 26 API calls 47151->47152 47153 414d4c 47152->47153 47154 401d64 28 API calls 47153->47154 47155 414d57 47154->47155 47156 43a5e7 42 API calls 47155->47156 47157 414d64 47156->47157 47158 414d69 47157->47158 47159 414d8f 47157->47159 47161 414d82 47158->47161 47162 414d77 47158->47162 47160 401d64 28 API calls 47159->47160 47160->47164 47163 404915 104 API calls 47161->47163 47173 4049ba 81 API calls 47162->47173 47166 414d7d 47163->47166 47164->47100 47174 404ab1 83 API calls 47164->47174 47166->47100 47167->47112 47168->47123 47169->47125 47170->47129 47171->47133 47172->47135 47173->47166 47174->47166 47176->46458 47177->46486 47178->46485 47179->46474 47180->46480 47181->46484 47183 40e56a 47182->47183 47184 4124b7 3 API calls 47183->47184 47185 40e60e 47183->47185 47187 40e5fe Sleep 47183->47187 47204 40e59c 47183->47204 47184->47183 47188 4082dc 28 API calls 47185->47188 47186 4082dc 28 API calls 47186->47204 47187->47183 47191 40e619 47188->47191 47190 41ae08 28 API calls 47190->47204 47192 41ae08 28 API calls 47191->47192 47193 40e625 47192->47193 47217 412774 29 API calls 47193->47217 47196 401e13 26 API calls 47196->47204 47197 40e638 47198 401e13 26 API calls 47197->47198 47200 40e644 47198->47200 47199 401f66 28 API calls 47199->47204 47201 401f66 28 API calls 47200->47201 47202 40e655 47201->47202 47205 4126d2 29 API calls 47202->47205 47203 4126d2 29 API calls 47203->47204 47204->47186 47204->47187 47204->47190 47204->47196 47204->47199 47204->47203 47215 40bf04 73 API calls ___scrt_fastfail 47204->47215 47216 412774 29 API calls 47204->47216 47206 40e668 47205->47206 47218 411699 TerminateProcess WaitForSingleObject 47206->47218 47208 40e670 ExitProcess 47219 411637 61 API calls 47211->47219 47216->47204 47217->47197 47218->47208

                                                            Executed Functions

                                                            Function 0041BCE3 Relevance: 115.6, APIs: 40, Strings: 26, Instructions: 140libraryloaderCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            APIs
                                                            • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                                                            • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                                                            • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                                                            • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                                                            • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                                                            • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                            • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                            • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                            • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                                            • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                            • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                                            • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                                            • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                                            • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                            • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BE09
                                                            • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE16
                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BE19
                                                            • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE2B
                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BE2E
                                                            • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE3B
                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
                                                            • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE50
                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BE53
                                                            • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE60
                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041BE63
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressProc$HandleLibraryLoadModule
                                                            • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                            • API String ID: 384173800-625181639
                                                            • Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                            • Instruction ID: 894fbade80705e672e772900be83df88f70523cf1842e1027a1ce5ee2e2841b6
                                                            • Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                            • Instruction Fuzzy Hash: 2831EDA0E4031C7ADA107FB69C49E5B7E9CD944B953110827B508D3162FBBDA9809EEE
                                                            Function 0040D767 Relevance: 88.3, APIs: 13, Strings: 37, Instructions: 799COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 5 40d767-40d7e9 call 41bce3 GetModuleFileNameW call 40e168 call 401fbd * 2 call 41afc3 call 40e8bd call 401d8c call 43e820 22 40d835-40d8fd call 401d64 call 401e8f call 401d64 call 404cbf call 405ce6 call 401eef call 401eea * 2 call 401d64 call 401ebd call 40541d call 401d64 call 404bb1 call 401d64 call 404bb1 5->22 23 40d7eb-40d830 call 40e986 call 401d64 call 401e8f call 40fcba call 40e937 call 40e155 5->23 69 40d950-40d96b call 401d64 call 40b125 22->69 70 40d8ff-40d94a call 4085b4 call 401eef call 401eea call 401e8f call 4124b7 22->70 49 40dc96-40dca7 call 401eea 23->49 79 40d9a5-40d9ac call 40bed7 69->79 80 40d96d-40d98c call 401e8f call 4124b7 69->80 70->69 100 40e134-40e154 call 401e8f call 412902 call 4112b5 70->100 88 40d9b5-40d9bc 79->88 89 40d9ae-40d9b0 79->89 80->79 99 40d98e-40d9a4 call 401e8f call 412902 80->99 94 40d9c0-40d9cc call 41a463 88->94 95 40d9be 88->95 93 40dc95 89->93 93->49 104 40d9d5-40d9d9 94->104 105 40d9ce-40d9d0 94->105 95->94 99->79 108 40da18-40da2b call 401d64 call 401e8f 104->108 109 40d9db call 40697b 104->109 105->104 127 40da32-40daba call 401d64 call 41ae08 call 401e18 call 401e13 call 401d64 call 401e8f call 401d64 call 401e8f call 401d64 call 401e8f call 401d64 call 401e8f 108->127 128 40da2d call 4069ba 108->128 117 40d9e0-40d9e2 109->117 120 40d9e4-40d9e9 call 40699d call 4064d0 117->120 121 40d9ee-40da01 call 401d64 call 401e8f 117->121 120->121 121->108 138 40da03-40da09 121->138 163 40db22-40db26 127->163 164 40dabc-40dad5 call 401d64 call 401e8f call 43a611 127->164 128->127 138->108 140 40da0b-40da11 138->140 140->108 142 40da13 call 4064d0 140->142 142->108 166 40dcaa-40dd01 call 436050 call 4022f8 call 401e8f * 2 call 41265d call 4082d7 163->166 167 40db2c-40db33 163->167 164->163 190 40dad7-40db1d call 401d64 call 401e8f call 401d64 call 401e8f call 40c89e call 401e18 call 401e13 164->190 220 40dd06-40dd5c call 401d64 call 401e8f call 401f66 call 401e8f call 4126d2 call 401d64 call 401e8f call 43a5e7 166->220 169 40dbb1-40dbbb call 4082d7 167->169 170 40db35-40dbaf call 401d64 call 401e8f call 401d64 call 401e8f call 401d64 call 401e8f call 401d64 call 401e8f call 401d64 call 401e8f call 40bc67 167->170 176 40dbc0-40dbe4 call 4022f8 call 4338c8 169->176 170->176 197 40dbf3 176->197 198 40dbe6-40dbf1 call 436050 176->198 190->163 203 40dbf5-40dc40 call 401e07 call 43e349 call 4022f8 call 401e8f call 4022f8 call 401e8f call 4128a2 197->203 198->203 258 40dc45-40dc6a call 4338d1 call 401d64 call 40b125 203->258 272 40dd79-40dd7b 220->272 273 40dd5e 220->273 258->220 274 40dc70-40dc91 call 401d64 call 41ae08 call 40e219 258->274 276 40dd81 272->276 277 40dd7d-40dd7f 272->277 275 40dd60-40dd77 call 41beb0 CreateThread 273->275 274->220 292 40dc93 274->292 281 40dd87-40de66 call 401f66 * 2 call 41a686 call 401d64 call 401e8f call 401d64 call 401e8f call 401d64 call 401e8f call 43a5e7 call 401d64 call 401e8f call 401d64 call 401e8f call 401d64 call 401e8f call 401d64 call 401e8f StrToIntA call 409517 call 401d64 call 401e8f 275->281 276->281 277->275 330 40dea1 281->330 331 40de68-40de9f call 43360d call 401d64 call 401e8f CreateThread 281->331 292->93 332 40dea3-40debb call 401d64 call 401e8f 330->332 331->332 343 40def9-40df0c call 401d64 call 401e8f 332->343 344 40debd-40def4 call 43360d call 401d64 call 401e8f CreateThread 332->344 353 40df6c-40df7f call 401d64 call 401e8f 343->353 354 40df0e-40df67 call 401d64 call 401e8f call 401d64 call 401e8f call 40c854 call 401e18 call 401e13 CreateThread 343->354 344->343 365 40df81-40dfb5 call 401d64 call 401e8f call 401d64 call 401e8f call 43a5e7 call 40b95c 353->365 366 40dfba-40dfde call 41a7a2 call 401e18 call 401e13 353->366 354->353 365->366 386 40dfe0-40dfe1 SetProcessDEPPolicy 366->386 387 40dfe3-40dff6 CreateThread 366->387 386->387 391 40e004-40e00b 387->391 392 40dff8-40e002 CreateThread 387->392 396 40e019-40e020 391->396 397 40e00d-40e017 CreateThread 391->397 392->391 398 40e022-40e025 396->398 399 40e033-40e038 396->399 397->396 401 40e073-40e08e call 401e8f call 41246e 398->401 402 40e027-40e031 398->402 404 40e03d-40e06e call 401f66 call 404c9e call 401f66 call 41a686 call 401eea 399->404 413 40e094-40e0d4 call 41ae08 call 401e07 call 412584 call 401e13 call 401e07 401->413 414 40e12a-40e12f call 40cbac call 413fd4 401->414 402->404 404->401 433 40e0ed-40e0f2 DeleteFileW 413->433 414->100 434 40e0f4-40e125 call 41ae08 call 401e07 call 41297a call 401e13 * 2 433->434 435 40e0d6-40e0d9 433->435 434->414 435->434 437 40e0db-40e0e8 Sleep call 401e07 435->437 437->433
                                                            APIs
                                                              • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                                                              • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                                                              • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                                                              • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                                                              • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                                                              • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                              • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                              • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                              • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                                              • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                              • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                                              • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                                              • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                                              • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                                              • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                              • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                                            • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe,00000104), ref: 0040D790
                                                              • Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                            • String ID: (CG$(CG$0DG$Access Level: $Administrator$C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe$Exe$Exe$HM{$Inj$P{$Remcos Agent initialized$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt
                                                            • API String ID: 2830904901-1582729990
                                                            • Opcode ID: d985282723b292a847697baca67a20060ee7dcf01e51df26af1e6cb45a7ba986
                                                            • Instruction ID: 4071723a11783d2da8da933f82134b9c6f3815e49c8d87d463163304bf45e319
                                                            • Opcode Fuzzy Hash: d985282723b292a847697baca67a20060ee7dcf01e51df26af1e6cb45a7ba986
                                                            • Instruction Fuzzy Hash: 4032A360B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E
                                                            Function 004099E4 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 65windowCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1259 4099e4-4099fd 1260 409a63-409a73 GetMessageA 1259->1260 1261 4099ff-409a19 GetModuleHandleA SetWindowsHookExA 1259->1261 1262 409a75-409a8d TranslateMessage DispatchMessageA 1260->1262 1263 409a8f 1260->1263 1261->1260 1264 409a1b-409a61 GetLastError call 41ad46 call 404c9e call 401f66 call 41a686 call 401eea 1261->1264 1262->1260 1262->1263 1265 409a91-409a96 1263->1265 1264->1265
                                                            APIs
                                                            • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
                                                            • SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
                                                            • GetLastError.KERNEL32 ref: 00409A1B
                                                              • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
                                                            • TranslateMessage.USER32(?), ref: 00409A7A
                                                            • DispatchMessageA.USER32(?), ref: 00409A85
                                                            Strings
                                                            • Keylogger initialization failure: error , xrefs: 00409A32
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                            • String ID: Keylogger initialization failure: error
                                                            • API String ID: 3219506041-952744263
                                                            • Opcode ID: b25c238cc25c38f6a39b157eec7e909f885e780430bb9e72e24c2f6a8841eb99
                                                            • Instruction ID: 76b292cdb4e6355f9a4176d1f10d626d2d11be3de55f9aee7ae49bf60faff0c2
                                                            • Opcode Fuzzy Hash: b25c238cc25c38f6a39b157eec7e909f885e780430bb9e72e24c2f6a8841eb99
                                                            • Instruction Fuzzy Hash: 201194716043015BC710AB7AAC4996B77ECAB94B15B10057FFC45D2291FB34DE01CBAB
                                                            Function 0040E54F Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 88sleepCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                              • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                              • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
                                                            • Sleep.KERNEL32(00000BB8), ref: 0040E603
                                                            • ExitProcess.KERNEL32 ref: 0040E672
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseExitOpenProcessQuerySleepValue
                                                            • String ID: 5.3.0 Pro$HM{$override$pth_unenc
                                                            • API String ID: 2281282204-729061816
                                                            • Opcode ID: f180ab47f223277a7e4a5a7b30372dd52af8f2688aadcd4541f101f1d00d282c
                                                            • Instruction ID: 346becae97c590b24629de205d3f766cc2ad037e5fc603921d36f10068cff0f4
                                                            • Opcode Fuzzy Hash: f180ab47f223277a7e4a5a7b30372dd52af8f2688aadcd4541f101f1d00d282c
                                                            • Instruction Fuzzy Hash: 6B21A131B0030027C608767A891BA6F359A9B91719F90443EF805A76D7EE7D8A6083DF
                                                            Function 00404915 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 60timethreadCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1419 404915-404924 1420 4049b1 1419->1420 1421 40492a-404931 1419->1421 1422 4049b3-4049b7 1420->1422 1423 404933-404937 1421->1423 1424 404939-404940 1421->1424 1425 404987-4049af CreateEventA CreateThread 1423->1425 1424->1425 1426 404942-404982 GetLocalTime call 41ad46 call 404c9e call 401f66 call 41a686 call 401eea 1424->1426 1425->1422 1426->1425
                                                            APIs
                                                            • GetLocalTime.KERNEL32(00000001,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404946
                                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404994
                                                            • CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7
                                                            Strings
                                                            • KeepAlive | Enabled | Timeout: , xrefs: 0040495C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Create$EventLocalThreadTime
                                                            • String ID: KeepAlive | Enabled | Timeout:
                                                            • API String ID: 2532271599-1507639952
                                                            • Opcode ID: 35453c4289c9b9740e7d5fc02d345a9090b78ad88d17a20c74762e0b12e92854
                                                            • Instruction ID: c7daaf492e0cec12b0841424890a61be8e5b61f5a3177df3d8f4b9063cedc03f
                                                            • Opcode Fuzzy Hash: 35453c4289c9b9740e7d5fc02d345a9090b78ad88d17a20c74762e0b12e92854
                                                            • Instruction Fuzzy Hash: 38113AB19042547AC710A7BA8C49BCB7F9C9F86364F00407BF40462192C7789845CBFA
                                                            Function 0043293A Relevance: 4.5, APIs: 3, Instructions: 30encryptionCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326C2,00000024,?,?,?), ref: 0043294C
                                                            • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBBE,?), ref: 00432962
                                                            • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBBE,?), ref: 00432974
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Crypt$Context$AcquireRandomRelease
                                                            • String ID:
                                                            • API String ID: 1815803762-0
                                                            • Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                            • Instruction ID: 80435fde6f6b62f03973a002229794bf261f16e8857de4c024377aa862d1bdf3
                                                            • Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                            • Instruction Fuzzy Hash: 11E06D31308211BBEB310E25BC08F573F94AF89B71F71053AB211E40E4C2A188419A1C
                                                            Function 0041A7A2 Relevance: 3.0, APIs: 2, Instructions: 40COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetComputerNameExW.KERNEL32(00000001,?,0000002B,00474358), ref: 0041A7BF
                                                            • GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7D7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Name$ComputerUser
                                                            • String ID:
                                                            • API String ID: 4229901323-0
                                                            • Opcode ID: d080141cef9e3990b2f6bec53120ee530cdf67b1126702e4f13589ad74e7334c
                                                            • Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
                                                            • Opcode Fuzzy Hash: d080141cef9e3990b2f6bec53120ee530cdf67b1126702e4f13589ad74e7334c
                                                            • Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98
                                                            Function 0040E679 Relevance: 1.5, APIs: 1, Instructions: 19COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A10,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: InfoLocale
                                                            • String ID:
                                                            • API String ID: 2299586839-0
                                                            • Opcode ID: 2f0bd58ff2c46692be8fd04023cab22914861fe3b087e1ba55e03f3e1b92ba33
                                                            • Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
                                                            • Opcode Fuzzy Hash: 2f0bd58ff2c46692be8fd04023cab22914861fe3b087e1ba55e03f3e1b92ba33
                                                            • Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1
                                                            Function 004260F7 Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: recv
                                                            • String ID:
                                                            • API String ID: 1507349165-0
                                                            • Opcode ID: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                            • Instruction ID: fbcf0fb35859d26dd0bec2a34c6193cd90ff2e5205aa97c5c9b80f8ed11fde70
                                                            • Opcode Fuzzy Hash: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                            • Instruction Fuzzy Hash: 35B09279118202FFCA051B60DC0887ABEBAABCC381F108D2DB586501B0CA37C451AB26
                                                            Function 00413FD4 Relevance: 51.6, APIs: 5, Strings: 24, Instructions: 813sleepnetworkCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 447 413fd4-41401f call 401faa call 41aa73 call 401faa call 401d64 call 401e8f call 43a5e7 460 414021-414028 Sleep 447->460 461 41402e-41407c call 401f66 call 401d64 call 401fbd call 41afc3 call 404262 call 401d64 call 40b125 447->461 460->461 476 4140f0-41418a call 401f66 call 401d64 call 401fbd call 41afc3 call 401d64 * 2 call 4085b4 call 4027cb call 401eef call 401eea * 2 call 401d64 call 405422 461->476 477 41407e-4140ed call 401d64 call 4022f8 call 401d64 call 401e8f call 401d64 call 4022f8 call 401d64 call 401e8f call 401d64 call 4022f8 call 401d64 call 401e8f call 404101 461->477 530 41419a-4141a1 476->530 531 41418c-414198 476->531 477->476 532 4141a6-414242 call 40541d call 404cbf call 405ce6 call 4027cb call 401f66 call 41a686 call 401eea * 2 call 401d64 call 401e8f call 401d64 call 401e8f call 413f9a 530->532 531->532 559 414244-41428a WSAGetLastError call 41bc76 call 404c9e call 401f66 call 41a686 call 401eea 532->559 560 41428f-41429d call 4041f1 532->560 583 414b54-414b66 call 4047eb call 4020b4 559->583 565 4142ca-4142df call 404915 call 40428c 560->565 566 41429f-4142c5 call 401f66 * 2 call 41a686 560->566 582 4142e5-414432 call 401d64 * 2 call 404cbf call 405ce6 call 4027cb call 405ce6 call 4027cb call 401f66 call 41a686 call 401eea * 4 call 41a96d call 413683 call 4082dc call 440c51 call 401d64 call 401fbd call 4022f8 call 401e8f * 2 call 41265d 565->582 565->583 566->583 647 414434-414441 call 40541d 582->647 648 414446-41446d call 401e8f call 412513 582->648 596 414b68-414b88 call 401d64 call 401e8f call 43a5e7 Sleep 583->596 597 414b8e-414b96 call 401d8c 583->597 596->597 597->476 647->648 654 414474-414830 call 403b40 call 40cbf1 call 41adee call 41aec8 call 41ad46 call 401d64 GetTickCount call 41ad46 call 41aca0 call 41ad46 * 2 call 41ac52 call 41aec8 * 5 call 40e679 call 41aec8 call 4027ec call 40275c call 4027cb call 40275c call 4027cb * 3 call 40275c call 4027cb call 405ce6 call 4027cb call 405ce6 call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 40275c call 4027cb call 405ce6 call 4027cb * 5 call 40275c call 4027cb call 40275c call 4027cb * 7 call 40275c 648->654 655 41446f-414471 648->655 781 414832 call 404468 654->781 655->654 782 414837-414abb call 401eea * 50 call 401e13 call 401eea * 6 call 401e13 call 4045d5 781->782 900 414ac0-414ac7 782->900 901 414ac9-414ad0 900->901 902 414adb-414ae2 900->902 901->902 905 414ad2-414ad4 901->905 903 414ae4-414ae9 call 40a767 902->903 904 414aee-414b20 call 405415 call 401f66 * 2 call 41a686 902->904 903->904 916 414b22-414b2e CreateThread 904->916 917 414b34-414b4f call 401eea * 2 call 401e13 904->917 905->902 916->917 917->583
                                                            APIs
                                                            • Sleep.KERNEL32(00000000,00000029,004742F8,?,00000000), ref: 00414028
                                                            • WSAGetLastError.WS2_32 ref: 00414249
                                                            • Sleep.KERNEL32(00000000,00000002), ref: 00414B88
                                                              • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Sleep$ErrorLastLocalTime
                                                            • String ID: | $%I64u$5.3.0 Pro$C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$HM{$P{$TLS Off$TLS On $TUF$XCG$XCG$XCG$`=G$dCG$hlight$name$>G$>G
                                                            • API String ID: 524882891-1236201116
                                                            • Opcode ID: 7f34964a68ebb1278d86fdf668c67ce0ae309ce2e716e22ab72244e28e7546a4
                                                            • Instruction ID: a0bb0b13232d9f5991351636829aab2dda2428bc81dc0b9639db3628de0ead2f
                                                            • Opcode Fuzzy Hash: 7f34964a68ebb1278d86fdf668c67ce0ae309ce2e716e22ab72244e28e7546a4
                                                            • Instruction Fuzzy Hash: 58524E31A001145ADB18F771DDA6AEE73A59F90708F1041BFB80A771E2EF385E85CA9D
                                                            Function 00409E48 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 163sleepCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            APIs
                                                            • Sleep.KERNEL32(00001388), ref: 00409E62
                                                              • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                              • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                              • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                              • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                            • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
                                                            • GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
                                                            • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
                                                            • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
                                                              • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                            • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A049
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                            • String ID: P{$XCG$XCG$xAG$xAG
                                                            • API String ID: 3795512280-1144004278
                                                            • Opcode ID: 478d1cbae2b352f7a85ddd3b94cb29f0f84926477ce6454f32d463d399d219e0
                                                            • Instruction ID: b7dfc09a395f5416f32c5fe597dbb364f69b6ed32616efff49b152d1c9b912f4
                                                            • Opcode Fuzzy Hash: 478d1cbae2b352f7a85ddd3b94cb29f0f84926477ce6454f32d463d399d219e0
                                                            • Instruction Fuzzy Hash: 30518D716043005ACB05BB72D866ABF769AAFD1309F00053FF886B71E2DF3D9D44869A
                                                            Function 0040428C Relevance: 19.4, APIs: 4, Strings: 7, Instructions: 147networkCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1022 40428c-4042ad connect 1023 4043e1-4043e5 1022->1023 1024 4042b3-4042b6 1022->1024 1027 4043e7-4043f5 WSAGetLastError 1023->1027 1028 40445f 1023->1028 1025 4043da-4043dc 1024->1025 1026 4042bc-4042bf 1024->1026 1029 404461-404465 1025->1029 1030 4042c1-4042e8 call 404cbf call 401f66 call 41a686 1026->1030 1031 4042eb-4042f5 call 420151 1026->1031 1027->1028 1032 4043f7-4043fa 1027->1032 1028->1029 1030->1031 1042 404306-404313 call 420373 1031->1042 1043 4042f7-404301 1031->1043 1035 404439-40443e 1032->1035 1036 4043fc-404437 call 41bc76 call 404c9e call 401f66 call 41a686 call 401eea 1032->1036 1039 404443-40445c call 401f66 * 2 call 41a686 1035->1039 1036->1028 1039->1028 1056 404315-404338 call 401f66 * 2 call 41a686 1042->1056 1057 40434c-404357 call 420f34 1042->1057 1043->1039 1083 40433b-404347 call 420191 1056->1083 1068 404389-404396 call 4202ea 1057->1068 1069 404359-404387 call 401f66 * 2 call 41a686 call 420592 1057->1069 1080 404398-4043bb call 401f66 * 2 call 41a686 1068->1080 1081 4043be-4043d7 CreateEventW * 2 1068->1081 1069->1083 1080->1081 1081->1025 1083->1028
                                                            APIs
                                                            • connect.WS2_32(?,?,?), ref: 004042A5
                                                            • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
                                                            • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
                                                            • WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
                                                              • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                            • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                            • API String ID: 994465650-2151626615
                                                            • Opcode ID: da33fcb12fc8fa225914991ff724b524bff1c68ebbc9632bded2e3fb966eaf16
                                                            • Instruction ID: b196b808fbc66b1ac8da6b4b51d7f626a0d3d22bc4cde50e21f83cd2c7739b74
                                                            • Opcode Fuzzy Hash: da33fcb12fc8fa225914991ff724b524bff1c68ebbc9632bded2e3fb966eaf16
                                                            • Instruction Fuzzy Hash: ED4128B1B00202A7CB04B77A8C5B66D7A55AB81368B40007FF901676D3EE7DAD6087DF
                                                            Function 0040A3F4 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 158sleepCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            APIs
                                                            • __Init_thread_footer.LIBCMT ref: 0040A456
                                                            • Sleep.KERNEL32(000001F4), ref: 0040A461
                                                            • GetForegroundWindow.USER32 ref: 0040A467
                                                            • GetWindowTextLengthW.USER32(00000000), ref: 0040A470
                                                            • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
                                                            • Sleep.KERNEL32(000003E8), ref: 0040A574
                                                              • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                            • String ID: [${ User has been idle for $ minutes }$]
                                                            • API String ID: 911427763-3954389425
                                                            • Opcode ID: 547a7cfd8ecb315c382de053530a614a00025319d5b4f46ac54375dc0518001e
                                                            • Instruction ID: 0ecdfa35f4bf358d0b6072dbfc0ad8fc4f94b2a12b5a089c7f39fa9b67fb4d59
                                                            • Opcode Fuzzy Hash: 547a7cfd8ecb315c382de053530a614a00025319d5b4f46ac54375dc0518001e
                                                            • Instruction Fuzzy Hash: C451DF316083005BC614FB21D84AAAE7794BF84318F50493FF846A62E2EF7C9E55C69F
                                                            Function 0040C89E Relevance: 17.6, APIs: 1, Strings: 9, Instructions: 139COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1177 40c89e-40c8c3 call 401e52 1180 40c8c9 1177->1180 1181 40c9ed-40ca13 call 401e07 GetLongPathNameW call 403b40 1177->1181 1183 40c8d0-40c8d5 1180->1183 1184 40c9c2-40c9c7 1180->1184 1185 40c905-40c90a 1180->1185 1186 40c9d8 1180->1186 1187 40c9c9-40c9ce call 43ac0f 1180->1187 1188 40c8da-40c8e8 call 41a74b call 401e18 1180->1188 1189 40c8fb-40c900 1180->1189 1190 40c9bb-40c9c0 1180->1190 1191 40c90f-40c916 call 41b15b 1180->1191 1204 40ca18-40ca85 call 403b40 call 40cc37 call 402860 * 2 call 401e13 * 5 1181->1204 1193 40c9dd-40c9e2 call 43ac0f 1183->1193 1184->1193 1185->1193 1186->1193 1201 40c9d3-40c9d6 1187->1201 1208 40c8ed 1188->1208 1189->1193 1190->1193 1205 40c918-40c968 call 403b40 call 43ac0f call 403b40 call 402860 call 401e18 call 401e13 * 2 1191->1205 1206 40c96a-40c9b6 call 403b40 call 43ac0f call 403b40 call 402860 call 401e18 call 401e13 * 2 1191->1206 1207 40c9e3-40c9e8 call 4082d7 1193->1207 1201->1186 1201->1207 1213 40c8f1-40c8f6 call 401e13 1205->1213 1206->1208 1207->1181 1208->1213 1213->1181
                                                            APIs
                                                            • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040CA04
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: LongNamePath
                                                            • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                            • API String ID: 82841172-425784914
                                                            • Opcode ID: f411b4bda197469a8f5fa6f0702ce682b0f23decd79daaf3752e96957329e7a7
                                                            • Instruction ID: 51cedb133b73bca78a9fc1065318242b3d6e678e936cb09da4a185c9a299c852
                                                            • Opcode Fuzzy Hash: f411b4bda197469a8f5fa6f0702ce682b0f23decd79daaf3752e96957329e7a7
                                                            • Instruction Fuzzy Hash: 39413A721442009BC214FB21DD96DAFB7A4AE90759F10063FB546720E2EE7CAA49C69F
                                                            Function 0041A51B Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 68networkfileCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1323 41a51b-41a55a call 401faa call 43a88c InternetOpenW InternetOpenUrlW 1328 41a55c-41a57d InternetReadFile 1323->1328 1329 41a5a3-41a5a6 1328->1329 1330 41a57f-41a59f call 401f86 call 402f08 call 401eea 1328->1330 1332 41a5a8-41a5aa 1329->1332 1333 41a5ac-41a5b9 InternetCloseHandle * 2 call 43a887 1329->1333 1330->1329 1332->1328 1332->1333 1336 41a5be-41a5c8 1333->1336
                                                            APIs
                                                            • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A53E
                                                            • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A554
                                                            • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A56D
                                                            • InternetCloseHandle.WININET(00000000), ref: 0041A5B3
                                                            • InternetCloseHandle.WININET(00000000), ref: 0041A5B6
                                                            Strings
                                                            • http://geoplugin.net/json.gp, xrefs: 0041A54E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Internet$CloseHandleOpen$FileRead
                                                            • String ID: http://geoplugin.net/json.gp
                                                            • API String ID: 3121278467-91888290
                                                            • Opcode ID: a574e59ae2a6d8659b3b708bfc28c48046a6cfc8e174729ee45d25f2e2c52857
                                                            • Instruction ID: 402fbdb1aff19a1981f8347c65821a4f206ec005c70a85ea4635686413b1fe25
                                                            • Opcode Fuzzy Hash: a574e59ae2a6d8659b3b708bfc28c48046a6cfc8e174729ee45d25f2e2c52857
                                                            • Instruction Fuzzy Hash: 2711C87110A3126BD214AA169C45DBF7FDCEF46365F00053EF905D2191DB689C48C6B6
                                                            Function 0041A463 Relevance: 10.6, APIs: 1, Strings: 5, Instructions: 59COMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            APIs
                                                              • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                              • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
                                                              • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                              • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                              • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                                            • StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4D9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Process$CloseCurrentOpenQueryValueWow64
                                                            • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                            • API String ID: 782494840-2070987746
                                                            • Opcode ID: 2b18f229538df81ea9d982a80dc21e3ef646ce9f87e0def4b65cb5a9171dabf9
                                                            • Instruction ID: 19977b185b3bcff34fa520d2ecc4782d624f476aadfe6515b429a208ce335d2f
                                                            • Opcode Fuzzy Hash: 2b18f229538df81ea9d982a80dc21e3ef646ce9f87e0def4b65cb5a9171dabf9
                                                            • Instruction Fuzzy Hash: EF11E9A060020166C704B365DCABDBF765ADB90304F50443FB906E31D2EB6C9E9683EE
                                                            Function 00409D97 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 58sleepfileCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1365 409d97-409da7 1366 409e44-409e47 1365->1366 1367 409dad-409daf 1365->1367 1368 409db2-409dd8 call 401e07 CreateFileW 1367->1368 1371 409e18 1368->1371 1372 409dda-409de8 GetFileSize 1368->1372 1375 409e1b-409e1f 1371->1375 1373 409dea 1372->1373 1374 409e0f-409e16 CloseHandle 1372->1374 1376 409df4-409dfb 1373->1376 1377 409dec-409df2 1373->1377 1374->1375 1375->1368 1378 409e21-409e24 1375->1378 1380 409e04-409e09 Sleep 1376->1380 1381 409dfd-409dff call 40a7f0 1376->1381 1377->1374 1377->1376 1378->1366 1379 409e26-409e2d 1378->1379 1379->1366 1382 409e2f-409e3f call 4082dc call 4098a5 1379->1382 1380->1374 1381->1380 1382->1366
                                                            APIs
                                                            • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                            • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                            • Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$CloseCreateHandleSizeSleep
                                                            • String ID: `AG
                                                            • API String ID: 1958988193-3058481221
                                                            • Opcode ID: b0d5ab9d96485228d01e653f577d9a536d0e325b1c446dee4fcf46d6e6ae2c45
                                                            • Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
                                                            • Opcode Fuzzy Hash: b0d5ab9d96485228d01e653f577d9a536d0e325b1c446dee4fcf46d6e6ae2c45
                                                            • Instruction Fuzzy Hash: 3A11C4303407406AE731E764E88962B7A9AAB91311F44057EF18562AE3D7389CD1829D
                                                            Function 004126D2 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 37registryCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            • Executed
                                                            • Not Executed
                                                            control_flow_graph 1387 4126d2-4126e9 RegCreateKeyA 1388 412722 1387->1388 1389 4126eb-412720 call 4022f8 call 401e8f RegSetValueExA RegCloseKey 1387->1389 1391 412724-412730 call 401eea 1388->1391 1389->1391
                                                            APIs
                                                            • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                                                            • RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                                                            • RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseCreateValue
                                                            • String ID: HgF$pth_unenc
                                                            • API String ID: 1818849710-3662775637
                                                            • Opcode ID: 1bd7bc63bfcb718f8a00b857ba0206b1347799401e36ec3cc1597cb67c32c774
                                                            • Instruction ID: d7c223529d0a909ac1d5b5cf1be9cbd74eb10d05c00374dbcf2eb8abb0eb8976
                                                            • Opcode Fuzzy Hash: 1bd7bc63bfcb718f8a00b857ba0206b1347799401e36ec3cc1597cb67c32c774
                                                            • Instruction Fuzzy Hash: 98F09032040104FBCB019FA0ED55EEF37ACEF04751F108139FD06A61A1EA75DE04EA94
                                                            Function 004098A5 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 70threadCOMMON
                                                            Download Yara Rule

                                                            Control-flow Graph

                                                            APIs
                                                            • CreateThread.KERNEL32(00000000,00000000,004099A9,?,00000000,00000000), ref: 0040992A
                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040993A
                                                            • CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 00409946
                                                              • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                              • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateThread$LocalTimewsprintf
                                                            • String ID: Offline Keylogger Started
                                                            • API String ID: 465354869-4114347211
                                                            • Opcode ID: 12a7e14b742792f2f7edc51aeeb20cb2f460560c35512bbf3bc1a56244271605
                                                            • Instruction ID: 73cd13916ef890eca76c0e29a3751801184202c96e3ca0ae9416a03768ca9078
                                                            • Opcode Fuzzy Hash: 12a7e14b742792f2f7edc51aeeb20cb2f460560c35512bbf3bc1a56244271605
                                                            • Instruction Fuzzy Hash: CF11ABB15003097AD220BA36DC87CBF765CDA813A8B40053EF845225D3EA785E54C6FB
                                                            Function 004127D5 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31registryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                            • RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                            • RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseCreateValue
                                                            • String ID: TUF
                                                            • API String ID: 1818849710-3431404234
                                                            • Opcode ID: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                            • Instruction ID: 4d8f19d4f5fba69279ea975c705bdc3302fb28fe13ea63ccb444db4f968143a5
                                                            • Opcode Fuzzy Hash: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                            • Instruction Fuzzy Hash: 8DE03071540204BFEF115B909C05FDB3BA8EB05B95F004161FA05F6191D271CE14D7A4
                                                            Function 00404688 Relevance: 6.1, APIs: 4, Instructions: 121synchronizationthreadCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
                                                            • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
                                                            • CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                            • String ID:
                                                            • API String ID: 3360349984-0
                                                            • Opcode ID: 72b013782cf94b1f3d34b8331976b904c6ebf93714f67b57431e08570f282644
                                                            • Instruction ID: f4983b6e647f91c6eb1a16b69ab68a2f9d5597509a23169db7b615edd0c6cdea
                                                            • Opcode Fuzzy Hash: 72b013782cf94b1f3d34b8331976b904c6ebf93714f67b57431e08570f282644
                                                            • Instruction Fuzzy Hash: 34417171508301ABC700FB61CC55D7FB7E9AFD5315F00093EF892A32E2EA389909866A
                                                            Function 0041B58F Relevance: 6.1, APIs: 4, Instructions: 64fileCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6A5,00000000,00000000,?), ref: 0041B5CE
                                                            • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040A009,?,00000000,00000000), ref: 0041B5EB
                                                            • WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A009,?,00000000,00000000), ref: 0041B5FF
                                                            • CloseHandle.KERNEL32(00000000,?,0040A009,?,00000000,00000000), ref: 0041B60C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$CloseCreateHandlePointerWrite
                                                            • String ID:
                                                            • API String ID: 3604237281-0
                                                            • Opcode ID: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                            • Instruction ID: 083799f3d1f95ebfb1fb2bbe8bc155d348f6fb5eb74ded268dd94cd43ec1eb57
                                                            • Opcode Fuzzy Hash: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                            • Instruction Fuzzy Hash: 7501F5712092157FE6104F28AC89EBB739EEB86379F10063AF552C22C0D725CD8586BE
                                                            Function 00414B9B Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 163COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CountEventTick
                                                            • String ID: >G
                                                            • API String ID: 180926312-1296849874
                                                            • Opcode ID: b5cb131a7c2f10a7017f8f9fce08a13b2cdf8cae7dc8eae255365ddec9097b64
                                                            • Instruction ID: d5b3ec7783a4dd7183bbf31121b5a8e130ff38f85bff4fd723ced1f164cd3d8d
                                                            • Opcode Fuzzy Hash: b5cb131a7c2f10a7017f8f9fce08a13b2cdf8cae7dc8eae255365ddec9097b64
                                                            • Instruction Fuzzy Hash: 1A5170315042409AC624FB71D8A2AEF73A5AFD1314F40853FF94A671E2EF389949C69A
                                                            Function 0040BED7 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13synchronizationCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
                                                            • GetLastError.KERNEL32 ref: 0040BEF1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateErrorLastMutex
                                                            • String ID: (CG
                                                            • API String ID: 1925916568-4210230975
                                                            • Opcode ID: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                                            • Instruction ID: f970ec9d0541ab61c93bafde2a4f59c5c821b48a7874ab2150ad5935bc14b509
                                                            • Opcode Fuzzy Hash: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                                            • Instruction Fuzzy Hash: 75D012707083009BD7181774BC8A77D3555E784703F00417AB90FD55E1CB6888409919
                                                            Function 00412513 Relevance: 4.5, APIs: 3, Instructions: 42registryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                            • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                            • RegCloseKey.KERNEL32(?), ref: 0041255F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseOpenQueryValue
                                                            • String ID:
                                                            • API String ID: 3677997916-0
                                                            • Opcode ID: 1a25bcfb25f4c61a33ed6ceb80866840e5ee7adcdacacd2e2e41860cf5e9bac8
                                                            • Instruction ID: 155fce86b91483c744b9f02885d56de91ccd1cdd8f33956e2d71fd22bd1c87ae
                                                            • Opcode Fuzzy Hash: 1a25bcfb25f4c61a33ed6ceb80866840e5ee7adcdacacd2e2e41860cf5e9bac8
                                                            • Instruction Fuzzy Hash: F0F08176900118BBCB209BA1ED48DEF7FBDEB44751F004066BA06E2150D6749E55DBA8
                                                            Function 0041265D Relevance: 4.5, APIs: 3, Instructions: 41registryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                            • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                            • RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseOpenQueryValue
                                                            • String ID:
                                                            • API String ID: 3677997916-0
                                                            • Opcode ID: f35e7c15da94557ef338f13a10ac7e5db7717a73998ec4005cb99cacd37e3820
                                                            • Instruction ID: c18416eb0b1572374c3e2b3be0649ca89fc6f9e16ed4320a44d925c8ae57db2a
                                                            • Opcode Fuzzy Hash: f35e7c15da94557ef338f13a10ac7e5db7717a73998ec4005cb99cacd37e3820
                                                            • Instruction Fuzzy Hash: BD018131404229FBDF216FA1DC45DDF7F78EF11754F004065BA04A21A1D7758AB5DBA8
                                                            Function 004124B7 Relevance: 4.5, APIs: 3, Instructions: 38registryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                            • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                            • RegCloseKey.KERNEL32(?), ref: 00412500
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseOpenQueryValue
                                                            • String ID:
                                                            • API String ID: 3677997916-0
                                                            • Opcode ID: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                                            • Instruction ID: 3c8b5742b91bab9b7a0bfd6479237677f271592d1db5ef4b45a1d16c6b8d7bbd
                                                            • Opcode Fuzzy Hash: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                                            • Instruction Fuzzy Hash: C0F03A76900208BFDF119FA0AC45FDF7BB9EB04B55F1040A1FA05F6291D670DA54EB98
                                                            Function 0041246E Relevance: 4.5, APIs: 3, Instructions: 32registryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B996,004660E0), ref: 00412485
                                                            • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040B996,004660E0), ref: 00412499
                                                            • RegCloseKey.KERNEL32(?,?,?,0040B996,004660E0), ref: 004124A4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseOpenQueryValue
                                                            • String ID:
                                                            • API String ID: 3677997916-0
                                                            • Opcode ID: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                                                            • Instruction ID: 2a31b93e49ffe9e6f23ef690bd11c8afd6de107f9352384350bf23698ee7218d
                                                            • Opcode Fuzzy Hash: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                                                            • Instruction Fuzzy Hash: 46E06531405234BBDF314BA2AD0DDDB7FACEF16BA17004061BC09A2251D2658E50E6E8
                                                            Function 00409517 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 64COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _wcslen
                                                            • String ID: xAG
                                                            • API String ID: 176396367-2759412365
                                                            • Opcode ID: 5b2808d6a420319a8e352f948dca3b51851caf84ac7e067c3f15d365214f07ca
                                                            • Instruction ID: 4b5f0267b16b6d1f94f05398eea60063c36f9fdec9e789d07f1c8464d26cb595
                                                            • Opcode Fuzzy Hash: 5b2808d6a420319a8e352f948dca3b51851caf84ac7e067c3f15d365214f07ca
                                                            • Instruction Fuzzy Hash: 751193325002049FCB15FF66D8968EF7BA4EF64314B10453FF842622E2EF38A955CB98
                                                            Function 0041A945 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 16COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041A959
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: GlobalMemoryStatus
                                                            • String ID: @
                                                            • API String ID: 1890195054-2766056989
                                                            • Opcode ID: 6a5e85952f382d12afcc854e62baf2dc0b8e461fb7fe04101b075e185c2318ef
                                                            • Instruction ID: dd145fffdacd7bda74fa2c6e5abe56fe406d4b7e613986be5c07feff288e4f4e
                                                            • Opcode Fuzzy Hash: 6a5e85952f382d12afcc854e62baf2dc0b8e461fb7fe04101b075e185c2318ef
                                                            • Instruction Fuzzy Hash: EFD067B99013189FCB20DFA8E945A8DBBF8FB48214F004529E946E3344E774E945CB95
                                                            Function 0044B9BE Relevance: 3.0, APIs: 2, Instructions: 44memoryCOMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            APIs
                                                            • _free.LIBCMT ref: 0044B9DF
                                                              • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                            • RtlReAllocateHeap.NTDLL(00000000,00475D30,?,00000004,00000000,?,0044E90A,00475D30,00000004,?,00475D30,?,?,00443125,00475D30,?), ref: 0044BA1B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocateHeap$_free
                                                            • String ID:
                                                            • API String ID: 1482568997-0
                                                            • Opcode ID: 4aeba00e3fff788b378028bf06d7bcfcb791a64fa1e6dc072cb532da7a87caba
                                                            • Instruction ID: 12956794463f81a5c067cbc08b9f94d22fea268b9007f3edb04f63306941b305
                                                            • Opcode Fuzzy Hash: 4aeba00e3fff788b378028bf06d7bcfcb791a64fa1e6dc072cb532da7a87caba
                                                            • Instruction Fuzzy Hash: D6F0F67210051167FF212A27AC01B6B2B2CDFC27B1F15012BFA18AA292DF6CCC0191EE
                                                            Function 004041F1 Relevance: 3.0, APIs: 2, Instructions: 40networkCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                              • Part of subcall function 00404262: WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                                            • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404252
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateEventStartupsocket
                                                            • String ID:
                                                            • API String ID: 1953588214-0
                                                            • Opcode ID: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                                                            • Instruction ID: 6d5c4ce7eefecebe47fda3b025552a79fd8a61a73b62065855ea20d17e135052
                                                            • Opcode Fuzzy Hash: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                                                            • Instruction Fuzzy Hash: A20171B05087809ED7358F38B8456977FE0AB15314F044DAEF1D697BA1C3B5A481CB18
                                                            Function 0043360D Relevance: 3.0, APIs: 2, Instructions: 38COMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            APIs
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00433DE7
                                                              • Part of subcall function 00437BD7: RaiseException.KERNEL32(?,?,00434411,?,?,?,?,?,?,?,?,00434411,?,0046D644,0041AD75,?), ref: 00437C37
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00433E04
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Exception@8Throw$ExceptionRaise
                                                            • String ID:
                                                            • API String ID: 3476068407-0
                                                            • Opcode ID: a80fbdf5468804761b56489a3a39c56644ed3c61f36a154b7cd34dcf14c41ed8
                                                            • Instruction ID: 1b32a2814776e74a5aaecdac66354fa275a8f3c838098619b8de34dc4906cb01
                                                            • Opcode Fuzzy Hash: a80fbdf5468804761b56489a3a39c56644ed3c61f36a154b7cd34dcf14c41ed8
                                                            • Instruction Fuzzy Hash: 33F02B30C0020D77CB14BEA5E80699D772C4D08319F20923BB920915E1EF7CEB05858D
                                                            Function 0041AC52 Relevance: 3.0, APIs: 2, Instructions: 25COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetForegroundWindow.USER32 ref: 0041AC74
                                                            • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041AC87
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Window$ForegroundText
                                                            • String ID:
                                                            • API String ID: 29597999-0
                                                            • Opcode ID: 1796dd390df28a7f4dbf89d7f01fc1bba1536ee62ee2177b21e7863b89c7f1ab
                                                            • Instruction ID: 3cf16c2a8257e52241c70e3f2477159e0ff99a2dafdd86ddfb3cfc0a4d760bbd
                                                            • Opcode Fuzzy Hash: 1796dd390df28a7f4dbf89d7f01fc1bba1536ee62ee2177b21e7863b89c7f1ab
                                                            • Instruction Fuzzy Hash: 56E04875A0031467EB24A765AC4EFDA766C9704715F0000B9BA19D21C3E9B4EA04CBE4
                                                            Function 00413F9A Relevance: 3.0, APIs: 2, Instructions: 21networkCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • getaddrinfo.WS2_32(00000000,00000000,00000000,00471B28,00474358,00000000,00414240,00000000,00000001), ref: 00413FBC
                                                            • WSASetLastError.WS2_32(00000000), ref: 00413FC1
                                                              • Part of subcall function 00413E37: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                                              • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                                              • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                                              • Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                                              • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413F27
                                                              • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                                              • Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                                              • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                                            • String ID:
                                                            • API String ID: 1170566393-0
                                                            • Opcode ID: de7c912f5844d1f7c2d429620844517faabbfd26de99632591fe9930316e04d8
                                                            • Instruction ID: 9c65b6197a0e8ce5e429e224625e4c370c9a1848c9e97f9a588a6d75e163472b
                                                            • Opcode Fuzzy Hash: de7c912f5844d1f7c2d429620844517faabbfd26de99632591fe9930316e04d8
                                                            • Instruction Fuzzy Hash: 4ED05B326406216FB310575D6D01FFBB5DCDFA67617150077F408D7110D6945D82C3AD
                                                            Function 00446AFF Relevance: 1.5, APIs: 1, Instructions: 32memoryCOMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            APIs
                                                            • RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AllocateHeap
                                                            • String ID:
                                                            • API String ID: 1279760036-0
                                                            • Opcode ID: 382123f4ff15faebfb065adfee4593ee0e25617df91b7722ec70fd9da05ca189
                                                            • Instruction ID: 23017b4f7b15ec8d1e6c8205d578d5100ba2a3a3bb6c043e3f5ab96588fe2cc9
                                                            • Opcode Fuzzy Hash: 382123f4ff15faebfb065adfee4593ee0e25617df91b7722ec70fd9da05ca189
                                                            • Instruction Fuzzy Hash: 16E0E5312002B556FB202A6A9C05F5B7A88DB437A4F160133AC09D62D0CF5CEC4181AF
                                                            Function 00404262 Relevance: 1.5, APIs: 1, Instructions: 15networkCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Startup
                                                            • String ID:
                                                            • API String ID: 724789610-0
                                                            • Opcode ID: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                                                            • Instruction ID: eac2355bac846bce9fd0ddf676e945afe2a4b646382637a0be3cadb4b1fbcda1
                                                            • Opcode Fuzzy Hash: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                                                            • Instruction Fuzzy Hash: E1D012325596084ED610AAB8AC0F8A47B5CD317611F0003BA6CB5826E3E640661CC6AB
                                                            Function 0042610E Relevance: 1.5, APIs: 1, Instructions: 7networkCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: send
                                                            • String ID:
                                                            • API String ID: 2809346765-0
                                                            • Opcode ID: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                                                            • Instruction ID: f30177ef1ac25d972003a71432bbdafa3536f6886768dd9ca1b11e7f0a6bf502
                                                            • Opcode Fuzzy Hash: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                                                            • Instruction Fuzzy Hash: 4FB09279118302BFCA051B60DC0887A7EBAABC9381B108C2CB146512B0CA37C490EB36

                                                            Non-executed Functions

                                                            Function 00406F06 Relevance: 48.1, APIs: 10, Strings: 17, Instructions: 849filesleepCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • SetEvent.KERNEL32(?,?), ref: 00406F28
                                                            • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
                                                            • DeleteFileW.KERNEL32(00000000), ref: 00407018
                                                              • Part of subcall function 0041B42F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,HM{,004742F8), ref: 0041B489
                                                              • Part of subcall function 0041B42F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,HM{,004742F8), ref: 0041B4BB
                                                              • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,HM{,004742F8), ref: 0041B50C
                                                              • Part of subcall function 0041B42F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,HM{,004742F8), ref: 0041B561
                                                              • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,HM{,004742F8), ref: 0041B568
                                                              • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                              • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                              • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                              • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                              • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                              • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                              • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(00000328,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                                              • Part of subcall function 00404468: SetEvent.KERNEL32(00000328,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
                                                            • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
                                                            • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
                                                            • DeleteFileA.KERNEL32(?), ref: 004078CC
                                                              • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
                                                              • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                              • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                            • Sleep.KERNEL32(000007D0), ref: 00407976
                                                            • StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
                                                              • Part of subcall function 0041BB77: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                                                            • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$TTF$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
                                                            • API String ID: 2918587301-184849705
                                                            • Opcode ID: cee1eaa003f0d99ec37409f83af903312ac75341018c76db6d10723a028a15f1
                                                            • Instruction ID: 8a4068a2e00c67808ff4e441dc576a613f01372a1abbdcb91e63f440e0dcd641
                                                            • Opcode Fuzzy Hash: cee1eaa003f0d99ec37409f83af903312ac75341018c76db6d10723a028a15f1
                                                            • Instruction Fuzzy Hash: 60429371A043005BC614F776C8979AE77A99F90718F40493FF946731E2EE3CAA09C69B
                                                            Function 00405042 Relevance: 38.8, APIs: 15, Strings: 7, Instructions: 280pipesleepfileCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • __Init_thread_footer.LIBCMT ref: 0040508E
                                                              • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                                              • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                                              • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                            • __Init_thread_footer.LIBCMT ref: 004050CB
                                                            • CreatePipe.KERNEL32(00475CEC,00475CD4,00475BF8,00000000,0046556C,00000000), ref: 0040515E
                                                            • CreatePipe.KERNEL32(00475CD8,00475CF4,00475BF8,00000000), ref: 00405174
                                                            • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C08,00475CDC), ref: 004051E7
                                                              • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                                              • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                                            • Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
                                                            • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
                                                            • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
                                                              • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                            • WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
                                                            • Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
                                                            • TerminateProcess.KERNEL32(00000000), ref: 004053C1
                                                            • CloseHandle.KERNEL32 ref: 004053CD
                                                            • CloseHandle.KERNEL32 ref: 004053D5
                                                            • CloseHandle.KERNEL32 ref: 004053E7
                                                            • CloseHandle.KERNEL32 ref: 004053EF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                            • String ID: P\G$P\G$P\G$P\G$P\G$SystemDrive$cmd.exe
                                                            • API String ID: 3815868655-81343324
                                                            • Opcode ID: 3962288f67b6343dc351fcf9cfefafb790a27fc5d456e23b5c61f5133e29afc6
                                                            • Instruction ID: b18bac6d60c4c725a58799f80733fb47b3e4e6a61b1262bf76379e9ec18ff918
                                                            • Opcode Fuzzy Hash: 3962288f67b6343dc351fcf9cfefafb790a27fc5d456e23b5c61f5133e29afc6
                                                            • Instruction Fuzzy Hash: A691E5716007056FD705BB65AC41A6F37A8EB80348F50403FF94ABA1E2EEBC9C448B6D
                                                            Function 00410F36 Relevance: 35.2, APIs: 7, Strings: 13, Instructions: 238threadCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetCurrentProcessId.KERNEL32 ref: 00410F45
                                                              • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                              • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                              • Part of subcall function 004127D5: RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                            • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
                                                            • CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6
                                                              • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                              • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                              • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
                                                            • CloseHandle.KERNEL32(00000000), ref: 00410F90
                                                              • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                            • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                                                            • String ID: 0DG$HM{$Remcos restarted by watchdog!$TTF$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                                            • API String ID: 65172268-3998873403
                                                            • Opcode ID: 51674d9ef77ab3affcb4b811ad4559765d13db7ea621b316b6720b079fd226d4
                                                            • Instruction ID: 2ec41641ff7d981187ed77e29e7d519fc89a207972baa733902a05010441332b
                                                            • Opcode Fuzzy Hash: 51674d9ef77ab3affcb4b811ad4559765d13db7ea621b316b6720b079fd226d4
                                                            • Instruction Fuzzy Hash: 97719E3160420157C614FB32D8579AE77A8AED4718F40053FF582A21F2EF7CAA49869F
                                                            Function 0040B335 Relevance: 24.6, APIs: 8, Strings: 6, Instructions: 145fileCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
                                                            • FindClose.KERNEL32(00000000), ref: 0040B3CE
                                                            • FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
                                                            • FindClose.KERNEL32(00000000), ref: 0040B517
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$CloseFile$FirstNext
                                                            • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                            • API String ID: 1164774033-3681987949
                                                            • Opcode ID: 8a573f4cde42bb8974b55a1bb9849f05b01946ec243df485f40a07b19650f4e4
                                                            • Instruction ID: 89bba1744b34cafda07904381260291e44814ca984bf7dbd554ee600cd7873bd
                                                            • Opcode Fuzzy Hash: 8a573f4cde42bb8974b55a1bb9849f05b01946ec243df485f40a07b19650f4e4
                                                            • Instruction Fuzzy Hash: 4D512C319042195ADB14FBA1EC96AEE7768EF50318F50007FF805B31E2EF389A45CA9D
                                                            Function 0040B53A Relevance: 21.1, APIs: 7, Strings: 5, Instructions: 130fileCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
                                                            • FindClose.KERNEL32(00000000), ref: 0040B5CC
                                                            • FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
                                                            • FindClose.KERNEL32(00000000), ref: 0040B6B2
                                                            • FindClose.KERNEL32(00000000), ref: 0040B6D1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$Close$File$FirstNext
                                                            • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                            • API String ID: 3527384056-432212279
                                                            • Opcode ID: e3298efea2014f122d9e4da4ca7a52805c3aaa742dc7125d16785d6f153ddc68
                                                            • Instruction ID: 41d59f58487c11b5b23c2ebc8e3123b77d6604a8f5f59a85184e8f88ff1ca84c
                                                            • Opcode Fuzzy Hash: e3298efea2014f122d9e4da4ca7a52805c3aaa742dc7125d16785d6f153ddc68
                                                            • Instruction Fuzzy Hash: 65413A319042196ACB14F7A1EC569EE7768EE21318F50017FF801B31E2EF399A458A9E
                                                            Function 0040E219 Relevance: 19.5, APIs: 6, Strings: 5, Instructions: 212processCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
                                                            • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
                                                            • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C
                                                              • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                              • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                              • Part of subcall function 004127D5: RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                            • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                                                            • String ID: C:\Program Files(x86)\Internet Explorer\$HM{$Inj$ieinstal.exe$ielowutil.exe
                                                            • API String ID: 726551946-3687924080
                                                            • Opcode ID: c6b8a8b98bbd4d63e6190979d81124dee66bc740cd9cc34f4ffc17523aed10bc
                                                            • Instruction ID: ae31f71cb8b9f969ca9e83e5ca698076ed3bac053ed440982de07d1dc4d90588
                                                            • Opcode Fuzzy Hash: c6b8a8b98bbd4d63e6190979d81124dee66bc740cd9cc34f4ffc17523aed10bc
                                                            • Instruction Fuzzy Hash: ED7172311083019BC714FB61D8519EF77A5BF91358F400D3EF986631E2EF38A959CA9A
                                                            Function 004159C6 Relevance: 18.1, APIs: 12, Instructions: 80clipboardmemoryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • OpenClipboard.USER32 ref: 004159C7
                                                            • EmptyClipboard.USER32 ref: 004159D5
                                                            • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
                                                            • GlobalLock.KERNEL32(00000000), ref: 004159FE
                                                            • GlobalUnlock.KERNEL32(00000000), ref: 00415A34
                                                            • SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
                                                            • CloseClipboard.USER32 ref: 00415A5A
                                                            • OpenClipboard.USER32 ref: 00415A61
                                                            • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                            • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                            • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                            • CloseClipboard.USER32 ref: 00415A89
                                                              • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                            • String ID:
                                                            • API String ID: 3520204547-0
                                                            • Opcode ID: aec1d1bf9f744aaed2c9463717a263a6e62bb038cffa3167de4c184d82277f83
                                                            • Instruction ID: b8e523df9fc7c7245f85f50a48877f09888e29e8b5459684195c928b546a98bf
                                                            • Opcode Fuzzy Hash: aec1d1bf9f744aaed2c9463717a263a6e62bb038cffa3167de4c184d82277f83
                                                            • Instruction Fuzzy Hash: E02183712043009BC714BBB1EC5AAAE76A9AF80752F00453EFD06961E2EF38C845D66A
                                                            Function 0041B42F Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 105fileCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,HM{,004742F8), ref: 0041B489
                                                            • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,HM{,004742F8), ref: 0041B4BB
                                                            • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,HM{,004742F8), ref: 0041B529
                                                            • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,HM{,004742F8), ref: 0041B536
                                                              • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,HM{,004742F8), ref: 0041B50C
                                                            • FindClose.KERNEL32(00000000,?,?,?,?,?,?,HM{,004742F8), ref: 0041B561
                                                            • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,HM{,004742F8), ref: 0041B568
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,HM{,004742F8), ref: 0041B570
                                                            • FindClose.KERNEL32(00000000,?,?,?,?,?,?,HM{,004742F8), ref: 0041B583
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                            • String ID: HM{
                                                            • API String ID: 2341273852-63478934
                                                            • Opcode ID: e3c00313fe9feb441b7390d1c72d337a5a5a4ab260ce0f05f37d8840b2d05d0a
                                                            • Instruction ID: e81c2b0307560c21eb772b723951cbad4d8c7a866ea933437d0d5d39764c0eb1
                                                            • Opcode Fuzzy Hash: e3c00313fe9feb441b7390d1c72d337a5a5a4ab260ce0f05f37d8840b2d05d0a
                                                            • Instruction Fuzzy Hash: 0031627184921CAACB20D7B1AC89ADA77BCAF04309F4405EBF505D3181EB799AC5CE69
                                                            Function 00418754 Relevance: 15.9, APIs: 1, Strings: 8, Instructions: 197COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 0$1$2$3$4$5$6$7
                                                            • API String ID: 0-3177665633
                                                            • Opcode ID: f8af07fa47c58c456c71caf90e41cb852091bf7478b48f1c56509a0c55dbd029
                                                            • Instruction ID: 2879f211a781d1662389055333b9a248a4bc7621c6500268a6892da51c348380
                                                            • Opcode Fuzzy Hash: f8af07fa47c58c456c71caf90e41cb852091bf7478b48f1c56509a0c55dbd029
                                                            • Instruction Fuzzy Hash: CC61A370508301AEDB00EF21D862FEA77E4AF85754F40485EFA91672E1DF789A48C797
                                                            Function 00409B10 Relevance: 15.9, APIs: 8, Strings: 1, Instructions: 108keyboardthreadCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetForegroundWindow.USER32(?,?,004740F8), ref: 00409B3F
                                                            • GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                            • GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                            • GetKeyState.USER32(00000010), ref: 00409B5C
                                                            • GetKeyboardState.USER32(?,?,004740F8), ref: 00409B67
                                                            • ToUnicodeEx.USER32(0047414C,00000000,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                            • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                            • ToUnicodeEx.USER32(0047414C,?,?,?,00000010,00000000,00000000), ref: 00409C1C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                            • String ID: 8[G
                                                            • API String ID: 1888522110-1691237782
                                                            • Opcode ID: 925a5eb4e75251b1def6021025d6fe2bb9c2de734200d7c4e5adce8016dcfecb
                                                            • Instruction ID: f24a8317de74a0bbad47f265c67a45df51816e9018bfad09e00086f3728f1c27
                                                            • Opcode Fuzzy Hash: 925a5eb4e75251b1def6021025d6fe2bb9c2de734200d7c4e5adce8016dcfecb
                                                            • Instruction Fuzzy Hash: EE318172508309AFD700DF90DC85FDBB7ECEB48715F00083ABA45961A1D6B5E948DB96
                                                            Function 00406764 Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 55COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • _wcslen.LIBCMT ref: 00406788
                                                            • CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Object_wcslen
                                                            • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                            • API String ID: 240030777-3166923314
                                                            • Opcode ID: f680b05b7da9254b8b2e62aef58334289a0f3b659c75efd963e3361adaa2c028
                                                            • Instruction ID: dba8c49f7cecafb8ed31af17d29d910bb03d3c12ecd117c8e18c4d6c9c114880
                                                            • Opcode Fuzzy Hash: f680b05b7da9254b8b2e62aef58334289a0f3b659c75efd963e3361adaa2c028
                                                            • Instruction Fuzzy Hash: 811170B2901118AEDB10FAA5884AA9EB7BCDB48714F55007FE905F3281E7789A148A7D
                                                            Function 004198C2 Relevance: 15.2, APIs: 10, Instructions: 228serviceCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004748F8), ref: 004198D8
                                                            • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419927
                                                            • GetLastError.KERNEL32 ref: 00419935
                                                            • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041996D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                            • String ID:
                                                            • API String ID: 3587775597-0
                                                            • Opcode ID: 3890bdb0540eb0e670ed260973a12fdff1d758257f1b422d234bde2ff04c0bf6
                                                            • Instruction ID: 5304d2aa3016a1bb8b693e548c532b43deb082133906afc562c92feca393f19d
                                                            • Opcode Fuzzy Hash: 3890bdb0540eb0e670ed260973a12fdff1d758257f1b422d234bde2ff04c0bf6
                                                            • Instruction Fuzzy Hash: 37812F711083049BC614FB21DC959AFB7A8BF94718F50493EF582521E2EF78AA05CB9A
                                                            Function 00418C69 Relevance: 12.5, APIs: 2, Strings: 5, Instructions: 245fileCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(00000000,?), ref: 00418EBF
                                                            • FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F8B
                                                              • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$Find$CreateFirstNext
                                                            • String ID: P{$XCG$`HG$`HG$>G
                                                            • API String ID: 341183262-960995392
                                                            • Opcode ID: 3672b0363ed14ebe701ddf7546ad45a39a3ac0bcdf08e5ef5de986ef51b215bd
                                                            • Instruction ID: 861c71bda04042c44626cba1538e35c757a91b728f0af2478fb4c1063bb13cc5
                                                            • Opcode Fuzzy Hash: 3672b0363ed14ebe701ddf7546ad45a39a3ac0bcdf08e5ef5de986ef51b215bd
                                                            • Instruction Fuzzy Hash: B08141315042405BC314FB62C892EEFB3A5AFD1718F50493FF946671E2EF389A49C69A
                                                            Function 00412F45 Relevance: 10.9, APIs: 4, Strings: 2, Instructions: 391registrylibraryloaderCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0041301A
                                                            • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00413026
                                                              • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                            • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
                                                            • GetProcAddress.KERNEL32(00000000), ref: 004131F4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressCloseCreateLibraryLoadProcsend
                                                            • String ID: SHDeleteKeyW$Shlwapi.dll
                                                            • API String ID: 2127411465-314212984
                                                            • Opcode ID: 6d16fc55eb7e1bc2564d5e2bd962dd6c4c24ad70318e51b5b1cf054eeb9cb00d
                                                            • Instruction ID: cc67afc49b78d61a2372e1362dfc4f5d4a672f2d1b5b468e2109e7b1f18a6fb5
                                                            • Opcode Fuzzy Hash: 6d16fc55eb7e1bc2564d5e2bd962dd6c4c24ad70318e51b5b1cf054eeb9cb00d
                                                            • Instruction Fuzzy Hash: 4FB1B671A043006BC614BA76CC979BE76989F94718F40063FF946B31E2EF7C9A4486DB
                                                            Function 0040B21B Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 48fileCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
                                                            • GetLastError.KERNEL32 ref: 0040B261
                                                            Strings
                                                            • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
                                                            • [Chrome StoredLogins found, cleared!], xrefs: 0040B287
                                                            • UserProfile, xrefs: 0040B227
                                                            • [Chrome StoredLogins not found], xrefs: 0040B27B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: DeleteErrorFileLast
                                                            • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                            • API String ID: 2018770650-1062637481
                                                            • Opcode ID: 4cd32df34f682fcf287b1bbdb8b1e04e90f5886a02fc20745afa94da3ae3815b
                                                            • Instruction ID: 236ee74dc97b4bdf00ef4875347123a6b81b21ae8e03a402b83ae8c28ff1bd46
                                                            • Opcode Fuzzy Hash: 4cd32df34f682fcf287b1bbdb8b1e04e90f5886a02fc20745afa94da3ae3815b
                                                            • Instruction Fuzzy Hash: 3001A23168410597CA0477B5ED6F8AE3624E921704F50017FF802731E2FF3A9A0586DE
                                                            Function 00416AB7 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 32COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                            • OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                            • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                            • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                            • GetLastError.KERNEL32 ref: 00416B02
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                            • String ID: SeShutdownPrivilege
                                                            • API String ID: 3534403312-3733053543
                                                            • Opcode ID: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                            • Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
                                                            • Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                            • Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5
                                                            Function 00452F00 Relevance: 10.1, APIs: 1, Strings: 4, Instructions: 1381COMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: __floor_pentium4
                                                            • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                            • API String ID: 4168288129-2761157908
                                                            • Opcode ID: 66bc95b00190c33de1dc88885a8d3c2e2540cf288971a00217ef3550ead5f7a6
                                                            • Instruction ID: 57cc16b57fb9b80973019f24a4c29afa226e887048a240d5689d112d8919aadd
                                                            • Opcode Fuzzy Hash: 66bc95b00190c33de1dc88885a8d3c2e2540cf288971a00217ef3550ead5f7a6
                                                            • Instruction Fuzzy Hash: 08C26F72D046288FDB25CE28DD407EAB7B5EB44346F1441EBD84DE7242E778AE898F44
                                                            Function 004089A9 Relevance: 9.3, APIs: 6, Instructions: 288fileCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 004089AE
                                                              • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                              • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                                            • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
                                                            • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
                                                              • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(00000328,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                                              • Part of subcall function 00404468: SetEvent.KERNEL32(00000328,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                                              • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                                                              • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                                                              • Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
                                                              • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
                                                            • String ID:
                                                            • API String ID: 4043647387-0
                                                            • Opcode ID: f69b92a23d02f21f0d56daa60a68a1cd7ec2c2bd959d7a231ee33c7a1f80003d
                                                            • Instruction ID: d7705bc86650fd6632c5f082d335fbcd32bd3fe840799e2454ee74f5ab9ae988
                                                            • Opcode Fuzzy Hash: f69b92a23d02f21f0d56daa60a68a1cd7ec2c2bd959d7a231ee33c7a1f80003d
                                                            • Instruction Fuzzy Hash: 11A15C729001089ACB14EBA1DD92AEDB778AF54318F10427FF546B71D2EF385E498B98
                                                            Function 00419BC4 Relevance: 9.0, APIs: 6, Instructions: 39serviceCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041981A,00000000,00000000), ref: 00419BCD
                                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041981A,00000000,00000000), ref: 00419BE2
                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419BEF
                                                            • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041981A,00000000,00000000), ref: 00419BFA
                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0C
                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Service$CloseHandle$Open$ManagerStart
                                                            • String ID:
                                                            • API String ID: 276877138-0
                                                            • Opcode ID: 6d0f589b7f4ed5c193fffaa70fef351a53496163331b96a9b3d3840ad54bf661
                                                            • Instruction ID: 9ab78235182221d9a13884b701025ebbd4d22640777282bd149d85cf0e5c5631
                                                            • Opcode Fuzzy Hash: 6d0f589b7f4ed5c193fffaa70fef351a53496163331b96a9b3d3840ad54bf661
                                                            • Instruction Fuzzy Hash: 46F0E971404314AFD2115B31FC88DBF2AACEF85BA2B00043AF54193191CF68CD4595B9
                                                            Function 004158B9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 97libraryloadershutdownCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                              • Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                              • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                              • Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                              • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
                                                            • ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
                                                            • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
                                                            • GetProcAddress.KERNEL32(00000000), ref: 00415977
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                            • String ID: PowrProf.dll$SetSuspendState
                                                            • API String ID: 1589313981-1420736420
                                                            • Opcode ID: 24b9d5b97b4806bc27070f5e9ed0cfc4c326b2396989710b1809eee22d884dc4
                                                            • Instruction ID: 94bd0be5b4d635cf3270abd21b93e0cba208aed3fdadf5553bbce7524c8ebf13
                                                            • Opcode Fuzzy Hash: 24b9d5b97b4806bc27070f5e9ed0cfc4c326b2396989710b1809eee22d884dc4
                                                            • Instruction Fuzzy Hash: 7D2150B0604741E6CA14F7B19856AEF225A9F80748F40883FB402A72D2EF7CDC89865E
                                                            Function 004511E3 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetLocaleInfoW.KERNEL32(?,2000000B,?,00000002), ref: 0045127C
                                                            • GetLocaleInfoW.KERNEL32(?,20001004,?,00000002), ref: 004512A5
                                                            • GetACP.KERNEL32 ref: 004512BA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: InfoLocale
                                                            • String ID: ACP$OCP
                                                            • API String ID: 2299586839-711371036
                                                            • Opcode ID: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                                            • Instruction ID: bcb6c1b5649eca6e102b6d6ca9fa22aa61ab34f591545d84575f60c76f210f03
                                                            • Opcode Fuzzy Hash: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                                            • Instruction Fuzzy Hash: 50212722600100A6D7348F54D900BAB73A6AB40B66F1645E6FD09E7322F736DD49C799
                                                            Function 0041A63F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 25COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A650
                                                            • LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A664
                                                            • LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A66B
                                                            • SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67A
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Resource$FindLoadLockSizeof
                                                            • String ID: SETTINGS
                                                            • API String ID: 3473537107-594951305
                                                            • Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                            • Instruction ID: 83a829ee02157d331b98a48cb758db5ec39b6d120b3a3db205f860a33549a403
                                                            • Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                                            • Instruction Fuzzy Hash: 3EE01A3A200710ABCB211BA5BC8CD477E39E7867633140036F90582331DA358850CA59
                                                            Function 004513B7 Relevance: 7.7, APIs: 5, Instructions: 188COMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                              • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                              • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                              • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                              • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                              • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
                                                            • GetUserDefaultLCID.KERNEL32 ref: 004514C3
                                                            • IsValidCodePage.KERNEL32(00000000), ref: 0045151E
                                                            • IsValidLocale.KERNEL32(?,00000001), ref: 0045152D
                                                            • GetLocaleInfoW.KERNEL32(?,00001001,?,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00451575
                                                            • GetLocaleInfoW.KERNEL32(?,00001002,?,00000040), ref: 00451594
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                            • String ID:
                                                            • API String ID: 745075371-0
                                                            • Opcode ID: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                            • Instruction ID: fdda48fcf8ef828b158f806230e01f9d82b9b72a6df542884d0e4dc3e0683d2c
                                                            • Opcode Fuzzy Hash: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                                            • Instruction Fuzzy Hash: 5A51D571900205ABEF10EFA5CC40BBF73B8AF05702F14056BFD11EB262E7789A488769
                                                            Function 00407A8C Relevance: 7.7, APIs: 5, Instructions: 183fileCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 00407A91
                                                            • FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                            • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                            • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Find$File$CloseFirstH_prologNext
                                                            • String ID:
                                                            • API String ID: 1157919129-0
                                                            • Opcode ID: f8d6f61274b0bae339bae7b451de80ad719001fbde1d2d56a94fc198990b07ef
                                                            • Instruction ID: c296e4c637b16ec180f1d25cf2666c4e6f2336455dd814d501b84ef2841b6e91
                                                            • Opcode Fuzzy Hash: f8d6f61274b0bae339bae7b451de80ad719001fbde1d2d56a94fc198990b07ef
                                                            • Instruction Fuzzy Hash: 485173329041085ACB14FB65DD969DD7778AF50318F50417EB806B31E2EF38AB498B99
                                                            Function 00406128 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 222filenetworkCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
                                                            • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
                                                            Strings
                                                            • open, xrefs: 0040622E
                                                            • C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, xrefs: 0040627F, 004063A7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: DownloadExecuteFileShell
                                                            • String ID: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe$open
                                                            • API String ID: 2825088817-2332570929
                                                            • Opcode ID: f0610ef7ed063fd3f7ff7fa235423d12320f7f493cbf0b1c362c018c3e943f78
                                                            • Instruction ID: f68f5450864a8ef507c8d3860f756bd811b48be2db930e76b40a644c5c1bb7bc
                                                            • Opcode Fuzzy Hash: f0610ef7ed063fd3f7ff7fa235423d12320f7f493cbf0b1c362c018c3e943f78
                                                            • Instruction Fuzzy Hash: 0761A33160434067CA14FA76C8569BE77A69F81718F00493FBC46772D6EF3C9A05C69B
                                                            Function 00406AC2 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 86fileCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
                                                            • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
                                                              • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileFind$FirstNextsend
                                                            • String ID: x@G$x@G
                                                            • API String ID: 4113138495-3390264752
                                                            • Opcode ID: b36d87b323ec5cc269eb522c3cc31d9de89321549abc1b076fcc759a7cbe0d3a
                                                            • Instruction ID: 9df0c8526107c53e8273efc1e688d8f669138e67c86485f4ac558c26d22f9560
                                                            • Opcode Fuzzy Hash: b36d87b323ec5cc269eb522c3cc31d9de89321549abc1b076fcc759a7cbe0d3a
                                                            • Instruction Fuzzy Hash: B42147725043015BC714FB61D8959AF77A8AFD1358F40093EF996A31D1EF38AA088A9B
                                                            Function 0041BB77 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 83COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                                              • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                                                              • Part of subcall function 004126D2: RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                                                              • Part of subcall function 004126D2: RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseCreateInfoParametersSystemValue
                                                            • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                            • API String ID: 4127273184-3576401099
                                                            • Opcode ID: 3d360fdf2e78990b0619b3c2804760803c56fcbcebbcac8b827f4f8c51bc1c9b
                                                            • Instruction ID: a6c166168c7895b99543370299e99232025f4d6daba66cbb636fef562e17b9dc
                                                            • Opcode Fuzzy Hash: 3d360fdf2e78990b0619b3c2804760803c56fcbcebbcac8b827f4f8c51bc1c9b
                                                            • Instruction Fuzzy Hash: 06112432B8060433D514303A4E6FBAE1806D356B60FA4415FF6026A6DAFA9E5AE103DF
                                                            Function 0041BB71 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 44COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                                              • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                                                              • Part of subcall function 004126D2: RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                                                              • Part of subcall function 004126D2: RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseCreateInfoParametersSystemValue
                                                            • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                            • API String ID: 4127273184-3576401099
                                                            • Opcode ID: 290b14df9c26221b316741e12bbe5b33507c6e8b124f1908694170e280481710
                                                            • Instruction ID: f2617a255fd7246e173cf48333a5ec3092ca3a632a8680fa2b2f8bd5747a896b
                                                            • Opcode Fuzzy Hash: 290b14df9c26221b316741e12bbe5b33507c6e8b124f1908694170e280481710
                                                            • Instruction Fuzzy Hash: 9EF0623278011422D529357A8E2FBEE1801D796B20F65402FF202A57D6FB8E46D142DE
                                                            Function 00450A7F Relevance: 6.2, APIs: 4, Instructions: 236COMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                              • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                              • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                              • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                            • IsValidCodePage.KERNEL32(00000000), ref: 00450B61
                                                            • _wcschr.LIBVCRUNTIME ref: 00450BF1
                                                            • _wcschr.LIBVCRUNTIME ref: 00450BFF
                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,?,00000000,?), ref: 00450CA2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                            • String ID:
                                                            • API String ID: 4212172061-0
                                                            • Opcode ID: 30824fb3cb19d2287357d207385eed7a408457ce34d3ac4732c67f259351ba65
                                                            • Instruction ID: a02e79dc60b90d06ce6287b0e519d5a2a37574338541b46fb9e412c2f7ec0900
                                                            • Opcode Fuzzy Hash: 30824fb3cb19d2287357d207385eed7a408457ce34d3ac4732c67f259351ba65
                                                            • Instruction Fuzzy Hash: D7613B79600306AAD729AB75CC82AAB73ACEF05316F14052FFD05D7243E778E909C768
                                                            Function 00408DA7 Relevance: 6.2, APIs: 4, Instructions: 206fileCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 00408DAC
                                                            • FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
                                                            • FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileFind$FirstH_prologNext
                                                            • String ID:
                                                            • API String ID: 301083792-0
                                                            • Opcode ID: 0e4e9ac495abe8b57423f5ed93f9f96552df352c1a46bf6d3c996a5919a60c28
                                                            • Instruction ID: 60446431aa0b45b5fc099c057f6d50f3e7887136e12703af2d86415be67689ac
                                                            • Opcode Fuzzy Hash: 0e4e9ac495abe8b57423f5ed93f9f96552df352c1a46bf6d3c996a5919a60c28
                                                            • Instruction Fuzzy Hash: 357140328001099BCB15EBA1DC919EE7778AF54318F10427FE856B71E2EF386E45CB98
                                                            Function 00448057 Relevance: 6.1, APIs: 4, Instructions: 90timeCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • _free.LIBCMT ref: 00448067
                                                              • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                              • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                            • GetTimeZoneInformation.KERNEL32 ref: 00448079
                                                            • WideCharToMultiByte.KERNEL32(00000000,?,0047179C,000000FF,?,0000003F,?,?), ref: 004480F1
                                                            • WideCharToMultiByte.KERNEL32(00000000,?,004717F0,000000FF,?,0000003F,?,?,?,0047179C,000000FF,?,0000003F,?,?), ref: 0044811E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$ErrorFreeHeapInformationLastTimeZone_free
                                                            • String ID:
                                                            • API String ID: 806657224-0
                                                            • Opcode ID: 5e34e117c6e33b8c0844c195e2b7af46f687c91a19e7202acb7e93967a2f0af9
                                                            • Instruction ID: ab6739d36243922ba69d1bbe12a1b6ae93f84769bc63f42ae41568d8b76a7737
                                                            • Opcode Fuzzy Hash: 5e34e117c6e33b8c0844c195e2b7af46f687c91a19e7202acb7e93967a2f0af9
                                                            • Instruction Fuzzy Hash: 8731DA70904205DFEB149F68CC8186EBBF8FF05760B2442AFE054AB2A1DB349A42DB18
                                                            Function 00450E6A Relevance: 4.7, APIs: 3, Instructions: 205COMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                              • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                              • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                              • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                              • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                              • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450EBE
                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F0F
                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FCF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorInfoLastLocale$_free$_abort
                                                            • String ID:
                                                            • API String ID: 2829624132-0
                                                            • Opcode ID: 0004d795c3ddcb7d717e2e5c50f1122ee861edcca01c339632c8702d630a2b0e
                                                            • Instruction ID: e92eb603d23812efeda5bde14236c6fbce748c008cf001f3fb8de25b7fcb8669
                                                            • Opcode Fuzzy Hash: 0004d795c3ddcb7d717e2e5c50f1122ee861edcca01c339632c8702d630a2b0e
                                                            • Instruction Fuzzy Hash: AC61D3365002079FDB289F24CD82BBB77A8EF04706F1041BBED05C6696E778D989DB58
                                                            Function 0043A65D Relevance: 4.6, APIs: 3, Instructions: 78COMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            APIs
                                                            • IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 0043A755
                                                            • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 0043A75F
                                                            • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 0043A76C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                            • String ID:
                                                            • API String ID: 3906539128-0
                                                            • Opcode ID: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                                            • Instruction ID: 15fc2c217458336097e8e19d69e2940e7c5a4b77666d4e23b7e272f62fea865b
                                                            • Opcode Fuzzy Hash: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                                            • Instruction Fuzzy Hash: 2D31D47490121CABCB21DF64D98979DBBB8BF08310F5052EAE81CA7251E7349F81CF49
                                                            Function 00442554 Relevance: 4.5, APIs: 3, Instructions: 20COMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(?,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002,00000000), ref: 00442575
                                                            • TerminateProcess.KERNEL32(00000000,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002,00000000), ref: 0044257C
                                                            • ExitProcess.KERNEL32 ref: 0044258E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Process$CurrentExitTerminate
                                                            • String ID:
                                                            • API String ID: 1703294689-0
                                                            • Opcode ID: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                            • Instruction ID: 6e58600c80f72e94ca833af3256d2da28fe7ef7edb4b61bff2e48710a34f1207
                                                            • Opcode Fuzzy Hash: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                                            • Instruction Fuzzy Hash: 65E08C31004648BFDF016F14EE18A893F29EF10346F408475F80A8A632CFB9DE92CB88
                                                            Function 0041ACC1 Relevance: 4.5, APIs: 3, Instructions: 19nativeCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150C3,00000000), ref: 0041ACCC
                                                            • NtSuspendProcess.NTDLL(00000000), ref: 0041ACD9
                                                            • CloseHandle.KERNEL32(00000000,?,?,004150C3,00000000), ref: 0041ACE2
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Process$CloseHandleOpenSuspend
                                                            • String ID:
                                                            • API String ID: 1999457699-0
                                                            • Opcode ID: 25604720b1c4003eaa4d94084830c6d0564ffd887a8d5c6f711170065f3891c4
                                                            • Instruction ID: f0940f0a464cb9da12e036c8bcda16370f3965740af83b573a45ae51f9acba0f
                                                            • Opcode Fuzzy Hash: 25604720b1c4003eaa4d94084830c6d0564ffd887a8d5c6f711170065f3891c4
                                                            • Instruction Fuzzy Hash: E7D0A733605131638221176A7C0CC87EE6CDFC1EB37024136F404C3220DA30C84186F4
                                                            Function 0041ACED Relevance: 4.5, APIs: 3, Instructions: 19nativeCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150E8,00000000), ref: 0041ACF8
                                                            • NtResumeProcess.NTDLL(00000000), ref: 0041AD05
                                                            • CloseHandle.KERNEL32(00000000,?,?,004150E8,00000000), ref: 0041AD0E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Process$CloseHandleOpenResume
                                                            • String ID:
                                                            • API String ID: 3614150671-0
                                                            • Opcode ID: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
                                                            • Instruction ID: b64f47c6af987b25b68fadd97e6a7e629856a7b738c344dffca8a71896aa998e
                                                            • Opcode Fuzzy Hash: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
                                                            • Instruction Fuzzy Hash: DFD0A733504132638220176A7C0CC87EDADDFC5EB37024236F404C3621DA34C841C6F4
                                                            Function 00447597 Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 37COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475EA
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: InfoLocale
                                                            • String ID: GetLocaleInfoEx
                                                            • API String ID: 2299586839-2904428671
                                                            • Opcode ID: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                                            • Instruction ID: 80a81796b135a3e0eaabc3ca7fb48afb6b687e063e78a0117ef0368584b3b56e
                                                            • Opcode Fuzzy Hash: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                                            • Instruction Fuzzy Hash: 82F0F031A44308BBDB11AF61EC06F6E7B25EF04712F00416AFC046A2A2CB359E11969E
                                                            Function 00440E20 Relevance: 3.5, APIs: 2, Instructions: 464COMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
                                                            • Instruction ID: cffdc6bb8eb20f5336ace8b102e865ec7dcfb2cf624fb46ac032ba80a60d6a90
                                                            • Opcode Fuzzy Hash: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
                                                            • Instruction Fuzzy Hash: 8A024C71E002199BEF14CFA9C9806AEBBF1FF88314F25826AD919E7350D735AD45CB84
                                                            Function 004520D2 Relevance: 1.8, APIs: 1, Instructions: 269COMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            APIs
                                                            • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004520CD,?,?,00000008,?,?,00455412,00000000), ref: 004522FF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ExceptionRaise
                                                            • String ID:
                                                            • API String ID: 3997070919-0
                                                            • Opcode ID: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
                                                            • Instruction ID: 47108b7899804ebb5d40a9255b8f0d240b678f8396b787326aeb691ef157153f
                                                            • Opcode Fuzzy Hash: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
                                                            • Instruction Fuzzy Hash: C0B18F351106089FD715CF28C586B567BE0FF06325F29869AEC99CF3A2C379E986CB44
                                                            Function 00432A49 Relevance: 1.8, Strings: 1, Instructions: 500COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 0
                                                            • API String ID: 0-4108050209
                                                            • Opcode ID: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
                                                            • Instruction ID: f72c02501a8b687524d4eed2bba9748ce27a8789a4669d3223b659a6f876a8a8
                                                            • Opcode Fuzzy Hash: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
                                                            • Instruction Fuzzy Hash: 8002B3727083004BD714DF39D95272EF3E2AFCC758F15492EF499AB391DA78A8058A4A
                                                            Function 004510BA Relevance: 1.6, APIs: 1, Instructions: 83COMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                              • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                              • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                              • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                              • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                                              • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
                                                            • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045110E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$_free$InfoLocale_abort
                                                            • String ID:
                                                            • API String ID: 1663032902-0
                                                            • Opcode ID: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                                            • Instruction ID: 725ff80feb3504da526bb6f16fdbe645276de1ecdd37ac2f1e7666d8a95350e0
                                                            • Opcode Fuzzy Hash: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                                            • Instruction Fuzzy Hash: 2D21B332500606ABDB249A25DC46B7B73A8EB09316F1041BBFE01C6252EB79DD48CB99
                                                            Function 00450D42 Relevance: 1.6, APIs: 1, Instructions: 63COMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                              • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                              • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                              • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                            • EnumSystemLocalesW.KERNEL32(00450E6A,00000001), ref: 00450DB4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                            • String ID:
                                                            • API String ID: 1084509184-0
                                                            • Opcode ID: 9d28c5e255c7ff7bf8c29f4c99fb410e4ec57aee4c7c61eda1ee1a9008b30fc6
                                                            • Instruction ID: b1cdb4a87285138648e71eec5b58018a028c0508cbf90fbfa4a5e64eba390ba2
                                                            • Opcode Fuzzy Hash: 9d28c5e255c7ff7bf8c29f4c99fb410e4ec57aee4c7c61eda1ee1a9008b30fc6
                                                            • Instruction Fuzzy Hash: 9C11293B2007055FDB189F79D8916BAB7A1FF8031AB14442DE94647741D375B846C744
                                                            Function 004512EA Relevance: 1.5, APIs: 1, Instructions: 46COMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                              • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                              • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                              • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                            • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451088,00000000,00000000,?), ref: 00451316
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$InfoLocale_abort_free
                                                            • String ID:
                                                            • API String ID: 2692324296-0
                                                            • Opcode ID: de3708e636430d7d6226d88625fb8e837b1d84cd9ebb77ae463e34ca348812de
                                                            • Instruction ID: 964a9937ac5a020d26487979adcc3deadbef587b10f76395f6381cc8137ce6dd
                                                            • Opcode Fuzzy Hash: de3708e636430d7d6226d88625fb8e837b1d84cd9ebb77ae463e34ca348812de
                                                            • Instruction Fuzzy Hash: 10F07D32500111BBEB286A25CC16BFF7758EB00716F15046BEC06A3651FA38FD49C6D4
                                                            Function 00450DDD Relevance: 1.5, APIs: 1, Instructions: 42COMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                              • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                              • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                              • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                            • EnumSystemLocalesW.KERNEL32(004510BA,00000001), ref: 00450E29
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                            • String ID:
                                                            • API String ID: 1084509184-0
                                                            • Opcode ID: 39b6845edf5822fb0cb5ec1b15846e624abd352d664abc6135ad0e1aa048f885
                                                            • Instruction ID: d323619e2976bd52c5edaa4f55efd93dda7e8b303aa23e489220a9c0c916f3e4
                                                            • Opcode Fuzzy Hash: 39b6845edf5822fb0cb5ec1b15846e624abd352d664abc6135ad0e1aa048f885
                                                            • Instruction Fuzzy Hash: 5BF0223A2003045FDB145F3AD882AAB7B95EF81729B25842EFD058B782D275AC42C644
                                                            Function 004470AE Relevance: 1.5, APIs: 1, Instructions: 34COMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 00444ACC: EnterCriticalSection.KERNEL32(-00471558,?,0044225B,00000000,0046DAC0,0000000C,00442216,0000000A,?,?,00448739,0000000A,?,00446F74,00000001,00000364), ref: 00444ADB
                                                            • EnumSystemLocalesW.KERNEL32(Function_00047068,00000001,0046DC48,0000000C), ref: 004470E6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalEnterEnumLocalesSectionSystem
                                                            • String ID:
                                                            • API String ID: 1272433827-0
                                                            • Opcode ID: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
                                                            • Instruction ID: 877f7ae5c491a2fbf36f534f7b8138893028b6a81f24f5c3744eb9f6a7677366
                                                            • Opcode Fuzzy Hash: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
                                                            • Instruction Fuzzy Hash: F6F04932A10200EFEB04EF68E806B4D77B0EB44725F10816AF414DB2E2DB7889818B49
                                                            Function 00450CF7 Relevance: 1.5, APIs: 1, Instructions: 31COMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                              • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                              • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                              • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                            • EnumSystemLocalesW.KERNEL32(00450C4E,00000001), ref: 00450D2E
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                            • String ID:
                                                            • API String ID: 1084509184-0
                                                            • Opcode ID: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
                                                            • Instruction ID: ec648f77c102ae861fabd43d141f98194b25f4d0b1f390d0839222eb7000fb0b
                                                            • Opcode Fuzzy Hash: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
                                                            • Instruction Fuzzy Hash: CBF05C3D30020557CB159F35D81576B7F94EFC2711B07405AFE098B381C239D846C754
                                                            Function 00433CD7 Relevance: 1.5, APIs: 1, Instructions: 3COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • SetUnhandledExceptionFilter.KERNEL32(Function_00033CE3,004339B1), ref: 00433CDC
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ExceptionFilterUnhandled
                                                            • String ID:
                                                            • API String ID: 3192549508-0
                                                            • Opcode ID: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
                                                            • Instruction ID: 83953e3dca8a62111c248ad4478ddd9c1373f985a30770e5fc8846644fe13ce9
                                                            • Opcode Fuzzy Hash: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
                                                            • Instruction Fuzzy Hash:
                                                            Function 0043CC0C Relevance: 1.5, Strings: 1, Instructions: 214COMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 0
                                                            • API String ID: 0-4108050209
                                                            • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                            • Instruction ID: e47b97b21f836cd03f295ee90de6feb37cae4df0254a032430ab3cefd666e269
                                                            • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                                            • Instruction Fuzzy Hash: C851AC3160070457DF388A6985DA7BF6B959B0E700F18352FE48AFB382C60DED02979E
                                                            Function 00426E73 Relevance: 1.3, Strings: 1, Instructions: 96COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: @
                                                            • API String ID: 0-2766056989
                                                            • Opcode ID: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                                                            • Instruction ID: 4dd25ef8aece06dcbd44762d080e1d81d96ea4c89eb3931c7e752ffea448aa68
                                                            • Opcode Fuzzy Hash: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                                                            • Instruction Fuzzy Hash: 99417576A083158FC314CE29D18021BFBE1FBC8300F568A2EF99693350D679E980CB86
                                                            Function 00437150 Relevance: 1.3, Strings: 1, Instructions: 76COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: >G
                                                            • API String ID: 0-1296849874
                                                            • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                            • Instruction ID: d77b428d8deff70f46db9a150fef47e19855adfe796a652afc1ecdf390514463
                                                            • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                                            • Instruction Fuzzy Hash: D1110BF724C18143EE74862DD8B46B7A795EACE320F2C636BD0C14B758D52A99459908
                                                            Function 0044E92E Relevance: 1.3, APIs: 1, Instructions: 5memoryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: HeapProcess
                                                            • String ID:
                                                            • API String ID: 54951025-0
                                                            • Opcode ID: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                                                            • Instruction ID: 9504a653bcf427532d5064532c05f1d04939bb5561e35e6535c2a7eba45b7a60
                                                            • Opcode Fuzzy Hash: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                                                            • Instruction Fuzzy Hash: 84A00270506201CB57404F756F0525937D9654559170580755409C5571D62585905615
                                                            Function 0044C739 Relevance: .6, Instructions: 637COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: b5ca945c73f96586680b794a2cfc8b55e8f7bc2f58380cec5295694457d85c5e
                                                            • Instruction ID: 1fbb2d6a6e610910e1865e113166bba559d0ad1400e2c5ed2b94208389d41108
                                                            • Opcode Fuzzy Hash: b5ca945c73f96586680b794a2cfc8b55e8f7bc2f58380cec5295694457d85c5e
                                                            • Instruction Fuzzy Hash: 4E323621D2AF014DE7639634C862336A649AFB73C5F19D737F81AB5AA6EB2CC4C34105
                                                            Function 0041E5DF Relevance: .6, Instructions: 606COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: f36ab663cb4d239ef1e0a5f108238eabc662f1d3d061ede5d5b4150ec9228ddd
                                                            • Instruction ID: 2a34495ee4f42e5442afe8381c33b9994a027dd0bc8bc0cc3fe6fc4803c66e78
                                                            • Opcode Fuzzy Hash: f36ab663cb4d239ef1e0a5f108238eabc662f1d3d061ede5d5b4150ec9228ddd
                                                            • Instruction Fuzzy Hash: 9732C1796087469BD714DF2AC4807ABB7E1BF84304F444A2EFC958B381D778DD858B8A
                                                            Function 004267CB Relevance: .4, Instructions: 437COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 51f8d9063bc82676a5307432183369734bf664b3393a643c02daa012ce37ec01
                                                            • Instruction ID: 022d1978040d43b7ea9bbfc0a41ffb8b00617051ae00cac38c3f572af68edcce
                                                            • Opcode Fuzzy Hash: 51f8d9063bc82676a5307432183369734bf664b3393a643c02daa012ce37ec01
                                                            • Instruction Fuzzy Hash: 0D028F717046518FD318CF2EE880536B7E1AF8E301B46863EE585C7395EB74E922CB95
                                                            Function 00426254 Relevance: .4, Instructions: 377COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 74e588301cf54894560b91a60f0e3518b6bdc06a9ff6f3e52f80e31c4ce3b340
                                                            • Instruction ID: dd4ce2a6fae4266494c2f053a510589cf36d02151b1693af83bcfdcd1697f2cb
                                                            • Opcode Fuzzy Hash: 74e588301cf54894560b91a60f0e3518b6bdc06a9ff6f3e52f80e31c4ce3b340
                                                            • Instruction Fuzzy Hash: 55F13B716142548FC314DF1DE89187BB3E0EB8A301B460A2EF5C2D7392DB78E91ADB56
                                                            Function 00431377 Relevance: .4, Instructions: 371COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 7363a9fedaeb76f2bf31ad894624b0994c444190ff40f401d8ef5418a52334f3
                                                            • Instruction ID: a134442df30985c3d9ded0ed06b90328dea8838589cb671b1bd0994677c35241
                                                            • Opcode Fuzzy Hash: 7363a9fedaeb76f2bf31ad894624b0994c444190ff40f401d8ef5418a52334f3
                                                            • Instruction Fuzzy Hash: 60D1A171A083158BC721DE29C88096FB7E4FFD8354F446A2EF88597361EB38DD058B86
                                                            Function 0041D071 Relevance: .3, Instructions: 276COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e7326b31f45d4e50c8c50174bee11f9882207dfed74e31d12f4697374e1987de
                                                            • Instruction ID: 86422b113df266cbb8d28aa4d41e6099a1760efb4c6ea83322c03ecd969c618c
                                                            • Opcode Fuzzy Hash: e7326b31f45d4e50c8c50174bee11f9882207dfed74e31d12f4697374e1987de
                                                            • Instruction Fuzzy Hash: 46B1817951429A8ACB05EF28C4913F63BA1EF6A300F4851B9EC9CCF757D3399506EB24
                                                            Function 00436A8D Relevance: .3, Instructions: 254COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                            • Instruction ID: c2ccfb52f11e3b3b259396a7657262a28929e77abe156aeb413db61674ad6f9a
                                                            • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                            • Instruction Fuzzy Hash: EB91C8722080A319DB2D463E847403FFFE19A563A1B1BA79FD4F2CB2C5EE18D564D624
                                                            Function 00436D48 Relevance: .2, Instructions: 244COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                                            • Instruction ID: 4bc7a19b78b3923bd294324807b23a5e70e392b11aa895e474023c0768c286cc
                                                            • Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                                            • Instruction Fuzzy Hash: 1C91B6762080A35ADB2D463AC43403FFFE15A563A1B1B979FD4F2CB2C5EE18C568D624
                                                            Function 004367C6 Relevance: .2, Instructions: 240COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                            • Instruction ID: 8cd81e8b6c8cb135a2d00aee0b4681899237c427d703fcd1ed6b13232f465ad6
                                                            • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                            • Instruction Fuzzy Hash: 439195722090A35ADB2D463D843403FFFE15E5A3A1B1B979FD4F2CB2C5EE28C5649624
                                                            Function 0043D098 Relevance: .2, Instructions: 237COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                                            • Instruction ID: 3f92c48b0efc6548e9d2ace3e3fdbc0fca8b075b553eb95927f683fa27391a83
                                                            • Opcode Fuzzy Hash: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                                            • Instruction Fuzzy Hash: A4613471E0070867DE385928B896BBF23A8AB0D708F24755BE942DB381D65DDD43C24E
                                                            Function 0043CE3B Relevance: .2, Instructions: 237COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
                                                            • Instruction ID: a817909710d0090f483bb13cdd1d1ee80d6dfae79024daed79820ace932836b2
                                                            • Opcode Fuzzy Hash: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
                                                            • Instruction Fuzzy Hash: E361777160070966DA385A2858D6BBF6396EB0DB04F10391BE943FF3C1D61DAD43874E
                                                            Function 0043651C Relevance: .2, Instructions: 232COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                            • Instruction ID: b40c52ae0115b4061fe2d1036eda9829452ee7622c5651f608d151b30f65a328
                                                            • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                            • Instruction Fuzzy Hash: B081C4722090A319DB2D463E843403FFFE15A563A5B1BA7AFD4F2CB2C5EE18C5649624
                                                            Function 0043C9DD Relevance: .2, Instructions: 214COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                            • Instruction ID: 61f6cd4e2a94a36a6652522188f48ed2bcd63c305fdb574287b7df62abf21a4e
                                                            • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                            • Instruction Fuzzy Hash: BB51677170460D9BDB34E96894E77BFA3899B0E344F18350BD882B7382D60CED02939E
                                                            Function 00426FAD Relevance: .2, Instructions: 186COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 6f0963373f33ef73dbd289fc78ad1b7818d684b7f305e862658b304cf2148f24
                                                            • Instruction ID: 42e819d74c2f676ea4fb49a2469d6a41ac5eaf2d1859dcf64078451750f97267
                                                            • Opcode Fuzzy Hash: 6f0963373f33ef73dbd289fc78ad1b7818d684b7f305e862658b304cf2148f24
                                                            • Instruction Fuzzy Hash: 49614E32A083119FC308DF35E581A5BB7E5FFDC718F550E1EF48996151E674EA088B8A
                                                            Function 00417F9F Relevance: 52.8, APIs: 29, Strings: 1, Instructions: 324windowmemoryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FB9
                                                            • CreateCompatibleDC.GDI32(00000000), ref: 00417FC4
                                                              • Part of subcall function 00418452: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418482
                                                            • CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418045
                                                            • DeleteDC.GDI32(?), ref: 0041805D
                                                            • DeleteDC.GDI32(00000000), ref: 00418060
                                                            • SelectObject.GDI32(00000000,00000000), ref: 0041806B
                                                            • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00418093
                                                            • GetCursorInfo.USER32(?), ref: 004180B5
                                                            • GetIconInfo.USER32(?,?), ref: 004180CB
                                                            • DeleteObject.GDI32(?), ref: 004180FA
                                                            • DeleteObject.GDI32(?), ref: 00418107
                                                            • DrawIcon.USER32(00000000,?,?,?), ref: 00418114
                                                            • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418144
                                                            • GetObjectA.GDI32(?,00000018,?), ref: 00418173
                                                            • LocalAlloc.KERNEL32(00000040,00000028), ref: 004181BC
                                                            • LocalAlloc.KERNEL32(00000040,00000001), ref: 004181DF
                                                            • GlobalAlloc.KERNEL32(00000000,?), ref: 00418248
                                                            • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041826B
                                                            • DeleteDC.GDI32(?), ref: 0041827F
                                                            • DeleteDC.GDI32(00000000), ref: 00418282
                                                            • DeleteObject.GDI32(00000000), ref: 00418285
                                                            • GlobalFree.KERNEL32(00CC0020), ref: 00418290
                                                            • DeleteObject.GDI32(00000000), ref: 00418344
                                                            • GlobalFree.KERNEL32(?), ref: 0041834B
                                                            • DeleteDC.GDI32(?), ref: 0041835B
                                                            • DeleteDC.GDI32(00000000), ref: 00418366
                                                            • DeleteDC.GDI32(?), ref: 00418398
                                                            • DeleteDC.GDI32(00000000), ref: 0041839B
                                                            • DeleteObject.GDI32(?), ref: 004183A1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconInfoLocal$BitmapBitsCursorDisplayDrawEnumSelectSettingsStretch
                                                            • String ID: DISPLAY
                                                            • API String ID: 1352755160-865373369
                                                            • Opcode ID: 1713e221986eac5e09055e201b2983f957a8c2628f8d93144efb6ff1e3dc8593
                                                            • Instruction ID: f05cd178694609e891ba83f5bdf02bb76ea447df34f4969275af8919d08089d1
                                                            • Opcode Fuzzy Hash: 1713e221986eac5e09055e201b2983f957a8c2628f8d93144efb6ff1e3dc8593
                                                            • Instruction Fuzzy Hash: 12C17C31508345AFD3209F25DC44BABBBE9FF88751F04082EF989932A1DB34E945CB5A
                                                            Function 00417245 Relevance: 47.5, APIs: 22, Strings: 5, Instructions: 290libraryloaderthreadCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
                                                            • GetProcAddress.KERNEL32(00000000), ref: 0041728F
                                                            • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
                                                            • GetProcAddress.KERNEL32(00000000), ref: 004172A3
                                                            • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
                                                            • GetProcAddress.KERNEL32(00000000), ref: 004172B7
                                                            • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
                                                            • GetProcAddress.KERNEL32(00000000), ref: 004172CB
                                                            • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
                                                            • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
                                                            • GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
                                                            • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
                                                            • TerminateProcess.KERNEL32(?,00000000), ref: 00417454
                                                            • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
                                                            • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
                                                            • SetThreadContext.KERNEL32(?,00000000), ref: 00417575
                                                            • ResumeThread.KERNEL32(?), ref: 00417582
                                                            • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
                                                            • GetCurrentProcess.KERNEL32(?), ref: 004175A5
                                                            • TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
                                                            • GetLastError.KERNEL32 ref: 004175C7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                            • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                            • API String ID: 4188446516-3035715614
                                                            • Opcode ID: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
                                                            • Instruction ID: f03761d26bac9a2bfb1ad98f85ac7da09ef0bd98ba300517d6d91d37beebd467
                                                            • Opcode Fuzzy Hash: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
                                                            • Instruction Fuzzy Hash: EEA17C71508304AFD7209F65DC45B6B7BF9FF48345F00082AF689C2661E775E984CB6A
                                                            Function 004112B5 Relevance: 43.9, APIs: 17, Strings: 8, Instructions: 189synchronizationsleepfileCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
                                                            • ExitProcess.KERNEL32 ref: 0041151D
                                                              • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                              • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                              • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                              • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                            • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
                                                            • OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
                                                            • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382
                                                              • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                              • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                              • Part of subcall function 004127D5: RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                            • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
                                                            • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
                                                            • GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
                                                            • lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
                                                              • Part of subcall function 0041B58F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040A009,?,00000000,00000000), ref: 0041B5EB
                                                              • Part of subcall function 0041B58F: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A009,?,00000000,00000000), ref: 0041B5FF
                                                              • Part of subcall function 0041B58F: CloseHandle.KERNEL32(00000000,?,0040A009,?,00000000,00000000), ref: 0041B60C
                                                            • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
                                                            • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
                                                            • OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
                                                            • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
                                                            • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1
                                                              • Part of subcall function 0041B58F: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6A5,00000000,00000000,?), ref: 0041B5CE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                                                            • String ID: .exe$0DG$P{$T@$WDH$exepath$open$temp_
                                                            • API String ID: 4250697656-3203480861
                                                            • Opcode ID: a9c2a87f9ee9c69a41b24408484deaf51afa781d98e0db61e01abaa28f191d2a
                                                            • Instruction ID: b1cd6038c3dd2fca16f1d1fb39a824579eeb1b45f376adef666059b0b2e54ae4
                                                            • Opcode Fuzzy Hash: a9c2a87f9ee9c69a41b24408484deaf51afa781d98e0db61e01abaa28f191d2a
                                                            • Instruction Fuzzy Hash: D751B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D
                                                            Function 0040BF04 Relevance: 42.3, APIs: 6, Strings: 18, Instructions: 260registryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                              • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
                                                            • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
                                                            • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
                                                            • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065
                                                              • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_000099A9,00000000,004742F8,pth_unenc,0040BF26,HM{,004742F8,?,pth_unenc), ref: 0040AFC9
                                                              • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                              • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
                                                              • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
                                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
                                                            • ExitProcess.KERNEL32 ref: 0040C287
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                            • String ID: ")$.vbs$HM{$On Error Resume Next$P{$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                                            • API String ID: 3797177996-2745836941
                                                            • Opcode ID: 8eaf99752597ea1a4d10927b3751fb5e27277ddc3ade82d131f2180467ece9db
                                                            • Instruction ID: 1063ce1f4075510d90626cdc8b34ac690c3cf2dc76fa2c9c3337a4c1feab76e8
                                                            • Opcode Fuzzy Hash: 8eaf99752597ea1a4d10927b3751fb5e27277ddc3ade82d131f2180467ece9db
                                                            • Instruction Fuzzy Hash: B78191316042005BC315FB21D862ABF77A9ABD1308F10453FF586A71E2EF7CAD49869E
                                                            Function 0041A1BB Relevance: 42.2, APIs: 12, Strings: 12, Instructions: 180synchronizationCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2B2
                                                            • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2C6
                                                            • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2EE
                                                            • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A2FF
                                                            • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A340
                                                            • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A358
                                                            • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A36D
                                                            • SetEvent.KERNEL32 ref: 0041A38A
                                                            • WaitForSingleObject.KERNEL32(000001F4), ref: 0041A39B
                                                            • CloseHandle.KERNEL32 ref: 0041A3AB
                                                            • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3CD
                                                            • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3D7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                            • String ID: alias audio$" type $TUF$close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
                                                            • API String ID: 738084811-2745919808
                                                            • Opcode ID: bedb79d6b777c24a058fb07aaadb0652bc7d041f343cfefae731751c07e31b37
                                                            • Instruction ID: 9d48d6c6e0579c1e833a8367b0d02802659df9f73890df0c3e8ff2b6504ede8e
                                                            • Opcode Fuzzy Hash: bedb79d6b777c24a058fb07aaadb0652bc7d041f343cfefae731751c07e31b37
                                                            • Instruction Fuzzy Hash: 9A51C2712443056AD214BB31DC82EBF3B5CEB91758F10043FF455A21E2EE389D9986AF
                                                            Function 00401BE8 Relevance: 35.2, APIs: 16, Strings: 4, Instructions: 156fileCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                            • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
                                                            • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
                                                            • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
                                                            • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
                                                            • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
                                                            • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
                                                            • WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
                                                            • WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
                                                            • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
                                                            • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
                                                            • WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
                                                            • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
                                                            • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$Write$Create
                                                            • String ID: RIFF$WAVE$data$fmt
                                                            • API String ID: 1602526932-4212202414
                                                            • Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                            • Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
                                                            • Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                            • Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3
                                                            Function 004064E0 Relevance: 35.1, APIs: 12, Strings: 8, Instructions: 62libraryloaderCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe,00000001,004068B2,C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe,00000003,004068DA,HM{,00406933), ref: 004064F4
                                                            • GetProcAddress.KERNEL32(00000000), ref: 004064FD
                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
                                                            • GetProcAddress.KERNEL32(00000000), ref: 00406511
                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
                                                            • GetProcAddress.KERNEL32(00000000), ref: 00406525
                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
                                                            • GetProcAddress.KERNEL32(00000000), ref: 00406539
                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
                                                            • GetProcAddress.KERNEL32(00000000), ref: 0040654D
                                                            • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
                                                            • GetProcAddress.KERNEL32(00000000), ref: 00406561
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressHandleModuleProc
                                                            • String ID: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                            • API String ID: 1646373207-2040090484
                                                            • Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                            • Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
                                                            • Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                            • Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D
                                                            Function 0040BC67 Relevance: 30.0, APIs: 12, Strings: 5, Instructions: 203fileCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • _wcslen.LIBCMT ref: 0040BC75
                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
                                                            • CopyFileW.KERNEL32(C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
                                                            • _wcslen.LIBCMT ref: 0040BD54
                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
                                                            • CopyFileW.KERNEL32(C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe,00000000,00000000), ref: 0040BDF2
                                                            • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
                                                            • _wcslen.LIBCMT ref: 0040BE34
                                                            • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
                                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
                                                            • ExitProcess.KERNEL32 ref: 0040BED0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                            • String ID: 6$C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe$HM{$del$open
                                                            • API String ID: 1579085052-2043951224
                                                            • Opcode ID: 3074b94dd0db5ede3fe92545a612de18a9a35f6e419f75cb91ba7ed246302fb8
                                                            • Instruction ID: b3868b96a5a73c1b880f625a38b4c220dd420420d05b0a2cc1e840e3cd02b35d
                                                            • Opcode Fuzzy Hash: 3074b94dd0db5ede3fe92545a612de18a9a35f6e419f75cb91ba7ed246302fb8
                                                            • Instruction Fuzzy Hash: D251B0212043406BD609B722EC52EBF77999F81719F10443FF985A66E2DF3CAD4582EE
                                                            Function 0041B1BB Relevance: 28.1, APIs: 15, Strings: 1, Instructions: 139stringCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • lstrlenW.KERNEL32(?), ref: 0041B1D6
                                                            • _memcmp.LIBVCRUNTIME ref: 0041B1EE
                                                            • lstrlenW.KERNEL32(?), ref: 0041B207
                                                            • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B242
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B255
                                                            • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B299
                                                            • lstrcmpW.KERNEL32(?,?), ref: 0041B2B4
                                                            • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2CC
                                                            • _wcslen.LIBCMT ref: 0041B2DB
                                                            • FindVolumeClose.KERNEL32(?), ref: 0041B2FB
                                                            • GetLastError.KERNEL32 ref: 0041B313
                                                            • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B340
                                                            • lstrcatW.KERNEL32(?,?), ref: 0041B359
                                                            • lstrcpyW.KERNEL32(?,?), ref: 0041B368
                                                            • GetLastError.KERNEL32 ref: 0041B370
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                            • String ID: ?
                                                            • API String ID: 3941738427-1684325040
                                                            • Opcode ID: 17f0383a2199e65fad79c02efdfd6f833a281a6f5bd6be27e9a359bd3f4b92bf
                                                            • Instruction ID: 2e0df54dd889987763cd5022c3700ac4418931210c184d5857636408485aa128
                                                            • Opcode Fuzzy Hash: 17f0383a2199e65fad79c02efdfd6f833a281a6f5bd6be27e9a359bd3f4b92bf
                                                            • Instruction Fuzzy Hash: 8B416F71508305AAD7209FA1EC8C9EBB7E8EB49715F00096BF541C2261EB78C98887D6
                                                            Function 0044E20E Relevance: 25.9, APIs: 17, Instructions: 419COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _free$EnvironmentVariable$_wcschr
                                                            • String ID:
                                                            • API String ID: 3899193279-0
                                                            • Opcode ID: 4dff80f9f2e6418a47ef4f1e3ec22160d27dda194db1b92759e52112f0dcc884
                                                            • Instruction ID: 8ac3cd9939a067627e1c481289c57a7f9f94b657261427fab31af25724b0c78e
                                                            • Opcode Fuzzy Hash: 4dff80f9f2e6418a47ef4f1e3ec22160d27dda194db1b92759e52112f0dcc884
                                                            • Instruction Fuzzy Hash: 96D13C719007007FFB25AF7B9881A6F7BA4BF02314F0541AFF905A7381E63989418B9D
                                                            Function 00411C81 Relevance: 25.0, APIs: 9, Strings: 5, Instructions: 479sleepfileCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
                                                              • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
                                                              • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                              • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                            • Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
                                                            • Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
                                                            • Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
                                                            • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
                                                            • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
                                                            • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
                                                            • Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
                                                            • Sleep.KERNEL32(00000064), ref: 00412060
                                                              • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                            • String ID: /stext "$HDG$HDG$>G$>G
                                                            • API String ID: 1223786279-3931108886
                                                            • Opcode ID: 244db93aa1da19b7a039dbc034faf8c6a001f6843826ea2c079329fcbee235f9
                                                            • Instruction ID: 1febf249a593eb43810efab42e14b6693ac358e03ba90545e56d33427da79e18
                                                            • Opcode Fuzzy Hash: 244db93aa1da19b7a039dbc034faf8c6a001f6843826ea2c079329fcbee235f9
                                                            • Instruction Fuzzy Hash: 960243315083414AC325FB61D891AEFB7D5AFD4308F50493FF88A931E2EF785A49C69A
                                                            Function 0041CA9E Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 73windowCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CAE9
                                                            • GetCursorPos.USER32(?), ref: 0041CAF8
                                                            • SetForegroundWindow.USER32(?), ref: 0041CB01
                                                            • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB1B
                                                            • Shell_NotifyIconA.SHELL32(00000002,00473B50), ref: 0041CB6C
                                                            • ExitProcess.KERNEL32 ref: 0041CB74
                                                            • CreatePopupMenu.USER32 ref: 0041CB7A
                                                            • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB8F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                            • String ID: Close
                                                            • API String ID: 1657328048-3535843008
                                                            • Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                            • Instruction ID: a66ed96c0d91d71762f770de87d5f41dd37c70c4e97b210e23d221b2b7ccacbc
                                                            • Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                            • Instruction Fuzzy Hash: 68212B71188209FFDB064F64FD4EAAA3F65EB04342F044135B906D40B2D7B9EA90EB18
                                                            Function 00444F3D Relevance: 22.8, APIs: 15, Instructions: 296COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _free$Info
                                                            • String ID:
                                                            • API String ID: 2509303402-0
                                                            • Opcode ID: 92603ff5876a01059927d2e021ea2dcfde124e6bc6800bb968541682ce1897e5
                                                            • Instruction ID: 0af7f9009007d8880989bd470fdb3e4a62bb8e65dbd2af1b74ff5c8893cb1db7
                                                            • Opcode Fuzzy Hash: 92603ff5876a01059927d2e021ea2dcfde124e6bc6800bb968541682ce1897e5
                                                            • Instruction Fuzzy Hash: D0B18F71900605AFEF11DFA9C881BEEBBF4BF49304F14406EF855B7242DA79A8458B64
                                                            Function 00407DEF Relevance: 21.3, APIs: 8, Strings: 4, Instructions: 325fileCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
                                                            • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
                                                            • __aulldiv.LIBCMT ref: 00407FE9
                                                            • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
                                                            • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
                                                            • CloseHandle.KERNEL32(00000000), ref: 00408200
                                                            • CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
                                                            • CloseHandle.KERNEL32(00000000), ref: 00408256
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                                                            • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
                                                            • API String ID: 1884690901-3066803209
                                                            • Opcode ID: 501f13347773ca8328b3059530cc4ad15e8023a44e4b73c6fbf9ab171f8d0e31
                                                            • Instruction ID: 222450ca6543349723abdfa1177da379b39b5876d7444fbb960ea0ab75079841
                                                            • Opcode Fuzzy Hash: 501f13347773ca8328b3059530cc4ad15e8023a44e4b73c6fbf9ab171f8d0e31
                                                            • Instruction Fuzzy Hash: DAB191316083409BC214FB25C892AAFB7E5AFD4314F40492EF885632D2EF789945C79B
                                                            Function 00413E37 Relevance: 21.1, APIs: 9, Strings: 3, Instructions: 109libraryloaderCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                                            • LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                                            • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                                            • FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                                            • LoadLibraryA.KERNEL32(?), ref: 00413F27
                                                            • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                                            • FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                                            • GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                                            • FreeLibrary.KERNEL32(00000000), ref: 00413F66
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                            • String ID: \ws2_32$\wship6$getaddrinfo
                                                            • API String ID: 2490988753-3078833738
                                                            • Opcode ID: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                                            • Instruction ID: a4547f3d416e9253f7b1cbdd0907a67efdadb69b2b53743d1710677937ed8fa2
                                                            • Opcode Fuzzy Hash: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                                            • Instruction Fuzzy Hash: 6D31C4B1906315A7D320AF25DC44ACBB7ECEF44745F400A2AF844D3201D778DA858AEE
                                                            Function 0045006D Relevance: 19.6, APIs: 13, Instructions: 114COMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            APIs
                                                            • ___free_lconv_mon.LIBCMT ref: 004500B1
                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F300
                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F312
                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F324
                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F336
                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F348
                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F35A
                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F36C
                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F37E
                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F390
                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3A2
                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3B4
                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3C6
                                                              • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3D8
                                                            • _free.LIBCMT ref: 004500A6
                                                              • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                              • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                            • _free.LIBCMT ref: 004500C8
                                                            • _free.LIBCMT ref: 004500DD
                                                            • _free.LIBCMT ref: 004500E8
                                                            • _free.LIBCMT ref: 0045010A
                                                            • _free.LIBCMT ref: 0045011D
                                                            • _free.LIBCMT ref: 0045012B
                                                            • _free.LIBCMT ref: 00450136
                                                            • _free.LIBCMT ref: 0045016E
                                                            • _free.LIBCMT ref: 00450175
                                                            • _free.LIBCMT ref: 00450192
                                                            • _free.LIBCMT ref: 004501AA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                            • String ID:
                                                            • API String ID: 161543041-0
                                                            • Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                            • Instruction ID: 6df0fc8d0da410edbfddc8482cd9dc810a80ebbb5b2f86b8c24a0bb33e3d08c7
                                                            • Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                            • Instruction Fuzzy Hash: 96317235500B00AFEB20AA35D845B5B73E5AF42355F15841FF849E7292DF39AC98CB1A
                                                            Function 00419128 Relevance: 19.4, APIs: 6, Strings: 5, Instructions: 174sleeptimeCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • __EH_prolog.LIBCMT ref: 0041912D
                                                            • GdiplusStartup.GDIPLUS(00473AF0,?,00000000), ref: 0041915F
                                                            • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191EB
                                                            • Sleep.KERNEL32(000003E8), ref: 0041926D
                                                            • GetLocalTime.KERNEL32(?), ref: 0041927C
                                                            • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419365
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                            • String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                            • API String ID: 489098229-65789007
                                                            • Opcode ID: d035b23978f635d26d413941e86b53147c054b16f8fc180901addfee223a089d
                                                            • Instruction ID: b922dce7c629cfc9b1bb11cb74a08c0e3353b39699bf4d86e46594d10c943285
                                                            • Opcode Fuzzy Hash: d035b23978f635d26d413941e86b53147c054b16f8fc180901addfee223a089d
                                                            • Instruction Fuzzy Hash: 33519F71A002449ACB14BBB5C856AFE7BA9AB55304F00407FF84AB71D2EF3C5E85C799
                                                            Function 0040C66D Relevance: 19.4, APIs: 3, Strings: 8, Instructions: 147COMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                              • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                              • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                              • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                              • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
                                                            • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
                                                            • ExitProcess.KERNEL32 ref: 0040C832
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                            • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$P{$Temp$exepath$open
                                                            • API String ID: 1913171305-2536392109
                                                            • Opcode ID: 508d0871e15571b78838a5b212a0624c53e744e3e86450f5b9076bd3877095ab
                                                            • Instruction ID: a795a6540db69397e2c5d2b70f340dd787df27bacd58b350937fb1c0aad7b7c4
                                                            • Opcode Fuzzy Hash: 508d0871e15571b78838a5b212a0624c53e744e3e86450f5b9076bd3877095ab
                                                            • Instruction Fuzzy Hash: A2416D329001185ACB14F762DC56DFE7779AF50718F50417FF906B30E2EE386A8ACA99
                                                            Function 0044F3E1 Relevance: 18.4, APIs: 12, Instructions: 376COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _free
                                                            • String ID:
                                                            • API String ID: 269201875-0
                                                            • Opcode ID: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                                            • Instruction ID: 48066223020562dfe8895eb3edc0e70975ef38ab3c96fc6f1fb07286cb8ca08d
                                                            • Opcode Fuzzy Hash: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                                            • Instruction Fuzzy Hash: 2BC15772D80204BFEB20DBA9CC82FDE77F89B45704F15416AFA04FB282D6749D458B58
                                                            Function 004047EB Relevance: 18.1, APIs: 12, Instructions: 66synchronizationCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                                                            • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                                                            • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                                                            • closesocket.WS2_32(000000FF), ref: 0040481F
                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404856
                                                            • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404867
                                                            • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040486E
                                                            • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404880
                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404885
                                                            • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040488A
                                                            • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404895
                                                            • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 0040489A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                            • String ID:
                                                            • API String ID: 3658366068-0
                                                            • Opcode ID: c0811b9552baa960996580efd3a95ddbe219791cb6e29288b5199f5b52bda897
                                                            • Instruction ID: 5504d0c870acfe65fd0076db90b097e51f0e6d2514c589c74abed5ba37c9c78a
                                                            • Opcode Fuzzy Hash: c0811b9552baa960996580efd3a95ddbe219791cb6e29288b5199f5b52bda897
                                                            • Instruction Fuzzy Hash: 3C212C71104B149FCB216B26EC45A27BBE1EF40325F104A7EF2E612AF1CB76E851DB48
                                                            Function 00454982 Relevance: 17.8, APIs: 9, Strings: 1, Instructions: 272COMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 00454650: CreateFileW.KERNEL32(00000000,?,?,+JE,?,?,00000000,?,00454A2B,00000000,0000000C), ref: 0045466D
                                                            • GetLastError.KERNEL32 ref: 00454A96
                                                            • __dosmaperr.LIBCMT ref: 00454A9D
                                                            • GetFileType.KERNEL32(00000000), ref: 00454AA9
                                                            • GetLastError.KERNEL32 ref: 00454AB3
                                                            • __dosmaperr.LIBCMT ref: 00454ABC
                                                            • CloseHandle.KERNEL32(00000000), ref: 00454ADC
                                                            • CloseHandle.KERNEL32(?), ref: 00454C26
                                                            • GetLastError.KERNEL32 ref: 00454C58
                                                            • __dosmaperr.LIBCMT ref: 00454C5F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                            • String ID: H
                                                            • API String ID: 4237864984-2852464175
                                                            • Opcode ID: 43154248a50fd66e96ac6d70bada307b7577a7ac671062952f04f408382b00d8
                                                            • Instruction ID: 324c09394b40af715295ff654573b8bda7a64cd12b4111e7ce26936e53f9a861
                                                            • Opcode Fuzzy Hash: 43154248a50fd66e96ac6d70bada307b7577a7ac671062952f04f408382b00d8
                                                            • Instruction Fuzzy Hash: B0A148329041044FDF19EF78D8427AE7BA0AB86319F14015EFC159F392DB398C86C75A
                                                            Function 00413C67 Relevance: 17.7, APIs: 8, Strings: 2, Instructions: 155COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: 65535$udp
                                                            • API String ID: 0-1267037602
                                                            • Opcode ID: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                                            • Instruction ID: a76ad32841e4dbbb66723cf4e0556afe3febbbe66cdf8f55616d13ac9502c32b
                                                            • Opcode Fuzzy Hash: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                                            • Instruction Fuzzy Hash: 9D4118716083019BD7209F29E905BAB7BD8EF85706F04082FF84197391E76DCEC186AE
                                                            Function 00416E27 Relevance: 17.6, APIs: 4, Strings: 6, Instructions: 107filesynchronizationCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
                                                            • CloseHandle.KERNEL32(00000000), ref: 00416F2D
                                                            • DeleteFileA.KERNEL32(00000000), ref: 00416F3C
                                                            • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416EF0
                                                              • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                                            • String ID: <$@$@FG$@FG$TUF$Temp
                                                            • API String ID: 1107811701-4124992407
                                                            • Opcode ID: 752ca13c782d44821a1ec6be30a7add5be14379de4efd94ca99b1656ba8a68f0
                                                            • Instruction ID: 21bac8b1790940aaec7d6d8591dec239f7d6dde33bc15b5890dc9a9e7f2861e5
                                                            • Opcode Fuzzy Hash: 752ca13c782d44821a1ec6be30a7add5be14379de4efd94ca99b1656ba8a68f0
                                                            • Instruction Fuzzy Hash: E8319C319002099BCB04FBA1DC56AFE7775AF50308F00417EF906760E2EF785A8ACB99
                                                            Function 00439361 Relevance: 16.6, APIs: 11, Instructions: 116COMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393B9
                                                            • GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C6
                                                            • __dosmaperr.LIBCMT ref: 004393CD
                                                            • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393F9
                                                            • GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439403
                                                            • __dosmaperr.LIBCMT ref: 0043940A
                                                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043944D
                                                            • GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439457
                                                            • __dosmaperr.LIBCMT ref: 0043945E
                                                            • _free.LIBCMT ref: 0043946A
                                                            • _free.LIBCMT ref: 00439471
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                            • String ID:
                                                            • API String ID: 2441525078-0
                                                            • Opcode ID: 4e21fbd1580d6ff2ce7530065813a89ea1a3ca3d3e91b16b88e7fcb0346c66d6
                                                            • Instruction ID: 902c93592471d116807dca9985149206a76c62e8192f2f9a6cc20a0486345b12
                                                            • Opcode Fuzzy Hash: 4e21fbd1580d6ff2ce7530065813a89ea1a3ca3d3e91b16b88e7fcb0346c66d6
                                                            • Instruction Fuzzy Hash: F531F17140820ABBEF11AFA5DC449AF3B78EF09364F14016AF81066291DB79CC12DBA9
                                                            Function 00404E52 Relevance: 15.9, APIs: 6, Strings: 3, Instructions: 155windowmemoryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • SetEvent.KERNEL32(?,?), ref: 00404E71
                                                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
                                                            • TranslateMessage.USER32(?), ref: 00404F30
                                                            • DispatchMessageA.USER32(?), ref: 00404F3B
                                                            • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 00404FF3
                                                            • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
                                                              • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                            • String ID: CloseChat$DisplayMessage$GetMessage
                                                            • API String ID: 2956720200-749203953
                                                            • Opcode ID: c4ad9a90b942ac681967bb30370cc32e2bfaf3350bfdfa964f09f26605a8287a
                                                            • Instruction ID: a70547b48422ce96676d24762269450ce3f1821fc9982c67352fb5fd346d99ba
                                                            • Opcode Fuzzy Hash: c4ad9a90b942ac681967bb30370cc32e2bfaf3350bfdfa964f09f26605a8287a
                                                            • Instruction Fuzzy Hash: F741BFB16043016BC714FB75DC5A8AE77A9ABC1714F40093EF906A31E6EF38DA05C79A
                                                            Function 00406616 Relevance: 15.8, APIs: 2, Strings: 7, Instructions: 98COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetCurrentProcess.KERNEL32(00474A28,00000000,?,00003000,00000004,00000000,00000001), ref: 00406647
                                                            • GetCurrentProcess.KERNEL32(00474A28,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe), ref: 00406705
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CurrentProcess
                                                            • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$pUF$windir
                                                            • API String ID: 2050909247-943210432
                                                            • Opcode ID: 5f4c91d6b24130c8fe2f88965ff0ff9b6bb2609424b04334da58237aef4b63a8
                                                            • Instruction ID: 423827b33d6c667fb1d0fc3afb55bdad30249121d517be796f0b9763ce16cf58
                                                            • Opcode Fuzzy Hash: 5f4c91d6b24130c8fe2f88965ff0ff9b6bb2609424b04334da58237aef4b63a8
                                                            • Instruction Fuzzy Hash: B2310871250700AFC300AB65EC45F6A37B8EB84716F11043EF50AE76E1EB79A8508B6D
                                                            Function 00419C85 Relevance: 15.1, APIs: 10, Instructions: 66serviceCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419C94
                                                            • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CAB
                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CB8
                                                            • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CC7
                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CD8
                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CDB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Service$CloseHandle$Open$ControlManager
                                                            • String ID:
                                                            • API String ID: 221034970-0
                                                            • Opcode ID: 83979f30ba13052199b290374f4e897ff0c223aa30bace9cb26b013bf86a6d8f
                                                            • Instruction ID: aaf019a9b49167a30595a2ca3c371567d0eeee9026f0995440eeab6e66ec65be
                                                            • Opcode Fuzzy Hash: 83979f30ba13052199b290374f4e897ff0c223aa30bace9cb26b013bf86a6d8f
                                                            • Instruction Fuzzy Hash: 00118632901218AFD7116B64EC85DFF3FACDB45BA5B000036F502921D1DB64DD46AAF5
                                                            Function 00446DCB Relevance: 15.1, APIs: 10, Instructions: 54COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • _free.LIBCMT ref: 00446DDF
                                                              • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                              • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                            • _free.LIBCMT ref: 00446DEB
                                                            • _free.LIBCMT ref: 00446DF6
                                                            • _free.LIBCMT ref: 00446E01
                                                            • _free.LIBCMT ref: 00446E0C
                                                            • _free.LIBCMT ref: 00446E17
                                                            • _free.LIBCMT ref: 00446E22
                                                            • _free.LIBCMT ref: 00446E2D
                                                            • _free.LIBCMT ref: 00446E38
                                                            • _free.LIBCMT ref: 00446E46
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                            • Instruction ID: b6db37451886405a3c03f61b360184b61b1678451e8b30ee63348233c964278a
                                                            • Opcode Fuzzy Hash: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                            • Instruction Fuzzy Hash: F011E975100408BFEB01EF55C842CDD3B65EF46354B06C0AAF9086F222DA35DE649F85
                                                            Function 00410314 Relevance: 14.2, APIs: 2, Strings: 6, Instructions: 192COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Eventinet_ntoa
                                                            • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
                                                            • API String ID: 3578746661-4192532303
                                                            • Opcode ID: c490fc925416a975ca1fba66d43efb3b49cc59d35ab214930b24f748f99792d1
                                                            • Instruction ID: 9533851bb4e74ac183efc1d320b4a1154e984465ef7073577260c431c5a81f81
                                                            • Opcode Fuzzy Hash: c490fc925416a975ca1fba66d43efb3b49cc59d35ab214930b24f748f99792d1
                                                            • Instruction Fuzzy Hash: E8518471A042009BC714F779D85AAAE36A59B80318F40453FF849972E2DF7CAD85CB9F
                                                            Function 00401768 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 142threadCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • ExitThread.KERNEL32 ref: 004017F4
                                                              • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                                              • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                                            • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902
                                                              • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                            • __Init_thread_footer.LIBCMT ref: 004017BC
                                                              • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                                              • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                            • String ID: T=G$p[G$x{$>G$>G
                                                            • API String ID: 1596592924-1633907026
                                                            • Opcode ID: f7dd7ff43e8fa91a01b380b53589ec67711359c1a88f3d5bbceeae34eeda83d9
                                                            • Instruction ID: b2aa677fe1363808454ef9d3704f93b9908b7cd688e3fd59dcdd6ad405d7ff49
                                                            • Opcode Fuzzy Hash: f7dd7ff43e8fa91a01b380b53589ec67711359c1a88f3d5bbceeae34eeda83d9
                                                            • Instruction Fuzzy Hash: 0D41A0316042019BC324FB65DCA6EAE73A4EB94318F00453FF54AA71F2DF78A945C65E
                                                            Function 004165FC Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 103sleepfileCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
                                                              • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                            • Sleep.KERNEL32(00000064), ref: 00416688
                                                            • DeleteFileW.KERNEL32(00000000), ref: 004166BC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$CreateDeleteExecuteShellSleep
                                                            • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                            • API String ID: 1462127192-2001430897
                                                            • Opcode ID: d94b8c85182ea572c803bf7ed9f069f989e38430cde1dbff2418cf4f66068fd6
                                                            • Instruction ID: 72b86f905f1643b809cd09d25b02ba286255726e8958c1b91c3bd62dba73c542
                                                            • Opcode Fuzzy Hash: d94b8c85182ea572c803bf7ed9f069f989e38430cde1dbff2418cf4f66068fd6
                                                            • Instruction Fuzzy Hash: FD313E719001085ADB14FBA1DC96EEE7764AF50708F00013FF906731E2EF786A8ACA9D
                                                            Function 00401A8E Relevance: 14.1, APIs: 4, Strings: 4, Instructions: 89COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • _strftime.LIBCMT ref: 00401AD3
                                                              • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                            • waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
                                                            • waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
                                                            • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                            • String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
                                                            • API String ID: 3809562944-3643129801
                                                            • Opcode ID: b8eed0d151ccb6e5a82338ef45dd5c7a6e48c5c8e1108a83b815f9cf038dc0a3
                                                            • Instruction ID: ec6e8c75c27496dd15f6dcc160753dc5291fcfbcfc36b55cd818fae73feeac55
                                                            • Opcode Fuzzy Hash: b8eed0d151ccb6e5a82338ef45dd5c7a6e48c5c8e1108a83b815f9cf038dc0a3
                                                            • Instruction Fuzzy Hash: 6C317E315053009BC314EF25DC56A9E77E8BB94314F00883EF559A21F1EF78AA49CB9A
                                                            Function 0040196B Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 72COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
                                                            • waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
                                                            • waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
                                                            • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
                                                            • waveInStart.WINMM ref: 00401A81
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                            • String ID: XCG$`=G$x=G
                                                            • API String ID: 1356121797-903574159
                                                            • Opcode ID: df66b5dce40286873da021395106849cc9c08a1aee5ad096444ea0181d895aab
                                                            • Instruction ID: 1c4952ee711c82e1d68262a7885cb64ec938acb60d992cd4a46dee1db52e037b
                                                            • Opcode Fuzzy Hash: df66b5dce40286873da021395106849cc9c08a1aee5ad096444ea0181d895aab
                                                            • Instruction Fuzzy Hash: 87215C316012009BC704DF7EFD1696A7BA9FB85742B00843AF50DE76B0EBB89880CB4C
                                                            Function 0041C96F Relevance: 14.0, APIs: 7, Strings: 1, Instructions: 47windowstringCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C988
                                                              • Part of subcall function 0041CA1F: RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                                              • Part of subcall function 0041CA1F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                                              • Part of subcall function 0041CA1F: GetLastError.KERNEL32 ref: 0041CA91
                                                            • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9BF
                                                            • lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9D9
                                                            • Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9EF
                                                            • TranslateMessage.USER32(?), ref: 0041C9FB
                                                            • DispatchMessageA.USER32(?), ref: 0041CA05
                                                            • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA12
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                            • String ID: Remcos
                                                            • API String ID: 1970332568-165870891
                                                            • Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                            • Instruction ID: 0af2178feff80faf092f0d4c6bffee9b758878d1eb04e36c9ad6546aee081b39
                                                            • Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                            • Instruction Fuzzy Hash: 760121B1944344ABD7109FA5FC4CEDA7BBCAB45B16F004035F605E2162D7B8A285DB2D
                                                            Function 0044B450 Relevance: 13.8, APIs: 9, Instructions: 300COMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: c66e7b394ba3cedc2256576aca990ac76a61b28af5954af531c93a6943a32a1c
                                                            • Instruction ID: 1e235cce983953b2f50cc3566bc78ab2d8216d31b9fa4c429b6f00869d8f9d70
                                                            • Opcode Fuzzy Hash: c66e7b394ba3cedc2256576aca990ac76a61b28af5954af531c93a6943a32a1c
                                                            • Instruction Fuzzy Hash: 27C1D774D04249AFEF11DFA9C8417AEBBB4FF4A304F14405AE814A7392C778D941CBA9
                                                            Function 00452B2A Relevance: 13.8, APIs: 9, Instructions: 268COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetCPInfo.KERNEL32(?,?), ref: 00452BD6
                                                            • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00452C59
                                                            • __alloca_probe_16.LIBCMT ref: 00452C91
                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00452CEC
                                                            • __alloca_probe_16.LIBCMT ref: 00452D3B
                                                            • MultiByteToWideChar.KERNEL32(?,00000009,?,?,00000000,00000000), ref: 00452D03
                                                              • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 00452D7F
                                                            • __freea.LIBCMT ref: 00452DAA
                                                            • __freea.LIBCMT ref: 00452DB6
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                            • String ID:
                                                            • API String ID: 201697637-0
                                                            • Opcode ID: 9bbe35462230cfd41bb5c244eb617c21ab0dbbd99226abfb5f91c2ba7bf60e7b
                                                            • Instruction ID: c0da75549b7b47b94c7346473649b17197e9394d7568cc7349c1d05b16f9ad8a
                                                            • Opcode Fuzzy Hash: 9bbe35462230cfd41bb5c244eb617c21ab0dbbd99226abfb5f91c2ba7bf60e7b
                                                            • Instruction Fuzzy Hash: F391D872E002169BDF218E64CA51EEF7BB5AF0A315F14055BEC04E7243D7A9DC48CB68
                                                            Function 004443F9 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 266COMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                              • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                                              • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                              • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                                            • _memcmp.LIBVCRUNTIME ref: 004446A3
                                                            • _free.LIBCMT ref: 00444714
                                                            • _free.LIBCMT ref: 0044472D
                                                            • _free.LIBCMT ref: 0044475F
                                                            • _free.LIBCMT ref: 00444768
                                                            • _free.LIBCMT ref: 00444774
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _free$ErrorLast$_abort_memcmp
                                                            • String ID: C
                                                            • API String ID: 1679612858-1037565863
                                                            • Opcode ID: 4efd0747ede1f39c5fcc872a59a20707b7ee61f7de0fe931feae0baf1e84419d
                                                            • Instruction ID: 3c523a64da6f7cdf058c983f33271b3c05ff2f19a58e511a78fa6d1555c07658
                                                            • Opcode Fuzzy Hash: 4efd0747ede1f39c5fcc872a59a20707b7ee61f7de0fe931feae0baf1e84419d
                                                            • Instruction Fuzzy Hash: 19B13975A012199FEB24DF18C885BAEB7B4FB49304F1485AEE909A7350D739AE90CF44
                                                            Function 004139C7 Relevance: 12.5, APIs: 5, Strings: 2, Instructions: 228COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: tcp$udp
                                                            • API String ID: 0-3725065008
                                                            • Opcode ID: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                                            • Instruction ID: e59cad8d3053530f07be13ad944632c35d9115139dfdf9e987abb4c2b311e0ee
                                                            • Opcode Fuzzy Hash: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                                            • Instruction Fuzzy Hash: 9171AB316083128FDB24CE5584847ABB6E4AF84746F10043FF885A7352E778DE85CB9A
                                                            Function 004559CA Relevance: 12.4, APIs: 4, Strings: 3, Instructions: 152COMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _free
                                                            • String ID: gKE$HE$HE
                                                            • API String ID: 269201875-2777690135
                                                            • Opcode ID: fc29a47a32afb3350fc3e3c96543f328580f9b5143c0f3ce58bfce5294a38304
                                                            • Instruction ID: 4134de32792d44acead4bb36f8da9b5b282593f8ffe10db144b1eaf4d9577b64
                                                            • Opcode Fuzzy Hash: fc29a47a32afb3350fc3e3c96543f328580f9b5143c0f3ce58bfce5294a38304
                                                            • Instruction Fuzzy Hash: 90412A31A009106BEF24AABA8CD5A7F3B64DF45375F14031BFC1896293D67C8C4996AA
                                                            Function 00412C88 Relevance: 12.4, APIs: 2, Strings: 5, Instructions: 135registryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1
                                                              • Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                              • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                              • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                            • RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseEnumInfoOpenQuerysend
                                                            • String ID: TUF$TUFTUF$>G$DG$DG
                                                            • API String ID: 3114080316-72097156
                                                            • Opcode ID: b79f96b98849828189ce12a55a5e60de86127cd7c836c6bc3b0d8c974564a8ee
                                                            • Instruction ID: 92049c6ae7fba3f13a57cd60a3827c89810429dfa6cf24b756c0ab1f01d338b1
                                                            • Opcode Fuzzy Hash: b79f96b98849828189ce12a55a5e60de86127cd7c836c6bc3b0d8c974564a8ee
                                                            • Instruction Fuzzy Hash: 0141A2316042009BC224F635D9A2AEF7394AFD0708F50843FF94A671E2EF7C5D4986AE
                                                            Function 00406BE9 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 97fileCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                            • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                              • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                            • CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                            • MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                            • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
                                                            • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
                                                              • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
                                                              • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                            • String ID: .part
                                                            • API String ID: 1303771098-3499674018
                                                            • Opcode ID: 124c633532e8600691c4108089ff1e2e84c33ce980c006a8ee94900b53e6ed61
                                                            • Instruction ID: a9f2b94bfe891e644ef5b97f564769cd4b441703f4f7d546a0b6aea2ef9939f1
                                                            • Opcode Fuzzy Hash: 124c633532e8600691c4108089ff1e2e84c33ce980c006a8ee94900b53e6ed61
                                                            • Instruction Fuzzy Hash: 1C31C2715083019FD210EF21DD459AFB7A8FB85715F40093FF9C6A21A1DB38AA48CB9A
                                                            Function 0041A81D Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 90COMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
                                                              • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
                                                              • Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE
                                                              • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                              • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
                                                            • _wcslen.LIBCMT ref: 0041A8F6
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                                            • String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
                                                            • API String ID: 3286818993-703403762
                                                            • Opcode ID: d31394a1e59778cac49212debd323097d31c222899c914d30ad8a284f22ebc6c
                                                            • Instruction ID: cf464564bb47d370653928ac6653466accee15d45f6204cdc17a1bec324f9b19
                                                            • Opcode Fuzzy Hash: d31394a1e59778cac49212debd323097d31c222899c914d30ad8a284f22ebc6c
                                                            • Instruction Fuzzy Hash: 3021B8727001043BDB04BAB58C96DEE366D9B85358F14083FF402F72C2ED3C9D5942A9
                                                            Function 0040B6EA Relevance: 12.3, APIs: 2, Strings: 5, Instructions: 85COMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                              • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                              • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                                            • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
                                                            • PathFileExistsA.SHLWAPI(?), ref: 0040B779
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                            • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders$TUF
                                                            • API String ID: 1133728706-1738023494
                                                            • Opcode ID: 855e2cf6618f683fcf1880faecf3eef8977eac3d94cb5d0ef317c0a3041edc6c
                                                            • Instruction ID: d844a8c095f6bc09782a4352348c5dfd082864f820bca84d12e352ec49be167e
                                                            • Opcode Fuzzy Hash: 855e2cf6618f683fcf1880faecf3eef8977eac3d94cb5d0ef317c0a3041edc6c
                                                            • Instruction Fuzzy Hash: 5F216D71A00109A6CB04F7B2DCA69EE7764AE95318F40013FE902771D2EB7C9A49C6DE
                                                            Function 0041BEB0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 47memoryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • AllocConsole.KERNEL32(00474358), ref: 0041BEB9
                                                            • GetConsoleWindow.KERNEL32 ref: 0041BEBF
                                                            • ShowWindow.USER32(00000000,00000000), ref: 0041BED2
                                                            • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BEF7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Console$Window$AllocOutputShow
                                                            • String ID: Remcos v$5.3.0 Pro$CONOUT$
                                                            • API String ID: 4067487056-2527699604
                                                            • Opcode ID: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                                                            • Instruction ID: 482f1cdaf256b8236abc94a0b12de3dc55517b66349f776fa4240982defd8f75
                                                            • Opcode Fuzzy Hash: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                                                            • Instruction Fuzzy Hash: 180171B19803047BD600FBF29D4BFDD37AC9B14705F5004277644E7093EABCA554866D
                                                            Function 00449950 Relevance: 12.2, APIs: 8, Instructions: 216COMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043D564,0043D564,?,?,?,00449BA1,00000001,00000001,1AE85006), ref: 004499AA
                                                            • __alloca_probe_16.LIBCMT ref: 004499E2
                                                            • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00449BA1,00000001,00000001,1AE85006,?,?,?), ref: 00449A30
                                                            • __alloca_probe_16.LIBCMT ref: 00449AC7
                                                            • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,1AE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B2A
                                                            • __freea.LIBCMT ref: 00449B37
                                                              • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                            • __freea.LIBCMT ref: 00449B40
                                                            • __freea.LIBCMT ref: 00449B65
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                            • String ID:
                                                            • API String ID: 3864826663-0
                                                            • Opcode ID: 4f32ff11c9a2c5bbe2f4738f39354e42457cdb7b2d04467834f9366f6cd65cf7
                                                            • Instruction ID: d3450b84a68f20df6837e20b70452335b33749c243a385fd48b45426a0ff81fe
                                                            • Opcode Fuzzy Hash: 4f32ff11c9a2c5bbe2f4738f39354e42457cdb7b2d04467834f9366f6cd65cf7
                                                            • Instruction Fuzzy Hash: 89511572610246AFFB258F65DC81EBB77A9EB44754F15462EFC04E6240EF38EC40E668
                                                            Function 00418ABE Relevance: 12.1, APIs: 8, Instructions: 117keyboardCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • SendInput.USER32 ref: 00418B08
                                                            • SendInput.USER32(00000001,?,0000001C), ref: 00418B30
                                                            • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B57
                                                            • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B75
                                                            • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B95
                                                            • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BBA
                                                            • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BDC
                                                            • SendInput.USER32(00000001,?,0000001C), ref: 00418BFF
                                                              • Part of subcall function 00418AB1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AB7
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: InputSend$Virtual
                                                            • String ID:
                                                            • API String ID: 1167301434-0
                                                            • Opcode ID: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                                            • Instruction ID: ee8b26819532887277ba411a2a2a0296f2420856d0f10470abe43a11d9a37015
                                                            • Opcode Fuzzy Hash: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                                            • Instruction Fuzzy Hash: 3231A471248345AAE210DF65D841FDFFBECAFC5B44F04080FB98457291DAA4D98C87AB
                                                            Function 00415A45 Relevance: 12.0, APIs: 8, Instructions: 46clipboardCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • OpenClipboard.USER32 ref: 00415A46
                                                            • EmptyClipboard.USER32 ref: 00415A54
                                                            • CloseClipboard.USER32 ref: 00415A5A
                                                            • OpenClipboard.USER32 ref: 00415A61
                                                            • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                            • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                            • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                            • CloseClipboard.USER32 ref: 00415A89
                                                              • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                            • String ID:
                                                            • API String ID: 2172192267-0
                                                            • Opcode ID: d51e9d9b7c83d4b7240a3047c26a9a5e57fadfb447c4903058641008fff525ed
                                                            • Instruction ID: 9b100a12d13cc6c4196ee8fc3e520842cce62831b2d72284ea91ff5550736cd9
                                                            • Opcode Fuzzy Hash: d51e9d9b7c83d4b7240a3047c26a9a5e57fadfb447c4903058641008fff525ed
                                                            • Instruction Fuzzy Hash: A10152312083009FC314BB75EC5AAEE77A5AFC0762F41457EFD06861A2DF38C845D65A
                                                            Function 0044F806 Relevance: 10.7, APIs: 7, Instructions: 204COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _free
                                                            • String ID:
                                                            • API String ID: 269201875-0
                                                            • Opcode ID: 5969c94153c7b7bc47658fb7421fb2dc5c6178a12c9a66a46f54a64434edbe96
                                                            • Instruction ID: 5fecc71d39e6a90402c47f7728bb4f6831cdfeb90858b0dfc168023e2edb8b83
                                                            • Opcode Fuzzy Hash: 5969c94153c7b7bc47658fb7421fb2dc5c6178a12c9a66a46f54a64434edbe96
                                                            • Instruction Fuzzy Hash: 2361BFB1900205AFEB20DF69C841BAABBF4EB45720F24417BE944FB392E7349D45CB59
                                                            Function 00443F7B Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 187COMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                            • _free.LIBCMT ref: 00444086
                                                            • _free.LIBCMT ref: 0044409D
                                                            • _free.LIBCMT ref: 004440BC
                                                            • _free.LIBCMT ref: 004440D7
                                                            • _free.LIBCMT ref: 004440EE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _free$AllocateHeap
                                                            • String ID: J7D
                                                            • API String ID: 3033488037-1677391033
                                                            • Opcode ID: e789079c2bca6bbabae9b3291a6a7c0d52dcd5a72fb4a21e852c8be1410d12d6
                                                            • Instruction ID: b5a2c1f2d034459fb850ff781f480331835685433a1d37f27cfcf8091ebf3f31
                                                            • Opcode Fuzzy Hash: e789079c2bca6bbabae9b3291a6a7c0d52dcd5a72fb4a21e852c8be1410d12d6
                                                            • Instruction Fuzzy Hash: 9251E371A00604AFEB20DF6AC841B6AB3F4EF95724F14416EE909D7251E739ED15CB88
                                                            Function 0044A0C3 Relevance: 10.7, APIs: 7, Instructions: 152fileCOMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            APIs
                                                            • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0044A838,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A105
                                                            • __fassign.LIBCMT ref: 0044A180
                                                            • __fassign.LIBCMT ref: 0044A19B
                                                            • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044A1C1
                                                            • WriteFile.KERNEL32(?,00000000,00000000,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A1E0
                                                            • WriteFile.KERNEL32(?,?,00000001,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A219
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                            • String ID:
                                                            • API String ID: 1324828854-0
                                                            • Opcode ID: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                            • Instruction ID: b40464c9ec282996611fef5cbd20273031f87559cdf671a411eba52403cbf28d
                                                            • Opcode Fuzzy Hash: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                            • Instruction Fuzzy Hash: DB51E270E002099FEB10CFA8D881AEEBBF8FF09300F14416BE815E3391D6749951CB6A
                                                            Function 0040E6A3 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 132processCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                                              • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
                                                            • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
                                                            • Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
                                                            • CloseHandle.KERNEL32(00000000), ref: 0040E8AB
                                                              • Part of subcall function 0041B187: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B19C
                                                              • Part of subcall function 0041B187: IsWow64Process.KERNEL32(00000000,?,?,?,00474358), ref: 0041B1A7
                                                              • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                              • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                            • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                            • String ID: PgF
                                                            • API String ID: 2180151492-654241383
                                                            • Opcode ID: f63e02058b3df390fc99547af966fd5b060998b003f203cb2b12e7754b08fae9
                                                            • Instruction ID: 1ccfc3ca83e07eb3b8bade3b71d1bee95701cef3987deea6625860c00c24977f
                                                            • Opcode Fuzzy Hash: f63e02058b3df390fc99547af966fd5b060998b003f203cb2b12e7754b08fae9
                                                            • Instruction Fuzzy Hash: F641E1311083415BC325F761D8A1AEFB7E9EFA4305F50453EF84A931E1EF389A49C65A
                                                            Function 00437A80 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 117COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • _ValidateLocalCookies.LIBCMT ref: 00437AAB
                                                            • ___except_validate_context_record.LIBVCRUNTIME ref: 00437AB3
                                                            • _ValidateLocalCookies.LIBCMT ref: 00437B41
                                                            • __IsNonwritableInCurrentImage.LIBCMT ref: 00437B6C
                                                            • _ValidateLocalCookies.LIBCMT ref: 00437BC1
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                            • String ID: csm
                                                            • API String ID: 1170836740-1018135373
                                                            • Opcode ID: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                                                            • Instruction ID: 9404c61c081bc4e6da2099be8a52027e1297fde76841380def533d3eaa533744
                                                            • Opcode Fuzzy Hash: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                                                            • Instruction Fuzzy Hash: CD410970A04209DBCF20EF19C844A9FBBB5AF0932CF14915BE8556B392D739EE05CB95
                                                            Function 00455903 Relevance: 10.6, APIs: 7, Instructions: 80COMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 02717eb42979939780aa55e78abd64da983f54570bcab5d4a33c232e0763f4b4
                                                            • Instruction ID: 969edc756a0dffe936139f0dc9bce31aed38431af2e56c5058bd22e5c2f4fad6
                                                            • Opcode Fuzzy Hash: 02717eb42979939780aa55e78abd64da983f54570bcab5d4a33c232e0763f4b4
                                                            • Instruction Fuzzy Hash: 991124B1508654FBDB202F769C4493B3B6CEF82376B10016FFC15D7242DA7C8805C2AA
                                                            Function 0040FBEF Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 71COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
                                                            • int.LIBCPMT ref: 0040FC0F
                                                              • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                              • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                            • std::_Facet_Register.LIBCPMT ref: 0040FC4B
                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                            • String ID: P[G
                                                            • API String ID: 2536120697-571123470
                                                            • Opcode ID: 080c8d6f573d4b518caf4e655f0fcc3a1f7fca7e624085fd0a478c15266a48d0
                                                            • Instruction ID: a46b155a0a589d4ea75c4983af6a631921b9d9812a15003568faaf62f6f01cf1
                                                            • Opcode Fuzzy Hash: 080c8d6f573d4b518caf4e655f0fcc3a1f7fca7e624085fd0a478c15266a48d0
                                                            • Instruction Fuzzy Hash: 7611F331904518A7CB14FBA5D8469DEB7689E44358B20007BF905B72C1EB7CAE45C79D
                                                            Function 0044FCDB Relevance: 10.6, APIs: 7, Instructions: 65COMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 0044FA22: _free.LIBCMT ref: 0044FA4B
                                                            • _free.LIBCMT ref: 0044FD29
                                                              • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                              • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                            • _free.LIBCMT ref: 0044FD34
                                                            • _free.LIBCMT ref: 0044FD3F
                                                            • _free.LIBCMT ref: 0044FD93
                                                            • _free.LIBCMT ref: 0044FD9E
                                                            • _free.LIBCMT ref: 0044FDA9
                                                            • _free.LIBCMT ref: 0044FDB4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                            • Instruction ID: b6f47af98b99390d2ca34363280ce03bc5e4d1be0f6c4f29549f69d6ae0d3a9a
                                                            • Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                            • Instruction Fuzzy Hash: 5F119031711B04B6F520FBB2CC07FCBB7DC9F42308F814C2EB29E76152E628A9184645
                                                            Function 00406815 Relevance: 10.6, APIs: 2, Strings: 4, Instructions: 59COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe), ref: 00406835
                                                              • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
                                                              • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                            • CoUninitialize.OLE32 ref: 0040688E
                                                            Strings
                                                            • C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, xrefs: 00406815, 00406818, 0040686A
                                                            • [+] ucmCMLuaUtilShellExecMethod, xrefs: 0040681A
                                                            • [+] before ShellExec, xrefs: 00406856
                                                            • [+] ShellExec success, xrefs: 00406873
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: InitializeObjectUninitialize_wcslen
                                                            • String ID: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                            • API String ID: 3851391207-852590116
                                                            • Opcode ID: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                                            • Instruction ID: 622c6236034ee416db36617ed9a374104512909f75adacabffe0517dc70a223e
                                                            • Opcode Fuzzy Hash: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                                            • Instruction Fuzzy Hash: A501C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669
                                                            Function 0040FED2 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 59COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
                                                            • int.LIBCPMT ref: 0040FEF2
                                                              • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                              • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                            • std::_Facet_Register.LIBCPMT ref: 0040FF2E
                                                            • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                            • String ID: H]G
                                                            • API String ID: 2536120697-1717957184
                                                            • Opcode ID: 4f42b0104d3fab8d9c54d588918312ac25f5cdf33bdc383dd9a32706d08bdfcf
                                                            • Instruction ID: c39742161ac3258eace465d30f2780732a1ff9819e97f4bd037edafe9ec39b9f
                                                            • Opcode Fuzzy Hash: 4f42b0104d3fab8d9c54d588918312ac25f5cdf33bdc383dd9a32706d08bdfcf
                                                            • Instruction Fuzzy Hash: 9011BF31900419ABCB24FBA5C8468DDB7799F95318B20007FF505B72C1EB78AF09C799
                                                            Function 0040B2A8 Relevance: 10.5, APIs: 2, Strings: 4, Instructions: 48fileCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
                                                            • GetLastError.KERNEL32 ref: 0040B2EE
                                                            Strings
                                                            • [Chrome Cookies not found], xrefs: 0040B308
                                                            • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
                                                            • [Chrome Cookies found, cleared!], xrefs: 0040B314
                                                            • UserProfile, xrefs: 0040B2B4
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: DeleteErrorFileLast
                                                            • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                            • API String ID: 2018770650-304995407
                                                            • Opcode ID: affce56bb21929d7383bdb2dccb574c79b51b4180e8c74c87d019dc2b0b7a2d9
                                                            • Instruction ID: 647c9f6895dd19beb09db90be4e639f81332b1b521455d1adc7a9c6a9ee315b4
                                                            • Opcode Fuzzy Hash: affce56bb21929d7383bdb2dccb574c79b51b4180e8c74c87d019dc2b0b7a2d9
                                                            • Instruction Fuzzy Hash: 3301A23164410557CB047BB5DD6B8AF3624ED50708F60013FF802B32E2FE3A9A0586CE
                                                            Function 004064D0 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 40COMMON
                                                            Download Yara Rule
                                                            Strings
                                                            • C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, xrefs: 00406927
                                                            • HM{, xrefs: 00406909
                                                            • (CG, xrefs: 0040693F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: (CG$C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe$HM{
                                                            • API String ID: 0-4109214080
                                                            • Opcode ID: d50a95e135f0bfdaf236d1bb78b8391e43d4b57b805b0d92c2bf5032378cfc05
                                                            • Instruction ID: a0817f974ad937f6cb5b9dd001e5131ae01746641b95ac10126ddf8aadfa6e31
                                                            • Opcode Fuzzy Hash: d50a95e135f0bfdaf236d1bb78b8391e43d4b57b805b0d92c2bf5032378cfc05
                                                            • Instruction Fuzzy Hash: 05F096B17022109BDB103774BC1967A3645A780356F01847BF94BFA6E5DB3C8851869C
                                                            Function 004395FC Relevance: 9.3, APIs: 6, Instructions: 284COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • __allrem.LIBCMT ref: 00439789
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397A5
                                                            • __allrem.LIBCMT ref: 004397BC
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397DA
                                                            • __allrem.LIBCMT ref: 004397F1
                                                            • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043980F
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                            • String ID:
                                                            • API String ID: 1992179935-0
                                                            • Opcode ID: e717a979b06a6d59714d5f6060216880ad0b40e6851c78038ac3081c6fc0778a
                                                            • Instruction ID: 29148231e9435c1f59b8c02308e8e4f0c882d016d38a0f6ab7871d26eba04b65
                                                            • Opcode Fuzzy Hash: e717a979b06a6d59714d5f6060216880ad0b40e6851c78038ac3081c6fc0778a
                                                            • Instruction Fuzzy Hash: 7A811B726017069BE724AE79CC82B6F73A8AF49328F24512FF511D66C1E7B8DD018B58
                                                            Function 00444B3D Relevance: 9.2, APIs: 6, Instructions: 200COMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: __cftoe
                                                            • String ID:
                                                            • API String ID: 4189289331-0
                                                            • Opcode ID: 07fcb3c060a749777e725642930ed18157a1f5019e1f3146b4d3bc33616e3b2a
                                                            • Instruction ID: 646e0444ce84107b4b6d0ff1d92098e8eb0dfa86acef9ec08128487301265115
                                                            • Opcode Fuzzy Hash: 07fcb3c060a749777e725642930ed18157a1f5019e1f3146b4d3bc33616e3b2a
                                                            • Instruction Fuzzy Hash: A851FC72900105ABFB249F598C81F6F77A9EFC9324F15421FF815A6281DB3DDD01866D
                                                            Function 00446159 Relevance: 9.1, APIs: 3, Strings: 2, Instructions: 389COMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: __freea$__alloca_probe_16
                                                            • String ID: a/p$am/pm
                                                            • API String ID: 3509577899-3206640213
                                                            • Opcode ID: 3e928ede4659587d97ed5dfbbe89dc282e212a9f54712889c1654def3b5faaeb
                                                            • Instruction ID: cf09b504ad0dd49156c227457699755419044adef71e8be36bbdd309731302d4
                                                            • Opcode Fuzzy Hash: 3e928ede4659587d97ed5dfbbe89dc282e212a9f54712889c1654def3b5faaeb
                                                            • Instruction Fuzzy Hash: 5FD1F271A00206EAFB249F68D945ABBB7B0FF06300F26415BE905AB749D37D8D41CB5B
                                                            Function 00403DE7 Relevance: 9.1, APIs: 1, Strings: 5, Instructions: 135sleepCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • Sleep.KERNEL32(00000000), ref: 00403E8A
                                                              • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: H_prologSleep
                                                            • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
                                                            • API String ID: 3469354165-462540288
                                                            • Opcode ID: 4e554ebf19488a5611e14a2d3cf6973cfd4f528d681247d0f0c4997ef775f554
                                                            • Instruction ID: 0dce3c58988623f436d5c5d916b021fc345e3c2d86dff9f08dc17926b78fee06
                                                            • Opcode Fuzzy Hash: 4e554ebf19488a5611e14a2d3cf6973cfd4f528d681247d0f0c4997ef775f554
                                                            • Instruction Fuzzy Hash: A441A330A0420197CA14FB79C816AAD3A655B45704F00453FF809A73E2EF7C9A45C7CF
                                                            Function 00419DEC Relevance: 9.1, APIs: 6, Instructions: 66serviceCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419DFC
                                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E10
                                                            • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E1D
                                                            • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419507), ref: 00419E52
                                                            • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E64
                                                            • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E67
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                            • String ID:
                                                            • API String ID: 493672254-0
                                                            • Opcode ID: 8d0c32570e89dd068500cd90fe1776a703b3a192111dc2e8c1051611ff5d3692
                                                            • Instruction ID: c28812c6d5a3476d8c1fe7dae916194da5da8b168be8dbaba893861dad7fc5da
                                                            • Opcode Fuzzy Hash: 8d0c32570e89dd068500cd90fe1776a703b3a192111dc2e8c1051611ff5d3692
                                                            • Instruction Fuzzy Hash: 3301F5311483147AD7119B39EC5EEBF3AACDB42B71F10022BF526D62D1DA68DE8181A9
                                                            Function 00437E06 Relevance: 9.1, APIs: 6, Instructions: 60COMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            APIs
                                                            • GetLastError.KERNEL32(?,?,00437DFD,004377B1), ref: 00437E14
                                                            • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E22
                                                            • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E3B
                                                            • SetLastError.KERNEL32(00000000,?,00437DFD,004377B1), ref: 00437E8D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLastValue___vcrt_
                                                            • String ID:
                                                            • API String ID: 3852720340-0
                                                            • Opcode ID: 621d246bd99772174e6328e27007d7fc44d2e9bedb07ae0db1c9b20682e519a8
                                                            • Instruction ID: be779a20f6972cc68ff7cd304671387be2c97454b743a33de387a584dbd8fa65
                                                            • Opcode Fuzzy Hash: 621d246bd99772174e6328e27007d7fc44d2e9bedb07ae0db1c9b20682e519a8
                                                            • Instruction Fuzzy Hash: 2A01D8B222D315ADEB3427757C87A172699EB09779F2013BFF228851E1EF294C41914C
                                                            Function 00446EBF Relevance: 9.0, APIs: 6, Instructions: 50COMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            APIs
                                                            • GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                                            • _free.LIBCMT ref: 00446EF6
                                                            • _free.LIBCMT ref: 00446F1E
                                                            • SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
                                                            • SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                                            • _abort.LIBCMT ref: 00446F3D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$_free$_abort
                                                            • String ID:
                                                            • API String ID: 3160817290-0
                                                            • Opcode ID: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                                                            • Instruction ID: 3d2b287d931d31d162837175e2379b90ae0e47a7897f975c134f35b9cb22fcab
                                                            • Opcode Fuzzy Hash: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                                                            • Instruction Fuzzy Hash: 2AF0F93560870177F6226339BD45A6F16559BC37A6F36003FF414A2293EE2D8C46451F
                                                            Function 00419C20 Relevance: 9.0, APIs: 6, Instructions: 44serviceCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C2F
                                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C43
                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C50
                                                            • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C5F
                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C71
                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C74
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Service$CloseHandle$Open$ControlManager
                                                            • String ID:
                                                            • API String ID: 221034970-0
                                                            • Opcode ID: e0442b8656df40b354effc29a53afdc585f42babe91f9aeac9dec78915b16ffb
                                                            • Instruction ID: e05d85410d15b39c35b215a1997cf582e970b4d0c8f2e3caff6268b58306b2a8
                                                            • Opcode Fuzzy Hash: e0442b8656df40b354effc29a53afdc585f42babe91f9aeac9dec78915b16ffb
                                                            • Instruction Fuzzy Hash: F2F0F6325003147BD3116B25EC89EFF3BACDB45BA1F000036F902921D2DB68CD4685F5
                                                            Function 00419D22 Relevance: 9.0, APIs: 6, Instructions: 44serviceCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D31
                                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D45
                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D52
                                                            • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D61
                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D73
                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D76
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Service$CloseHandle$Open$ControlManager
                                                            • String ID:
                                                            • API String ID: 221034970-0
                                                            • Opcode ID: 197637b26bbdd00f03ff7db36be43807083bab4a770c68d4e23c4aa016e90e1f
                                                            • Instruction ID: 9e91e616c68215657d038be5823d6e3897a30bcf6e0764f9fcdf2292ad9a2404
                                                            • Opcode Fuzzy Hash: 197637b26bbdd00f03ff7db36be43807083bab4a770c68d4e23c4aa016e90e1f
                                                            • Instruction Fuzzy Hash: C5F062725003146BD2116B65EC89EBF3BACDB45BA5B00003AFA06A21D2DB68DD4696F9
                                                            Function 00419D87 Relevance: 9.0, APIs: 6, Instructions: 44serviceCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419D96
                                                            • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DAA
                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DB7
                                                            • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DC6
                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DD8
                                                            • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DDB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Service$CloseHandle$Open$ControlManager
                                                            • String ID:
                                                            • API String ID: 221034970-0
                                                            • Opcode ID: e355818817006b765bc9d302ee5cf97eebc986756fff16413e45bff3808d062c
                                                            • Instruction ID: abda6543b9bae7672c93be1b0f3a8a56711a85df89096aceaf06b6c73a90a6e4
                                                            • Opcode Fuzzy Hash: e355818817006b765bc9d302ee5cf97eebc986756fff16413e45bff3808d062c
                                                            • Instruction Fuzzy Hash: C2F0C2325002146BD2116B24FC49EBF3AACDB45BA1B04003AFA06A21D2DB28CE4685F8
                                                            Function 004129AA Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 173registryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                            • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                            • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Enum$InfoQueryValue
                                                            • String ID: [regsplt]$DG
                                                            • API String ID: 3554306468-1089238109
                                                            • Opcode ID: bdfd4bea99a2a56e0bf69a035c0c9d08caa5f3d1df37628ba4533c7e0d6d2cae
                                                            • Instruction ID: 09469598a034e88a10af8fecb22bb8a395a4bc85e225d04bcc93034602455e52
                                                            • Opcode Fuzzy Hash: bdfd4bea99a2a56e0bf69a035c0c9d08caa5f3d1df37628ba4533c7e0d6d2cae
                                                            • Instruction Fuzzy Hash: D8512E72108345AFD310EB61D995DEFB7ECEF84744F00493EB585D2191EB74EA088B6A
                                                            Function 0040AE58 Relevance: 8.8, APIs: 1, Strings: 4, Instructions: 87COMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                                              • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                                              • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                                            • __Init_thread_footer.LIBCMT ref: 0040AEA7
                                                              • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                                              • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                                            • String ID: [End of clipboard]$[Text copied to clipboard]$,]G$0]G
                                                            • API String ID: 2974294136-753205382
                                                            • Opcode ID: 84d5120d1790242da64ed9a6eb1f5c34e2201cb21d83ae33a80d74a94cbf0ed8
                                                            • Instruction ID: 172b4b58ae75f988d3b3a293bba3f35c56e57800f0e036023c2a0486d145437f
                                                            • Opcode Fuzzy Hash: 84d5120d1790242da64ed9a6eb1f5c34e2201cb21d83ae33a80d74a94cbf0ed8
                                                            • Instruction Fuzzy Hash: 44219F31A002099ACB14FB75D8929EE7774AF54318F50403FF406771E2EF386E4A8A8D
                                                            Function 0041CA1F Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 54registryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                                            • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                                            • GetLastError.KERNEL32 ref: 0041CA91
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ClassCreateErrorLastRegisterWindow
                                                            • String ID: 0$MsgWindowClass
                                                            • API String ID: 2877667751-2410386613
                                                            • Opcode ID: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                                            • Instruction ID: bff961279ea7560c1ff94ea7b7e8445e3758215821d07408c43b005d8adda241
                                                            • Opcode Fuzzy Hash: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                                            • Instruction Fuzzy Hash: 2D01E9B1D1431EAB8B01DFE9DCC4AEFBBBDBE49255B50452AE410B2200E7704A448BA5
                                                            Function 004069BA Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42processCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
                                                            • CloseHandle.KERNEL32(?), ref: 00406A0F
                                                            • CloseHandle.KERNEL32(?), ref: 00406A14
                                                            Strings
                                                            • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
                                                            • C:\Windows\System32\cmd.exe, xrefs: 004069FB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseHandle$CreateProcess
                                                            • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                            • API String ID: 2922976086-4183131282
                                                            • Opcode ID: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                                            • Instruction ID: 91eee74bc7ca160cae255ad37e89f65ee2415c19472677646c1a5aeb81073604
                                                            • Opcode Fuzzy Hash: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                                            • Instruction Fuzzy Hash: 8AF030B69002A9BACB30ABD69C0EFDF7F7DEBC6B11F00042AB615A6051D6745144CAB9
                                                            Function 004425D9 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 38libraryloaderCOMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            APIs
                                                            • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044258A,?,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002), ref: 004425F9
                                                            • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044260C
                                                            • FreeLibrary.KERNEL32(00000000,?,?,?,0044258A,?,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002,00000000), ref: 0044262F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: AddressFreeHandleLibraryModuleProc
                                                            • String ID: CorExitProcess$mscoree.dll
                                                            • API String ID: 4061214504-1276376045
                                                            • Opcode ID: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                                            • Instruction ID: 32bca75c9846dbfd0145c2b425e1dcbc158e0b1ec8d75d3d798e8c7ef3c4518a
                                                            • Opcode Fuzzy Hash: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                                            • Instruction Fuzzy Hash: 14F04430904209FBDB169FA5ED09B9EBFB5EB08756F4140B9F805A2251DF749D40CA9C
                                                            Function 00404AB1 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35synchronizationCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,004745A8,00414DB5,00000000,00000000,00000001), ref: 00404AED
                                                            • SetEvent.KERNEL32(00000304), ref: 00404AF9
                                                            • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404B04
                                                            • CloseHandle.KERNEL32(00000000), ref: 00404B0D
                                                              • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                            • String ID: KeepAlive | Disabled
                                                            • API String ID: 2993684571-305739064
                                                            • Opcode ID: 1c0c748ad9fecb0dd528124c77293d7db353f6adbd4e84571b4901e68838a0a9
                                                            • Instruction ID: d6da77504ed7f85403cc54e6f32b3900d2337039667ff8d97479a9328fe4a552
                                                            • Opcode Fuzzy Hash: 1c0c748ad9fecb0dd528124c77293d7db353f6adbd4e84571b4901e68838a0a9
                                                            • Instruction Fuzzy Hash: F8F0BBB19043007FDB1137759D0E66B7F58AB46325F00457FF892926F1DA38D890875B
                                                            Function 00419F32 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 30sleepCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                            • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F64
                                                            • PlaySoundW.WINMM(00000000,00000000), ref: 00419F72
                                                            • Sleep.KERNEL32(00002710), ref: 00419F79
                                                            • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F82
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: PlaySound$HandleLocalModuleSleepTime
                                                            • String ID: Alarm triggered
                                                            • API String ID: 614609389-2816303416
                                                            • Opcode ID: debb84a1251a9d4f253e7d3f2da0eb81be5ea948ed7eff08d43fd7d9de811cd2
                                                            • Instruction ID: 0fe531f7edf44dbbc4d7c544cb5d4c76277d8d7fe89cd9bd4aa838a143c441bc
                                                            • Opcode Fuzzy Hash: debb84a1251a9d4f253e7d3f2da0eb81be5ea948ed7eff08d43fd7d9de811cd2
                                                            • Instruction Fuzzy Hash: 50E09A22A0422033862033BA7C0FC6F3E28DAC6B75B4100BFF905A21A2AE54081086FB
                                                            Function 0041BE6F Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 26COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF02), ref: 0041BE79
                                                            • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BE86
                                                            • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF02), ref: 0041BE93
                                                            • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BEA6
                                                            Strings
                                                            • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BE99
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                            • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                            • API String ID: 3024135584-2418719853
                                                            • Opcode ID: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                                                            • Instruction ID: 2ebb83c1e7e70c4501562f07591cf8b091918c9767bda4cb27a2f29097fd03e7
                                                            • Opcode Fuzzy Hash: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                                                            • Instruction Fuzzy Hash: C7E04F62104348ABD31437F5BC8ECAB3B7CE784613B100536F612903D3EA7484448A79
                                                            Function 0044016A Relevance: 7.7, APIs: 5, Instructions: 222COMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 5145828a6066f50cf31ff859ee0e23af4d85e603a01b225214a849b1d7000abc
                                                            • Instruction ID: 5f24fa964153eb206603784754227e3bedeb81a57cd12874f4c303f17d5dd595
                                                            • Opcode Fuzzy Hash: 5145828a6066f50cf31ff859ee0e23af4d85e603a01b225214a849b1d7000abc
                                                            • Instruction Fuzzy Hash: FD71C231900216DBEB218F55C884ABFBB75FF55360F14026BEE10A7281D7B89D61CBA9
                                                            Function 00410B19 Relevance: 7.7, APIs: 5, Instructions: 198memoryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF
                                                            • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
                                                            • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
                                                            • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410C31
                                                            • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
                                                            • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
                                                            • String ID:
                                                            • API String ID: 3525466593-0
                                                            • Opcode ID: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
                                                            • Instruction ID: 414678d8c61d87a8872ee73c425a8c4ab38aff0ef96490e16bc3f9b9534d1ba0
                                                            • Opcode Fuzzy Hash: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
                                                            • Instruction Fuzzy Hash: 1861C270200301ABD720DF66C981BA77BE6BF44744F04412AF9058B786EBF8E8C5CB99
                                                            Function 00443098 Relevance: 7.6, APIs: 5, Instructions: 129COMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _free
                                                            • String ID:
                                                            • API String ID: 269201875-0
                                                            • Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                            • Instruction ID: 1dbcf13812f0ad7c91f1b1cf961d24232ef3b5dad0ac29e3e9285c08b65e5f3f
                                                            • Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                            • Instruction Fuzzy Hash: 4A41D532E002049FEB24DF79C881A5EB3A5EF89718F15856EE915EB341DB35EE01CB84
                                                            Function 0044FED3 Relevance: 7.6, APIs: 5, Instructions: 110COMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0043E3ED,?,00000000,?,00000001,?,?,00000001,0043E3ED,?), ref: 0044FF20
                                                            • __alloca_probe_16.LIBCMT ref: 0044FF58
                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044FFA9
                                                            • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,004399BF,?), ref: 0044FFBB
                                                            • __freea.LIBCMT ref: 0044FFC4
                                                              • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                            • String ID:
                                                            • API String ID: 313313983-0
                                                            • Opcode ID: 32ac3bd373e466217b4644ebee2ff76607fe703c26dcd28c1e1d2c5ecdebf3ce
                                                            • Instruction ID: fd0d2a6e26420063bd1679c32ed8e9021f1b2be81e6a043fb7466d0fa567ef17
                                                            • Opcode Fuzzy Hash: 32ac3bd373e466217b4644ebee2ff76607fe703c26dcd28c1e1d2c5ecdebf3ce
                                                            • Instruction Fuzzy Hash: 9831FE32A0021AABEF248F65DC41EAF7BA5EB05314F05017BFC04D6290EB39DD58CBA4
                                                            Function 0044E13B Relevance: 7.6, APIs: 5, Instructions: 68COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetEnvironmentStringsW.KERNEL32 ref: 0044E144
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E167
                                                              • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                                            • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E18D
                                                            • _free.LIBCMT ref: 0044E1A0
                                                            • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1AF
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                            • String ID:
                                                            • API String ID: 336800556-0
                                                            • Opcode ID: 4bdc18aade4f5afa9f676aa8b8aa9a2318643a84ce2148a0478020116eae0cde
                                                            • Instruction ID: 38685928f53d0fdec7f9771a1fbcf5508afe04d06d5fe5a1692e2fd93afee85f
                                                            • Opcode Fuzzy Hash: 4bdc18aade4f5afa9f676aa8b8aa9a2318643a84ce2148a0478020116eae0cde
                                                            • Instruction Fuzzy Hash: 8201B1726417117F73215ABB6C8CC7B6A6DEEC2BA2315013ABD04D6201DA788C0291B9
                                                            Function 00446F43 Relevance: 7.6, APIs: 5, Instructions: 53COMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            APIs
                                                            • GetLastError.KERNEL32(0000000A,0000000B,0000000A,00445359,00440A9B,00000000,?,?,?,?,00440C7E,00000000,0000000A,000000FF,0000000A,00000000), ref: 00446F48
                                                            • _free.LIBCMT ref: 00446F7D
                                                            • _free.LIBCMT ref: 00446FA4
                                                            • SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 00446FB1
                                                            • SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 00446FBA
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorLast$_free
                                                            • String ID:
                                                            • API String ID: 3170660625-0
                                                            • Opcode ID: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                                            • Instruction ID: 6bd692df8320938abc1815071491dbd9703328d73d2f54107518a18b095bb187
                                                            • Opcode Fuzzy Hash: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                                            • Instruction Fuzzy Hash: 7401D13620C70067F61266757C85D2F266DDBC3B66727013FF958A2292EE2CCC0A452F
                                                            Function 0041B37D Relevance: 7.5, APIs: 5, Instructions: 47COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                            • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                            • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041B3C8
                                                            • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3D3
                                                            • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3DB
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Process$CloseHandleOpen$FileImageName
                                                            • String ID:
                                                            • API String ID: 2951400881-0
                                                            • Opcode ID: db4a41822c85b6549257f18fa46790b7e5e5d5e6a524df97c50e7420b53bdc77
                                                            • Instruction ID: bb9aee54fd4b55ef2446b45ef4d52834339351c189d8e7c886657dc3bd6b5f1d
                                                            • Opcode Fuzzy Hash: db4a41822c85b6549257f18fa46790b7e5e5d5e6a524df97c50e7420b53bdc77
                                                            • Instruction Fuzzy Hash: 2FF04971204209ABD3106754AC4AFA7B27CDB40B96F000037FA61D22A1FFB4CCC146AE
                                                            Function 0044F79D Relevance: 7.5, APIs: 5, Instructions: 40COMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            APIs
                                                            • _free.LIBCMT ref: 0044F7B5
                                                              • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                              • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                            • _free.LIBCMT ref: 0044F7C7
                                                            • _free.LIBCMT ref: 0044F7D9
                                                            • _free.LIBCMT ref: 0044F7EB
                                                            • _free.LIBCMT ref: 0044F7FD
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                            • Instruction ID: 78b16e2cd2bc6e4547488c8f4e3d182d22cf8911186b8f77a4a783cd10448158
                                                            • Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                            • Instruction Fuzzy Hash: 9AF01232505600BBE620EB59E8C5C1773E9EB827147A9482BF408F7641CB3DFCC48A6C
                                                            Function 004432E7 Relevance: 7.5, APIs: 5, Instructions: 30COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • _free.LIBCMT ref: 00443305
                                                              • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                              • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                            • _free.LIBCMT ref: 00443317
                                                            • _free.LIBCMT ref: 0044332A
                                                            • _free.LIBCMT ref: 0044333B
                                                            • _free.LIBCMT ref: 0044334C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _free$ErrorFreeHeapLast
                                                            • String ID:
                                                            • API String ID: 776569668-0
                                                            • Opcode ID: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                                            • Instruction ID: 76e6a482bc9a1727a28655d1f271e5fc3ecde01143ea680422932a64b095765e
                                                            • Opcode Fuzzy Hash: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                                            • Instruction Fuzzy Hash: B9F05EF08075209FAB12AF2DBD014893BA0B786755306413BF41EB2772EB380D95DB8E
                                                            Function 00416751 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 182threadwindowCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetWindowThreadProcessId.USER32(?,?), ref: 00416768
                                                            • GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
                                                            • IsWindowVisible.USER32(?), ref: 004167A1
                                                              • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                                              • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ProcessWindow$Open$TextThreadVisible
                                                            • String ID: (FG
                                                            • API String ID: 3142014140-2273637114
                                                            • Opcode ID: 4740719a390b3ba9c6c78a6bb065e116e455b7124dca1e6ba6f29cda58230414
                                                            • Instruction ID: 6337817d5adb2ff800b6fe7f9081d1b6a06097940366009b721c4d78a1625a25
                                                            • Opcode Fuzzy Hash: 4740719a390b3ba9c6c78a6bb065e116e455b7124dca1e6ba6f29cda58230414
                                                            • Instruction Fuzzy Hash: FD71E6321082414AC325FB61D8A5ADFB3E4AFE4319F50453EF58A530E1EF746A49C79A
                                                            Function 004095D6 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 158COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetKeyboardLayoutNameA.USER32(?), ref: 00409601
                                                              • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                              • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                                              • Part of subcall function 0041B6AA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6BF
                                                              • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateFileKeyboardLayoutNameconnectsendsocket
                                                            • String ID: XCG$`AG$>G
                                                            • API String ID: 2334542088-2372832151
                                                            • Opcode ID: 1cf10a0665e3775091c447b47999919f7d6db2360a149e937a3b08d82d1eeea5
                                                            • Instruction ID: 7adbea44916697806613a62f0197ef330eb15d5bc584e2d7fa9685cab7613629
                                                            • Opcode Fuzzy Hash: 1cf10a0665e3775091c447b47999919f7d6db2360a149e937a3b08d82d1eeea5
                                                            • Instruction Fuzzy Hash: 865143321042405BC325F775D8A2AEF73D5AFE4308F50483FF84A671E2EE785949C69A
                                                            Function 004426D4 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 116COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe,00000104), ref: 00442714
                                                            • _free.LIBCMT ref: 004427DF
                                                            • _free.LIBCMT ref: 004427E9
                                                            Strings
                                                            • C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe, xrefs: 0044270B, 00442712, 00442741, 00442779
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: _free$FileModuleName
                                                            • String ID: C:\Users\user\Desktop\1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db5639506.dat-decoded.exe
                                                            • API String ID: 2506810119-2823010029
                                                            • Opcode ID: 517ef8501d39ed80bd5d3989cd54e6cd38b7eb486680de81052e85c6479d25b4
                                                            • Instruction ID: 3cff5717343a4e3a710d875500e96c622d597d45f5ef159119de948e6b6562f0
                                                            • Opcode Fuzzy Hash: 517ef8501d39ed80bd5d3989cd54e6cd38b7eb486680de81052e85c6479d25b4
                                                            • Instruction Fuzzy Hash: 3E31B371A00218AFEB21DF9ADD81D9EBBFCEB85314F54406BF804A7311D6B88E41DB59
                                                            Function 00404468 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 92synchronizationnetworkCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                            • WaitForSingleObject.KERNEL32(00000328,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                                            • SetEvent.KERNEL32(00000328,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: EventObjectSingleWaitsend
                                                            • String ID: LAL
                                                            • API String ID: 3963590051-3302426157
                                                            • Opcode ID: 314c35cb7c3e0cdd1eb64e7b3ffc619a90be7dd70040102f0ebb66c8c0e95541
                                                            • Instruction ID: 68c7e6670e460543dd9c105572fcb78fed3a06f13f8c8b410ea91b680b50408d
                                                            • Opcode Fuzzy Hash: 314c35cb7c3e0cdd1eb64e7b3ffc619a90be7dd70040102f0ebb66c8c0e95541
                                                            • Instruction Fuzzy Hash: 192143B29001196BDF04BBA5DC96DEE777CFF54358B00013EF916B21E1EA78A604D6A4
                                                            Function 00403A10 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 92sleepCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
                                                              • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,74DF3530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
                                                              • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                              • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                              • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                            • Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                            • String ID: /sort "Visit Time" /stext "$8>G
                                                            • API String ID: 368326130-2663660666
                                                            • Opcode ID: f086c9f5da83253ac26c9d0f50b0703b97421a1697d77c47133a2e168226085d
                                                            • Instruction ID: 7eda923cdb9144c2d3fbd791e6ccfb72172be11f11f2a08a3aebfaec1b2861d2
                                                            • Opcode Fuzzy Hash: f086c9f5da83253ac26c9d0f50b0703b97421a1697d77c47133a2e168226085d
                                                            • Instruction Fuzzy Hash: E5317331A0021456CB14FBB6DC969EE7775AF90318F40017FF906B71D2EF385A8ACA99
                                                            Function 0040C580 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 70COMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 0041B58F: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6A5,00000000,00000000,?), ref: 0041B5CE
                                                            • ShellExecuteW.SHELL32(?,open,00000000), ref: 0040C632
                                                            • ExitProcess.KERNEL32 ref: 0040C63E
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateExecuteExitFileProcessShell
                                                            • String ID: fso.DeleteFile(Wscript.ScriptFullName)$open
                                                            • API String ID: 2309964880-3562070623
                                                            • Opcode ID: 355b2c8b4db0139162816cdc4a3c049ca7e0b3ef8aa2afc8d6a7588b112dea38
                                                            • Instruction ID: 568fed376c07edf90cd2df9b8610832c68d616ac56d6d0e00b2c9eff25916ff3
                                                            • Opcode Fuzzy Hash: 355b2c8b4db0139162816cdc4a3c049ca7e0b3ef8aa2afc8d6a7588b112dea38
                                                            • Instruction Fuzzy Hash: 692145315042405AC324FB25E8969BF77E4AFD1319F50493FF482620F2EF38AA49C69A
                                                            Function 0040A876 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 67timeCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                            • wsprintfW.USER32 ref: 0040A905
                                                              • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: EventLocalTimewsprintf
                                                            • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                                                            • API String ID: 1497725170-1359877963
                                                            • Opcode ID: f1131f2c5aa9efe0aa35bfe1aadc190762ac6710f9a6fccd412707abd6ba0ca2
                                                            • Instruction ID: 8a7b6ca92c081f7f17d03b5bac770d689c192d548357e869dbc211d44db93d1d
                                                            • Opcode Fuzzy Hash: f1131f2c5aa9efe0aa35bfe1aadc190762ac6710f9a6fccd412707abd6ba0ca2
                                                            • Instruction Fuzzy Hash: BB118172400118AACB18BB56EC55CFE77BCAE48325F00013FF842620D1EF7C5A86C6E9
                                                            Function 0040A611 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 64threadCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                              • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                              • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                            • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040A691
                                                            • CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 0040A69D
                                                            • CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CreateThread$LocalTime$wsprintf
                                                            • String ID: Online Keylogger Started
                                                            • API String ID: 112202259-1258561607
                                                            • Opcode ID: 74bbf1dd48c5cc06e207f48c4eb53604144d0a493703acba44df512efce14c16
                                                            • Instruction ID: 3917ec9fcb61ff418b23047d8298326e5ff7fd14d64f683336ff9c65b5464130
                                                            • Opcode Fuzzy Hash: 74bbf1dd48c5cc06e207f48c4eb53604144d0a493703acba44df512efce14c16
                                                            • Instruction Fuzzy Hash: DE01C4916003093AE62076368C87DBF3A6DCA813A8F40043EF541362C3E97D5D5582FB
                                                            Function 0044AA73 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 61COMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            APIs
                                                            • CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A991,`@,0046DD28,0000000C), ref: 0044AAC9
                                                            • GetLastError.KERNEL32(?,0044A991,`@,0046DD28,0000000C), ref: 0044AAD3
                                                            • __dosmaperr.LIBCMT ref: 0044AAFE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseErrorHandleLast__dosmaperr
                                                            • String ID: `@
                                                            • API String ID: 2583163307-951712118
                                                            • Opcode ID: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                                            • Instruction ID: 1bd3c876d7044edfb1a6812000b34c32b622226010ed5631802de8abdb52b33d
                                                            • Opcode Fuzzy Hash: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                                            • Instruction Fuzzy Hash: F8018E366446201AF7206674698577F77898B82738F2A027FF904972D2DE6DCCC5C19F
                                                            Function 00419E89 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 50COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • PathFileExistsW.SHLWAPI(00000000), ref: 00419EAE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ExistsFilePath
                                                            • String ID: TUF$alarm.wav$xIG
                                                            • API String ID: 1174141254-2188790166
                                                            • Opcode ID: 78a56aa9651363ee496944c99f45765e7eccc86df74fcc7e6b7799ffaff104a1
                                                            • Instruction ID: 7a4fe07350b1461b8d7cab7706a536354aa1130be6e3c83a2e6414618e768e61
                                                            • Opcode Fuzzy Hash: 78a56aa9651363ee496944c99f45765e7eccc86df74fcc7e6b7799ffaff104a1
                                                            • Instruction Fuzzy Hash: 8B01802060420166C604B676D866AEE77458BC1719F40413FF89A966E2EF6CAEC6C2DF
                                                            Function 00404B29 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 47synchronizationCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
                                                            • CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
                                                            • SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseEventHandleObjectSingleWait
                                                            • String ID: Connection Timeout
                                                            • API String ID: 2055531096-499159329
                                                            • Opcode ID: 021faa9111ab8834074a9e6104490ab3bec6bd23ae7819230539afb67bbeabe2
                                                            • Instruction ID: ea4abd021a31a941d528121f8d879e106695b0b6a7a7fd2d86c7f06b9a048df4
                                                            • Opcode Fuzzy Hash: 021faa9111ab8834074a9e6104490ab3bec6bd23ae7819230539afb67bbeabe2
                                                            • Instruction Fuzzy Hash: 7A01F5B1940B41AFD325BB3A9C4645ABBE4AB45315700053FF6D392BB1DA38E8408B5A
                                                            Function 004016E8 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 45COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • waveInPrepareHeader.WINMM(007BE278,00000020,?,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 00401747
                                                            • waveInAddBuffer.WINMM(007BE278,00000020,?,00000000,00401913), ref: 0040175D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: wave$BufferHeaderPrepare
                                                            • String ID: T=G$x{
                                                            • API String ID: 2315374483-3589174691
                                                            • Opcode ID: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                                            • Instruction ID: f8644d152c35c587af506687758c025c54344a6e575747702fe1289d7b8da532
                                                            • Opcode Fuzzy Hash: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                                            • Instruction Fuzzy Hash: 65018B71301300AFD7209F39EC45A69BBA9EB4931AF01413EB808D32B1EB34A8509B98
                                                            Function 00412774 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38registryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • RegCreateKeyW.ADVAPI32(80000001,00000000,?), ref: 0041277F
                                                            • RegSetValueExW.ADVAPI32(?,?,00000000,00000001,00000000,00000000,004742F8,?,0040E5CB,pth_unenc,HM{), ref: 004127AD
                                                            • RegCloseKey.ADVAPI32(?,?,0040E5CB,pth_unenc,HM{), ref: 004127B8
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseCreateValue
                                                            • String ID: pth_unenc
                                                            • API String ID: 1818849710-4028850238
                                                            • Opcode ID: 2b0b83c385fe9b11323970af50dff3bb0d924dce91bf1d9d78cbef32cf6cf5ea
                                                            • Instruction ID: fff2d7bcc465bc574364a4979b4b77ba115ffea085319746951fe37a0eeb78e5
                                                            • Opcode Fuzzy Hash: 2b0b83c385fe9b11323970af50dff3bb0d924dce91bf1d9d78cbef32cf6cf5ea
                                                            • Instruction Fuzzy Hash: 9FF0CD31500218BBDF109FA0ED46EEF37ACAB40B50F104539F902A60A1E675DB14DAA4
                                                            Function 0040CDBE Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 38COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
                                                            • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08
                                                              • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 004347DC
                                                              • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 00434800
                                                            • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                            • String ID: bad locale name
                                                            • API String ID: 3628047217-1405518554
                                                            • Opcode ID: 2c952230bb5508a40ba9b400b3509c8dd800ec2376424fb743b9d3d13ecaa97f
                                                            • Instruction ID: 69d9b4558c1556c2c918d31b5ea24064f6fee533cc814fb99c42b36f0b05f267
                                                            • Opcode Fuzzy Hash: 2c952230bb5508a40ba9b400b3509c8dd800ec2376424fb743b9d3d13ecaa97f
                                                            • Instruction Fuzzy Hash: 1AF08171400204EAC724FB23D853ACA73A49F54748F90497FB506214D2EF38A618CA8C
                                                            Function 004151B2 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 27COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ExecuteShell
                                                            • String ID: /C $cmd.exe$open
                                                            • API String ID: 587946157-3896048727
                                                            • Opcode ID: ee6d09c7a5be61fc2c77f0fe381f15b1933766d643093560b744fac4f5f657b7
                                                            • Instruction ID: 3ae8c2b06d9b1922b9065f49b1512f2a4b1b87a12dccb2265ed1bd098505db2c
                                                            • Opcode Fuzzy Hash: ee6d09c7a5be61fc2c77f0fe381f15b1933766d643093560b744fac4f5f657b7
                                                            • Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E
                                                            Function 0040AFBA Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 20threadCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • TerminateThread.KERNEL32(Function_000099A9,00000000,004742F8,pth_unenc,0040BF26,HM{,004742F8,?,pth_unenc), ref: 0040AFC9
                                                            • UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                            • TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: TerminateThread$HookUnhookWindows
                                                            • String ID: pth_unenc
                                                            • API String ID: 3123878439-4028850238
                                                            • Opcode ID: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                                                            • Instruction ID: c35477c7b81069fed5c639b3d306817a7c517f63bcb5e1090982200d4e51bed9
                                                            • Opcode Fuzzy Hash: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                                                            • Instruction Fuzzy Hash: 32E01DB1209317DFD3101F546C84825B799EB44356324047FF6C155252C5798C54C759
                                                            Function 00448D0B Relevance: 6.3, APIs: 4, Instructions: 305COMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: __alldvrm$_strrchr
                                                            • String ID:
                                                            • API String ID: 1036877536-0
                                                            • Opcode ID: 63f75d4c6ddf9dfadee5a9a28b1451e266bcc439c32975fae3941ae33d1a5297
                                                            • Instruction ID: 63a095292c52d92af2bf19a392fdfa9b0d117a80b68c781492b1ecdde0b53e6f
                                                            • Opcode Fuzzy Hash: 63f75d4c6ddf9dfadee5a9a28b1451e266bcc439c32975fae3941ae33d1a5297
                                                            • Instruction Fuzzy Hash: 60A168729042469FFB21CF58C8817AEBBE2EF55314F24416FE5849B382DA3C8D45C759
                                                            Function 00441A81 Relevance: 6.1, APIs: 4, Instructions: 133COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: d2c3ac181d975cfacaee5c3ec40136b8bdf5b2422b9dd14ab5655829a2308330
                                                            • Instruction ID: 90b3d0a8f148eb65ba096d855dd205fb67a40d318d5acb0a54968c3478788488
                                                            • Opcode Fuzzy Hash: d2c3ac181d975cfacaee5c3ec40136b8bdf5b2422b9dd14ab5655829a2308330
                                                            • Instruction Fuzzy Hash: 10412B71A00744AFF724AF78CC41B6ABBE8EF88714F10452FF511DB291E679A9458788
                                                            Function 0040B806 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 103sleepCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            • Cleared browsers logins and cookies., xrefs: 0040B8EF
                                                            • [Cleared browsers logins and cookies.], xrefs: 0040B8DE
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Sleep
                                                            • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                            • API String ID: 3472027048-1236744412
                                                            • Opcode ID: a28c998271a66f8567227a1897484aa15a4fe563e622933235ba73a641e0d975
                                                            • Instruction ID: 8ec9c8031b8ac0664cfb8a22ca307bf710261ddd843e88104a77dac6ce00e7b7
                                                            • Opcode Fuzzy Hash: a28c998271a66f8567227a1897484aa15a4fe563e622933235ba73a641e0d975
                                                            • Instruction Fuzzy Hash: FA31891564C3816ACA11777514167EB6F958A93754F0884BFF8C4273E3DB7A480893EF
                                                            Function 00411524 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 93sleepCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                              • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                              • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                            • Sleep.KERNEL32(00000BB8), ref: 004115C3
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: CloseOpenQuerySleepValue
                                                            • String ID: HM{$P{$exepath
                                                            • API String ID: 4119054056-2548741285
                                                            • Opcode ID: efcd0af1208699037f09edad500f6ec840cfbf7b9737e1f52f1688804d5b7727
                                                            • Instruction ID: 48aadeccb903c06d46a934e3c92f1fe58b0119fffb77d403c20537554d94cb98
                                                            • Opcode Fuzzy Hash: efcd0af1208699037f09edad500f6ec840cfbf7b9737e1f52f1688804d5b7727
                                                            • Instruction Fuzzy Hash: C721F4A0B002042BD614B77A6C06ABF724E8BD1308F00457FBD4AA72D3DE7D9D4581AD
                                                            Function 0041A98A Relevance: 6.1, APIs: 4, Instructions: 78timesleepCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: SystemTimes$Sleep__aulldiv
                                                            • String ID:
                                                            • API String ID: 188215759-0
                                                            • Opcode ID: 92a2626712ce3f1da2ce83f7d896a05a413d351f08ea1f1dcdc4cf9aeb41d840
                                                            • Instruction ID: 3b66203fd79088dfadce72ddbf0b0401c54eb4bd27628439374ba0e7aa9136f0
                                                            • Opcode Fuzzy Hash: 92a2626712ce3f1da2ce83f7d896a05a413d351f08ea1f1dcdc4cf9aeb41d840
                                                            • Instruction Fuzzy Hash: 9D215E725083009BC304DF65D98589FB7E8EFC8654F044A2EF589D3251EA34EA49CB63
                                                            Function 00409C4B Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 71sleepCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 0041B6E6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B6F6
                                                              • Part of subcall function 0041B6E6: GetWindowTextLengthW.USER32(00000000), ref: 0041B6FF
                                                              • Part of subcall function 0041B6E6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B729
                                                            • Sleep.KERNEL32(000001F4), ref: 00409C95
                                                            • Sleep.KERNEL32(00000064), ref: 00409D1F
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Window$SleepText$ForegroundLength
                                                            • String ID: [ $ ]
                                                            • API String ID: 3309952895-93608704
                                                            • Opcode ID: 92cb9d2a2d6bf6289d44fec474a7e000b4a54ab88b054bee990bed59a71b9a03
                                                            • Instruction ID: a5f4dc9a3e016f43683dc3f70dfd76a68f9d753ffdb665cb1c6be196efeb7d0c
                                                            • Opcode Fuzzy Hash: 92cb9d2a2d6bf6289d44fec474a7e000b4a54ab88b054bee990bed59a71b9a03
                                                            • Instruction Fuzzy Hash: 4611C0325082005BD218FB25DC17AAEB7A8AF51708F40047FF542221E3EF39AE1986DF
                                                            Function 00442CD2 Relevance: 6.1, APIs: 4, Instructions: 63COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
                                                            • Instruction ID: c84c011be516b9a55b4d27d1f6be1bd7d35570b7e88518a67a440710abbdd315
                                                            • Opcode Fuzzy Hash: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
                                                            • Instruction Fuzzy Hash: 780126F26097153EF62016796CC1F6B230CDF823B8B34073BF421652E1EAA8CC01506C
                                                            Function 00442D51 Relevance: 6.1, APIs: 4, Instructions: 59COMMON
                                                            Download Yara Rule
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID:
                                                            • API String ID:
                                                            • Opcode ID: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                                                            • Instruction ID: e6f180ecc181abb5a77ec057abe27f8575e00a75e8bcf6cd4df5c03139e47140
                                                            • Opcode Fuzzy Hash: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                                                            • Instruction Fuzzy Hash: E10121F2A092163EB62016797DD0DA7260DDF823B8374033BF421722D2EAA88C004068
                                                            Function 004380F5 Relevance: 6.1, APIs: 4, Instructions: 53COMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            APIs
                                                            • ___BuildCatchObject.LIBVCRUNTIME ref: 0043810F
                                                              • Part of subcall function 0043805C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043808B
                                                              • Part of subcall function 0043805C: ___AdjustPointer.LIBCMT ref: 004380A6
                                                            • _UnwindNestedFrames.LIBCMT ref: 00438124
                                                            • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438135
                                                            • CallCatchBlock.LIBVCRUNTIME ref: 0043815D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                            • String ID:
                                                            • API String ID: 737400349-0
                                                            • Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                            • Instruction ID: 9a8277e88b86f5caaa8344fd0510e130f37262ecddc885b6c63592dc4fca678f
                                                            • Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                            • Instruction Fuzzy Hash: 09014032100208BBDF126E96CC45DEB7B69EF4C758F04500DFE4866121C739E861DBA8
                                                            Function 00447210 Relevance: 6.1, APIs: 4, Instructions: 52libraryCOMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            APIs
                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004471B7,00000000,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue), ref: 00447242
                                                            • GetLastError.KERNEL32(?,004471B7,00000000,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446F91), ref: 0044724E
                                                            • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471B7,00000000,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044725C
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: LibraryLoad$ErrorLast
                                                            • String ID:
                                                            • API String ID: 3177248105-0
                                                            • Opcode ID: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                            • Instruction ID: 998cab178f840ac2caaf283a3a5c141d85ba25b8fcaedc139a46ff50caeaa73b
                                                            • Opcode Fuzzy Hash: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                            • Instruction Fuzzy Hash: FC01D83261D7236BD7214B79AC44A577798BB05BA1B1106B2F906E3241D768D802C6D8
                                                            Function 0041B61A Relevance: 6.0, APIs: 4, Instructions: 50fileCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                                            • GetFileSize.KERNEL32(00000000,00000000), ref: 0041B647
                                                            • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041B66C
                                                            • CloseHandle.KERNEL32(00000000), ref: 0041B67A
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: File$CloseCreateHandleReadSize
                                                            • String ID:
                                                            • API String ID: 3919263394-0
                                                            • Opcode ID: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                                            • Instruction ID: 0a6fce4b3becde4f67ebc64a516323d43c368a538d14007d95c0a1c89629aad3
                                                            • Opcode Fuzzy Hash: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                                            • Instruction Fuzzy Hash: B3F0F6B12053047FE6101B25FC85FBF375CDB867A5F00023EFC01A22D1DA658C459179
                                                            Function 0041850C Relevance: 6.0, APIs: 4, Instructions: 49COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetSystemMetrics.USER32(0000004C), ref: 00418519
                                                            • GetSystemMetrics.USER32(0000004D), ref: 0041851F
                                                            • GetSystemMetrics.USER32(0000004E), ref: 00418525
                                                            • GetSystemMetrics.USER32(0000004F), ref: 0041852B
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: MetricsSystem
                                                            • String ID:
                                                            • API String ID: 4116985748-0
                                                            • Opcode ID: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
                                                            • Instruction ID: 928f1b056b10b768f566869b0c9e39fed015f0adb742d9b99f9daccd71f82e50
                                                            • Opcode Fuzzy Hash: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
                                                            • Instruction Fuzzy Hash: 96F0D672B043216BCA00EA798C4556FBB97DFD02A4F25083FE6059B341DEB8EC4687D9
                                                            Function 00441EDD Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 189COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • __startOneArgErrorHandling.LIBCMT ref: 00441F6D
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorHandling__start
                                                            • String ID: pow
                                                            • API String ID: 3213639722-2276729525
                                                            • Opcode ID: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
                                                            • Instruction ID: c296867054112a427edbdd16b3baf579c6faf9d8481746a729c2ad46b2c40409
                                                            • Opcode Fuzzy Hash: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
                                                            • Instruction Fuzzy Hash: 2A517B61A1620196F7117714C98137F2BD0DB50741F688D6BF085423F9DF3D8CDA9A4E
                                                            Function 0044DB34 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 132COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB59
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Info
                                                            • String ID: $fD
                                                            • API String ID: 1807457897-3092946448
                                                            • Opcode ID: af305b060504fe74110eba1b75a066a7b29ec04ef294ab3684049637f65bd75b
                                                            • Instruction ID: 070357306f4c5095a08430c9ceac02bf5c2973ae7142a422f036c1757655e3b4
                                                            • Opcode Fuzzy Hash: af305b060504fe74110eba1b75a066a7b29ec04ef294ab3684049637f65bd75b
                                                            • Instruction Fuzzy Hash: C241FA7090439C9AEB218F24CCC4BF6BBB9DF45308F1404EEE59A87242D279AE45DF65
                                                            Function 00417BDC Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 92COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417C08
                                                              • Part of subcall function 004177A2: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417C1B,00000000,?,?,?,?,00000000), ref: 004177B6
                                                            • SHCreateMemStream.SHLWAPI(00000000), ref: 00417C55
                                                              • Part of subcall function 00417815: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417C71,00000000,?,?), ref: 00417827
                                                              • Part of subcall function 004177C5: GdipDisposeImage.GDIPLUS(?,00417CCC), ref: 004177CE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                            • String ID: image/jpeg
                                                            • API String ID: 1291196975-3785015651
                                                            • Opcode ID: 8f3b30371828e1907736ebf26ac10b00a12ebc6a0bae61ebf375912b50c4f4ef
                                                            • Instruction ID: 3dbe320e324aa312c145f712c1d391ec03548c85c69305bb74e69b0931de3aa8
                                                            • Opcode Fuzzy Hash: 8f3b30371828e1907736ebf26ac10b00a12ebc6a0bae61ebf375912b50c4f4ef
                                                            • Instruction Fuzzy Hash: 13315C75508300AFC301AF65C884DAFBBF9FF8A704F000A2EF94597251DB79A905CBA6
                                                            Function 004508DE Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 88COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetACP.KERNEL32(?,20001004,?,00000002), ref: 004509B9
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID:
                                                            • String ID: ACP$OCP
                                                            • API String ID: 0-711371036
                                                            • Opcode ID: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                            • Instruction ID: 7e3e8aaac6bfe0b7539266298c93f9b0706a3ab6a9e9f394231f134d2b8bf5b7
                                                            • Opcode Fuzzy Hash: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                            • Instruction Fuzzy Hash: 072138EAA04201A6F7348B558801B9B7396AF54B23F164826EC49D730BF739DD49C358
                                                            Function 00417CD9 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417CF4
                                                              • Part of subcall function 004177A2: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417C1B,00000000,?,?,?,?,00000000), ref: 004177B6
                                                            • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00417D19
                                                              • Part of subcall function 00417815: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417C71,00000000,?,?), ref: 00417827
                                                              • Part of subcall function 004177C5: GdipDisposeImage.GDIPLUS(?,00417CCC), ref: 004177CE
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                            • String ID: image/png
                                                            • API String ID: 1291196975-2966254431
                                                            • Opcode ID: 3eb8dd80f54a72a5a0a9ed13ccec69a705e73992219fab643a786ff0acabb055
                                                            • Instruction ID: e3b7944e5392015f30009faa46d0af48502643625c308f0969f1fef2cb3c76d4
                                                            • Opcode Fuzzy Hash: 3eb8dd80f54a72a5a0a9ed13ccec69a705e73992219fab643a786ff0acabb055
                                                            • Instruction Fuzzy Hash: AA21A135204211AFC300AF61CC88CAFBBBDEFCA714F10052EF90693151DB399945CBA6
                                                            Function 004049BA Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 68timeCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1
                                                              • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                            • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E
                                                            Strings
                                                            • KeepAlive | Enabled | Timeout: , xrefs: 004049E5
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: LocalTime
                                                            • String ID: KeepAlive | Enabled | Timeout:
                                                            • API String ID: 481472006-1507639952
                                                            • Opcode ID: 88f98e07624f0cdc5f5406798babcb05efc51bc28ea43e2309e29ec04d21d8db
                                                            • Instruction ID: fa495feba5854bec2644a8330ceabc5ae1d4c14ac10d4033695aa89a80f4fa5c
                                                            • Opcode Fuzzy Hash: 88f98e07624f0cdc5f5406798babcb05efc51bc28ea43e2309e29ec04d21d8db
                                                            • Instruction Fuzzy Hash: 5A2126A1A042806BC310FB6AD80A76B7B9497D1319F44407EF849532E2DB3C5999CB9F
                                                            Function 0041A686 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 59timeCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: LocalTime
                                                            • String ID: | $%02i:%02i:%02i:%03i
                                                            • API String ID: 481472006-2430845779
                                                            • Opcode ID: 9b95a0a033af4e6b3b54331b4a103e7e6270c3a9d1cca9dd8a72674f32e816fd
                                                            • Instruction ID: d205b4ebe2adc0156a37935a73d605e8b5d9817e81284f53efab16a15aec7ece
                                                            • Opcode Fuzzy Hash: 9b95a0a033af4e6b3b54331b4a103e7e6270c3a9d1cca9dd8a72674f32e816fd
                                                            • Instruction Fuzzy Hash: 80114C725082045AC704EBA5D8568AF73E8AB94708F10053FFC85931E1EF38DA84C69E
                                                            Function 004125EE Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 51registryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00412612
                                                            • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00412648
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: QueryValue
                                                            • String ID: TUF
                                                            • API String ID: 3660427363-3431404234
                                                            • Opcode ID: ea05bdfc88d730103140c1813835b768b0c4990d0bb52d9cb4e5ffcfc942b32d
                                                            • Instruction ID: 62a4949b47554db758ef5e9b715c6ec4cc130d120bf99ac1ec1555789b8052d8
                                                            • Opcode Fuzzy Hash: ea05bdfc88d730103140c1813835b768b0c4990d0bb52d9cb4e5ffcfc942b32d
                                                            • Instruction Fuzzy Hash: BC01A7B6A00108BFDB049B95DD46EFF7ABDDF44240F10007AF901E2251E6749F009664
                                                            Function 0040A767 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 47COMMON
                                                            Download Yara Rule
                                                            APIs
                                                              • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                              • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                              • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                                            • CloseHandle.KERNEL32(?), ref: 0040A7CA
                                                            • UnhookWindowsHookEx.USER32 ref: 0040A7DD
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                            • String ID: Online Keylogger Stopped
                                                            • API String ID: 1623830855-1496645233
                                                            • Opcode ID: fe6e18c6252a0bee342ef941cd7d9d06612fb05f1df7cb5e72a2689b447559bc
                                                            • Instruction ID: 3c154674506c802d119dc10506b29c5389a087cae46ba36945c53301bfe6088f
                                                            • Opcode Fuzzy Hash: fe6e18c6252a0bee342ef941cd7d9d06612fb05f1df7cb5e72a2689b447559bc
                                                            • Instruction Fuzzy Hash: CC01D431A043019BDB25BB35C80B7AEBBB59B45315F80407FE481225D2EB7999A6C3DB
                                                            Function 00447790 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • IsValidLocale.KERNEL32(00000000,j=D,00000000,00000001,?,?,00443D6A,?,?,?,?,00000004), ref: 004477DC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: LocaleValid
                                                            • String ID: IsValidLocaleName$j=D
                                                            • API String ID: 1901932003-3128777819
                                                            • Opcode ID: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                                            • Instruction ID: d075984350fdfa8650c9f53b231b8a0b142c4dacf6ed37e79753978632a381d4
                                                            • Opcode Fuzzy Hash: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                                            • Instruction Fuzzy Hash: B7F0E930A45218F7EA116B61DC06F5EBB54CF49B11F50407AFD056A293CB796D0195DC
                                                            Function 00401D91 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: H_prolog
                                                            • String ID: T=G$T=G
                                                            • API String ID: 3519838083-3732185208
                                                            • Opcode ID: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
                                                            • Instruction ID: 37a3980bbf64332544f5ef03d086655580814226aad47650f393c0c18fea351b
                                                            • Opcode Fuzzy Hash: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
                                                            • Instruction Fuzzy Hash: BCF0E971A00220ABC714BB65C80669EB774EF41369F10827FB416B72E1CBBD5D04D65D
                                                            Function 0040AD56 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 32keyboardCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetKeyState.USER32(00000011), ref: 0040AD5B
                                                              • Part of subcall function 00409B10: GetForegroundWindow.USER32(?,?,004740F8), ref: 00409B3F
                                                              • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                              • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                              • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
                                                              • Part of subcall function 00409B10: GetKeyboardState.USER32(?,?,004740F8), ref: 00409B67
                                                              • Part of subcall function 00409B10: ToUnicodeEx.USER32(0047414C,00000000,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                              • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                              • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                            • String ID: [AltL]$[AltR]
                                                            • API String ID: 2738857842-2658077756
                                                            • Opcode ID: 0fd097a0a4b99d70b02a08e9004214b89ee8ccd3163f9cf7526c1a47b2b50f16
                                                            • Instruction ID: d2c0c429c9fe13b3c6c970781ecfc4970ab7400740a1dec538c1fc9fef0a0b20
                                                            • Opcode Fuzzy Hash: 0fd097a0a4b99d70b02a08e9004214b89ee8ccd3163f9cf7526c1a47b2b50f16
                                                            • Instruction Fuzzy Hash: 47E0652134072117C898323EA91E6EE3A228F82B65B80416FF8866BAD6DD6D4D5053CB
                                                            Function 00448803 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 28COMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • _free.LIBCMT ref: 00448825
                                                              • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                                              • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ErrorFreeHeapLast_free
                                                            • String ID: `@$`@
                                                            • API String ID: 1353095263-20545824
                                                            • Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                            • Instruction ID: 46705ffcfacdd7a720b29fb61e5cb4af2d59a6418439a2947ca99394172970e0
                                                            • Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                            • Instruction Fuzzy Hash: B9E06D761006059F8720DE6DD400A86B7E4EF95360320852AE89DE3310DB32E812CB40
                                                            Function 0040ADB0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 24keyboardCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • GetKeyState.USER32(00000012), ref: 0040ADB5
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: State
                                                            • String ID: [CtrlL]$[CtrlR]
                                                            • API String ID: 1649606143-2446555240
                                                            • Opcode ID: 8f256fbae12a6d1972e20e0d193ff0540306bf2bf736503aba8af0ee0077a29a
                                                            • Instruction ID: 615b7dbe40c0b8188db9493e0f2b19f017fb36a74fa458c508a435569d7d4a1e
                                                            • Opcode Fuzzy Hash: 8f256fbae12a6d1972e20e0d193ff0540306bf2bf736503aba8af0ee0077a29a
                                                            • Instruction Fuzzy Hash: 71E0862170071117C514353DD61A67F39228F41776F80013FF882ABAC6E96D8D6023CB
                                                            Function 0041297A Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 23registryCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040BFB2,00000000,HM{,004742F8,?,pth_unenc), ref: 00412988
                                                            • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412998
                                                            Strings
                                                            • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: DeleteOpenValue
                                                            • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                            • API String ID: 2654517830-1051519024
                                                            • Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                            • Instruction ID: 4813e9247c8a4fa7715124fbb4df20ddc3d96ddce1d5e270e7c0f337b45b5704
                                                            • Opcode Fuzzy Hash: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                            • Instruction Fuzzy Hash: 0AE01270310304BFEF104F61ED06FDB37ACBB80B89F004165F505E5191E2B5DD54A658
                                                            Function 0040AF77 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22fileCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040AF84
                                                            • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040AFAF
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: DeleteDirectoryFileRemove
                                                            • String ID: pth_unenc
                                                            • API String ID: 3325800564-4028850238
                                                            • Opcode ID: 2e8d6704218f96b318e7a73bad0b28a6b8edcd2455483e95ffe0dafda84626ef
                                                            • Instruction ID: b68931c7331ddc333ece9e06749e281aefc344294653c9eba2f2de372e339d66
                                                            • Opcode Fuzzy Hash: 2e8d6704218f96b318e7a73bad0b28a6b8edcd2455483e95ffe0dafda84626ef
                                                            • Instruction Fuzzy Hash: FEE046715112108BC610AB31EC44AEBB398AB05316F00487FF8D3A36A1DE38A988CA98
                                                            Function 00411699 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 13synchronizationCOMMON
                                                            Download Yara Rule
                                                            APIs
                                                            • TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                            • WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                            Strings
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ObjectProcessSingleTerminateWait
                                                            • String ID: pth_unenc
                                                            • API String ID: 1872346434-4028850238
                                                            • Opcode ID: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                                                            • Instruction ID: 4302d9c34f7b4dbdac7fc8682473a51625df35810590c52ad239c14707b44b4b
                                                            • Opcode Fuzzy Hash: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                                                            • Instruction Fuzzy Hash: C1D0C938559211AFD7614B68BC08B453B6AA745222F108277F828413F1C72598A4AE1C
                                                            Function 0043FA5E Relevance: 5.1, APIs: 4, Instructions: 139COMMONLIBRARYCODE
                                                            Download Yara Rule
                                                            APIs
                                                            • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FAF4
                                                            • GetLastError.KERNEL32 ref: 0043FB02
                                                            • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB5D
                                                            Memory Dump Source
                                                            • Source File: 00000000.00000002.4114946090.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                            • Associated: 00000000.00000002.4114933125.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114981311.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4114999682.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                            • Associated: 00000000.00000002.4115025574.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                            Joe Sandbox IDA Plugin
                                                            • Snapshot File: hcaresult_0_2_400000_1732748284fd56a2da13edf4ae4b865c44fa6834581d27eb2edbfe3fc50ef131cb95db.jbxd
                                                            Yara matches
                                                            Similarity
                                                            • API ID: ByteCharMultiWide$ErrorLast
                                                            • String ID:
                                                            • API String ID: 1717984340-0
                                                            • Opcode ID: a3a9a9c7793c2081db5377885f607edf127f94d6c053b0090e31d102b176707d
                                                            • Instruction ID: ecac45699e256c48587d6f27f66036641a8fb520bb473c9b2adecd150689d728
                                                            • Opcode Fuzzy Hash: a3a9a9c7793c2081db5377885f607edf127f94d6c053b0090e31d102b176707d
                                                            • Instruction Fuzzy Hash: 65414871E00206AFCF258F65C854ABBFBA4EF09310F1451BAF858973A1DB38AD09C759