Windows Analysis Report
173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe

Overview

General Information

Sample name: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe
Analysis ID: 1569883
MD5: 3150fd280a5ac05126b16f78e2f14146
SHA1: 80a9c99d50833aa770a6fc2a535723f723d70d7d
SHA256: f4630dcd34523d361a969a4e06633b9fc000849b34c55b59f72ae41aec0f182f
Tags: base64-decoded, exe, user-abuse_ch

Detection

Remcos
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Installs a global keyboard hook
Machine Learning detection for sample
Opens the same file many times (likely Sandbox evasion)
Uses dynamic DNS services
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
May sleep (evasive loops) to hinder dynamic analysis
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64

Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Extracted configuration:
{
  "Host:Port:Password": ["ahmedahmed.ddns.net:6426:1"],
  "Assigned name": "RemoteHost",
  "Connect interval": "1",
  "Install flag": "Disable",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Enable",
  "Install path": "Application path",
  "Copy file": "remcos.exe",
  "Startup value": "Disable",
  "Hide file": "Disable",
  "Mutex": "Rmc-SEVL3E",
  "Keylog flag": "1",
  "Keylog path": "Application path",
  "Keylog file": "logs.dat",
  "Keylog crypt": "Disable",
  "Hide keylog file": "Disable",
  "Screenshot flag": "Disable",
  "Screenshot time": "1",
  "Take Screenshot option": "Disable",
  "Take screenshot title": "",
  "Take screenshot time": "5",
  "Screenshot path": "AppData",
  "Screenshot file": "Screenshots",
  "Screenshot crypt": "Disable",
  "Mouse option": "Disable",
  "Delete file": "Disable",
  "Audio record time": "5",
  "Audio folder": "MicRecords",
  "Connect delay": "0",
  "Copy folder": "Remcos",
  "Keylog folder": "remcos"
}
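The extracted configuration above, turned into hunt-ready indicators. This is an added example, not code from the report, from Joe Security or from Remcos. CONFIG_JSON is an excerpt of the configuration printed by the report's extractor; the dynamic-DNS suffix list, the C:\ProgramData root used to rebuild the keylog path (the report saw the dropped file at C:\ProgramData\remcos\logs.dat), and the assumption that Run-key persistence only applies when "Install flag" is enabled are the example's own.

```python
r"""Turn an extracted Remcos configuration into hunt-ready indicators.

Added example, not part of the Joe Sandbox report and not Remcos or Joe
Security code. CONFIG_JSON is an excerpt of the configuration the report's
extractor printed for this sample. Assumptions of this example: the
dynamic-DNS suffix list, the C:\ProgramData root used to rebuild the keylog
path, and that Run-key persistence only applies when "Install flag" is on.
"""
import json

# Excerpt of the configuration shown in the report (keys copied verbatim).
CONFIG_JSON = r'''{
  "Host:Port:Password": ["ahmedahmed.ddns.net:6426:1"],
  "Assigned name": "RemoteHost",
  "Connect interval": "1",
  "Install flag": "Disable",
  "Setup HKCU\\Run": "Enable",
  "Setup HKLM\\Run": "Enable",
  "Copy file": "remcos.exe",
  "Copy folder": "Remcos",
  "Mutex": "Rmc-SEVL3E",
  "Keylog flag": "1",
  "Keylog folder": "remcos",
  "Keylog file": "logs.dat",
  "Keylog crypt": "Disable",
  "Screenshot flag": "Disable"
}'''

# Assumption of this example: suffixes treated as dynamic DNS. The C2 in this
# report is under ddns.net; the others are common free providers.
DYNAMIC_DNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".duckdns.org", ".hopto.org")


def enabled(value):
    """Remcos flags appear both as 'Enable'/'Disable' and as '1'/'0'."""
    return str(value).strip().lower() in ("enable", "1", "true")


def parse_c2_entry(entry):
    """Split one 'host:port:password' entry.

    Split from the right: the host part may itself contain ':' (a bracketed
    IPv6 literal), the port and password never do. Port must be a TCP port.
    """
    host, port, password = entry.rsplit(":", 2)
    if not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError("bad port in C2 entry: %r" % entry)
    return {
        "host": host,
        "port": int(port),
        "password": password,
        "dynamic_dns": host.lower().endswith(DYNAMIC_DNS_SUFFIXES),
    }


def extract_iocs(config_json, programdata=r"C:\ProgramData"):
    """Return C2, mutex, expected Run keys and keylog location as a dict."""
    cfg = json.loads(config_json)
    iocs = {
        "c2": [parse_c2_entry(e) for e in cfg.get("Host:Port:Password", [])],
        "mutex": cfg.get("Mutex"),
        "run_keys": [],
        "keylog_path": None,
        "keylog_encrypted": None,
    }
    # Persistence (assumption): Run keys are only written when the install
    # routine runs. Here "Install flag" is Disable, so none are expected even
    # though both Setup */Run switches are Enable.
    if enabled(cfg.get("Install flag")):
        for hive in ("HKCU", "HKLM"):
            if enabled(cfg.get("Setup %s\\Run" % hive)):
                iocs["run_keys"].append(
                    hive + r"\Software\Microsoft\Windows\CurrentVersion\Run")
    # Keylog: <folder>\<file>, rooted at ProgramData (assumption matching the
    # dropped-file path in this report). "Keylog crypt" Disable means the
    # log is plaintext and can be read straight off disk during IR.
    if enabled(cfg.get("Keylog flag")):
        iocs["keylog_path"] = "\\".join(
            [programdata, cfg["Keylog folder"], cfg["Keylog file"]])
        iocs["keylog_encrypted"] = enabled(cfg.get("Keylog crypt"))
    return iocs


if __name__ == "__main__":
    print(json.dumps(extract_iocs(CONFIG_JSON), indent=2))
```

The port/password split is the part worth getting right: Remcos packs several C2 endpoints into the same list, each as a colon-joined triple, so a naive split on ':' breaks as soon as a host contains one.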
Yara matches: submitted sample
Source | Rule | Description | Author
173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6aaf8:$a1: Remcos restarted by watchdog!
  • 0x6b070:$a3: %02i:%02i:%02i:%03i
173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | REMCOS_RAT_variants | unknown | unknown (the rule metadata in System Summary names Adam M. Swanda)
  • 0x64d94:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64e04:$str_b2: Executing file:
  • 0x65c3c:$str_b3: GetDirectListeningPort
  • 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65780:$str_b7: \update.vbs
  • 0x64e2c:$str_b9: Downloaded file:
  • 0x64e18:$str_b10: Downloading file:
  • 0x64ebc:$str_b12: Failed to upload file:
  • 0x65c04:$str_b13: StartForward
  • 0x65c24:$str_b14: StopForward
  • 0x656d8:$str_b15: fso.DeleteFile "
  • 0x6566c:$str_b16: On Error Resume Next
  • 0x65708:$str_b17: fso.DeleteFolder "
  • 0x64eac:$str_b18: Uploaded file:
  • 0x64e6c:$str_b19: Unable to delete:
  • 0x656a0:$str_b20: while fso.FileExists("
  • 0x65349:$str_c0: [Firefox StoredLogins not found]
Collapsed in this export: 1 entry

Yara matches: dropped files
Source | Rule | Description | Author
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security

Yara matches: process memory dumps
Source | Rule | Description | Author
00000000.00000002.3883361373.00000000022FF000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000000.1422543565.0000000000457000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000000.00000000.1422543565.0000000000457000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000000.1422543565.0000000000457000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000000.00000000.1422543565.0000000000457000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x146f8:$a1: Remcos restarted by watchdog!
  • 0x14c70:$a3: %02i:%02i:%02i:%03i
Collapsed in this export: 9 entries

Yara matches: unpacked PEs
Source | Rule | Description | Author
0.2.173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
0.2.173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0.2.173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0.0.173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
0.0.173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
Collapsed in this export: 7 entries

                            Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe, ProcessId: 7440, TargetFilename: C:\ProgramData\remcos\logs.dat
No Suricata rule has matched

                            AV Detection

Source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Avira: detected
Source: ahmedahmed.ddns.net | Avira URL Cloud: Label: malware
Source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["ahmedahmed.ddns.net:6426:1"], "Assigned name": "RemoteHost", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-SEVL3E", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | ReversingLabs: Detection: 71%
Source: Yara match | File source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3883361373.00000000022FF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1422543565.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3883160443.000000000086E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe PID: 7440, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted sample | Integrated Neural Analysis Model: Matched 97.2% probability
Source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_0043293A CryptAcquireContextA, CryptGenRandom, CryptReleaseContext
Source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe, 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----

                            Exploits

Source: Yara match | File source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1422543565.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe PID: 7440, type: MEMORYSTR

                            Privilege Escalation

Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_00406764 _wcslen, CoGetObject (CoGetObject with an elevation moniker is the call the CMSTPLUA UAC-bypass signatures above refer to)
Source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_0040B335 FindFirstFileA, FindClose, DeleteFileA, GetLastError, DeleteFileA, GetLastError, FindNextFileA, FindClose
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_0041B42F FindFirstFileW, FindNextFileW, RemoveDirectoryW, SetFileAttributesW, DeleteFileW, FindClose, RemoveDirectoryW, GetLastError, FindClose
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_0040B53A FindFirstFileA, FindClose, DeleteFileA, GetLastError, FindNextFileA, FindClose, FindClose
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_0044D5E9 FindFirstFileExA
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_004089A9 __EH_prolog, FindFirstFileW, FindNextFileW, FindClose, FindClose, __CxxThrowException@8
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_00406AC2 FindFirstFileW, FindNextFileW
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_00407A8C __EH_prolog, FindFirstFileW, FindNextFileW, FindClose, __CxxThrowException@8
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_00418C69 FindFirstFileW, FindNextFileW, FindNextFileW
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_00408DA7 __EH_prolog, FindFirstFileW, FindNextFileW, FindClose
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_00406F06 SetEvent, GetFileAttributesW, DeleteFileW, ShellExecuteW, GetLogicalDriveStringsA, SetFileAttributesW, DeleteFileA, Sleep, StrToIntA, CreateDirectoryW

                            Networking

Source: Malware configuration extractor | URLs: ahmedahmed.ddns.net
Source: unknown | DNS query: name: ahmedahmed.ddns.net
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_004260F7 recv
Source: global traffic | DNS traffic detected: DNS query: ahmedahmed.ddns.net
Source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | String found in binary or memory: http://geoplugin.net/json.gp
Source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | String found in binary or memory: http://geoplugin.net/json.gp/C
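A triage pass over Sysmon-shaped events for three behaviours this report records: the embedded "reg.exe ADD ... /v EnableLUA" command line (the REMCOS_RAT_variants $str_a3/$str_a4 strings), the keylog drop at C:\ProgramData\remcos\logs.dat (the Sigma file-created hit, EventID 11), and the C2 lookup of a dynamic-DNS host. This is an added example, not part of the report and not Joe Security or Sigma tooling. EVENTS is a constructed event list whose field names follow Sysmon's EventID 1/11/22 schema; the dynamic-DNS suffix list is an assumption of the example.

```python
r"""Triage rules for the Remcos behaviours recorded in this report.

Added example, not part of the Joe Sandbox report and not Remcos code.
EVENTS is a constructed, Sysmon-shaped event list (EventID 1 process
creation, 11 file creation, 22 DNS query) modelled on three observations in
the report: the Sigma hit on C:\ProgramData\remcos\logs.dat, the embedded
"reg.exe ADD ... /v EnableLUA" command line, and the DNS query for
ahmedahmed.ddns.net. Field names follow Sysmon's; the events are invented.
"""
import re

EVENTS = [
    # UAC tampering: reg.exe writing EnableLUA=0 under Policies\System.
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"
                    r"\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f"},
    # Keylog file drop matching the Sigma event in this report.
    {"EventID": 11, "Image": r"C:\Users\user\Desktop\sample.exe",
     "TargetFilename": r"C:\ProgramData\remcos\logs.dat"},
    # C2 resolution via a dynamic-DNS host.
    {"EventID": 22, "Image": r"C:\Users\user\Desktop\sample.exe",
     "QueryName": "ahmedahmed.ddns.net"},
    # Benign: reading EnableLUA is not the same as disabling it.
    {"EventID": 1, "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r"reg.exe QUERY HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion"
                    r"\Policies\System /v EnableLUA"},
    # Benign: ordinary browsing.
    {"EventID": 22, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "QueryName": "www.example.org"},
]

# Assumption of this example: suffixes treated as dynamic DNS. Remcos' config
# in this report uses ddns.net; the others are common free providers.
DYNAMIC_DNS_SUFFIXES = (".ddns.net", ".no-ip.org", ".duckdns.org", ".hopto.org")

# An ADD of EnableLUA under ...\Policies\System with a zero value, whatever
# the hive prefix, case-insensitive, with optional 0x notation.
ENABLE_LUA_OFF = re.compile(
    r"\bADD\b.*Policies\\System\b.*\bEnableLUA\b.*/d\s+(0x)?0+\b", re.I)


def rule_enablelua_disabled(ev):
    """reg.exe turning UAC prompts off (the command embedded in the sample)."""
    return (ev.get("EventID") == 1
            and ev.get("Image", "").lower().endswith("\\reg.exe")
            and ENABLE_LUA_OFF.search(ev.get("CommandLine", "")) is not None)


def rule_remcos_keylog_file(ev):
    """logs.dat created directly under a ProgramData subfolder.

    The report saw C:\ProgramData\remcos\logs.dat; the folder name is operator
    configurable, so match any single directory level rather than 'remcos'.
    """
    target = ev.get("TargetFilename", "").lower()
    return (ev.get("EventID") == 11
            and re.fullmatch(r"c:\\programdata\\[^\\]+\\logs\.dat", target) is not None)


def rule_dynamic_dns_query(ev):
    """DNS lookups of dynamic-DNS hosts; noisy alone, strong with the others."""
    return (ev.get("EventID") == 22
            and ev.get("QueryName", "").lower().endswith(DYNAMIC_DNS_SUFFIXES))


RULES = {
    "enablelua_disabled": rule_enablelua_disabled,
    "remcos_keylog_file": rule_remcos_keylog_file,
    "dynamic_dns_query": rule_dynamic_dns_query,
}


def triage(events):
    """Return (rule_name, event_index) for every rule that fires, in order."""
    hits = []
    for idx, ev in enumerate(events):
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, idx))
    return hits


if __name__ == "__main__":
    for name, idx in triage(EVENTS):
        print("%-20s event[%d] %s" % (name, idx, EVENTS[idx].get("Image")))
```

The dynamic-DNS rule is deliberately broad and would be used as a correlation input rather than an alert on its own; the EnableLUA rule is the one that should page, since there is no routine administrative reason for a user-context process to set that value to 0.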

                            Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_004099E4 SetWindowsHookExA 0000000D, 004099D0, 00000000 (idHook 0x0D = WH_KEYBOARD_LL, a global low-level keyboard hook)
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_004159C6 OpenClipboard, EmptyClipboard, GlobalAlloc, GlobalLock, GlobalUnlock, SetClipboardData, CloseClipboard, OpenClipboard, GetClipboardData, GlobalLock, GlobalUnlock, CloseClipboard (clipboard read and write; this one function backs the three clipboard signatures listed above)
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_00409B10 GetForegroundWindow, GetWindowThreadProcessId, GetKeyboardLayout, GetKeyState, GetKeyboardState, ToUnicodeEx, ToUnicodeEx, ToUnicodeEx, ToUnicodeEx
Source: Yara match | File source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.1422543565.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe PID: 7440, type: MEMORYSTR

                            E-Banking Fraud

Source: Yara match | File source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3883361373.00000000022FF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1422543565.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3883160443.000000000086E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe PID: 7440, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

                            Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_0041BB77 SystemParametersInfoW

                            System Summary

Source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe, type: SAMPLE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 0.2.173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 0.0.173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 0.2.173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 0.2.173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 0.0.173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 0.0.173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 00000000.00000000.1422543565.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: Process Memory Space: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe PID: 7440, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_0041ACC1 OpenProcess, NtSuspendProcess, CloseHandle
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_0041ACED OpenProcess, NtResumeProcess, CloseHandle
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_004158B9 ExitWindowsEx, LoadLibraryA, GetProcAddress
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code functions: 0_2_0041D071, 0_2_004520D2, 0_2_0043D098, 0_2_00437150, 0_2_004361AA, 0_2_00426254, 0_2_00431377, 0_2_0043651C, 0_2_0041E5DF, 0_2_0044C739, 0_2_004367C6, 0_2_004267CB, 0_2_0043C9DD, 0_2_00432A49, 0_2_00436A8D, 0_2_0043CC0C, 0_2_00436D48, 0_2_00434D22, 0_2_00426E73, 0_2_00440E20, 0_2_0043CE3B, 0_2_00412F45, 0_2_00452F00, 0_2_00426FAD
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: String function: 00401F66 appears 50 times
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: String function: 004020E7 appears 40 times
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: String function: 004338A5 appears 42 times
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: String function: 00433FB0 appears 55 times
Source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 | reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants | Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                            Source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                            Source: 0.2.173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: 0.0.173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: 0.2.173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                            Source: 0.2.173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                            Source: 0.0.173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                            Source: 0.0.173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                            Source: 00000000.00000000.1422543565.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: Process Memory Space: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe PID: 7440, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                            Source: classification engineClassification label: mal100.rans.troj.spyw.expl.evad.winEXE@1/1@1/0
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCode function: 0_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,0_2_00416AB7
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCode function: 0_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,0_2_0040E219
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCode function: 0_2_0041A63F FindResourceA,LoadResource,LockResource,SizeofResource,0_2_0041A63F
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCode function: 0_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_00419BC4
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-SEVL3E
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: Software\0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: Rmc-SEVL3E0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: Exe0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: Exe0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: Rmc-SEVL3E0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: 0DG0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: Inj0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: Inj0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: BG0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: BG0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: BG0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: @CG0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: BG0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: exepath0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: @CG0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: exepath0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: BG0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: licence0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: `=G0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: dCG0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: Administrator0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: User0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: del0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: del0_2_0040D767
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCommand line argument: del0_2_0040D767
                            Source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                            Source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeReversingLabs: Detection: 71%
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe Section loaded: apphelp.dll
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe Section loaded: winmm.dll
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe Section loaded: urlmon.dll
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe Section loaded: wininet.dll
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe Section loaded: iertutil.dll
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe Section loaded: srvcli.dll
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe Section loaded: netutils.dll
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe Section loaded: iphlpapi.dll
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe Section loaded: sspicli.dll
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe Section loaded: mswsock.dll
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe Section loaded: dnsapi.dll
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe Section loaded: rasadhlp.dll
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe Section loaded: fwpuclnt.dll
                            Source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                            Source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                            Source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                            Source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                            Source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                            Source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                            Source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                            Source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                            Source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                            Source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                            Source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                            Source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCode function: 0_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041BCE3
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCode function: 0_2_004567E0 push eax; ret 0_2_004567FE
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCode function: 0_2_00455EAF push ecx; ret 0_2_00455EC2
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCode function: 0_2_00433FF6 push ecx; ret 0_2_00434009
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCode function: 0_2_00406128 ShellExecuteW,URLDownloadToFileW,0_2_00406128
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCode function: 0_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_00419BC4
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCode function: 0_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041BCE3
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe Process information set: NOOPENFILEERRORBOX

                            Malware Analysis System Evasion

                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCode function: 0_2_0040E54F Sleep,ExitProcess,0_2_0040E54F
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe File opened: \Device\RasAcd count: 82015
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCode function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,0_2_004198C2
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe Window / User API: threadDelayed 851
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe Window / User API: threadDelayed 5435
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe Window / User API: foregroundWindowGot 1691
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeAPI coverage: 9.1 %
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe TID: 7464 Thread sleep count: 112 > 30
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe TID: 7464 Thread sleep time: -56000s >= -30000s
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe TID: 7468 Thread sleep count: 851 > 30
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe TID: 7468 Thread sleep time: -2553000s >= -30000s
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe TID: 7444 Thread sleep count: 173 > 30
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe TID: 7444 Thread sleep time: -173000s >= -30000s
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe TID: 7468 Thread sleep count: 5435 > 30
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe TID: 7468 Thread sleep time: -16305000s >= -30000s
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCode function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040B335
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCode function: 0_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,0_2_0041B42F
                            Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exeCode function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040B53A
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_0044D5E9 FindFirstFileExA
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_00406AC2 FindFirstFileW,FindNextFileW
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW
Source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe, 00000000.00000002.3883160443.000000000086E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | API call chain: ExitProcess graph end node (graph_0-47546)
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress (imports resolved at run time rather than through the import table)
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_00442554 mov eax, dword ptr fs:[00000030h] (TEB->PEB pointer; the usual prelude to reading PEB.BeingDebugged or walking the loader module lists)
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_0044E92E GetProcessHeap
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_00433CD7 SetUnhandledExceptionFilter
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_00410F36 GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_00418754 mouse_event
Source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe, 00000000.00000002.3883160443.000000000086E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe, 00000000.00000002.3883160443.00000000008C0000.00000004.00000020.00020000.00000000.sdmp, 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe, 00000000.00000002.3883160443.000000000086E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manageret
Source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe, 00000000.00000002.3883160443.000000000086E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager3E\
Source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe, 00000000.00000002.3883160443.000000000086E000.00000004.00000020.00020000.00000000.sdmp, logs.dat.0.dr | Binary or memory string: [Program Manager]
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_00433E0A cpuid
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_004470AE EnumSystemLocalesW
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_004510BA GetLocaleInfoW
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_004511E3 GetLocaleInfoW,GetLocaleInfoW,GetACP
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_004512EA GetLocaleInfoW
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_004513B7 GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_00447597 GetLocaleInfoW
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_0040E679 GetLocaleInfoA
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_00450A7F IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_00450CF7 EnumSystemLocalesW
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_00450D42 EnumSystemLocalesW
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_00450DDD EnumSystemLocalesW
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_00450E6A GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_00434010 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_0041A7A2 GetComputerNameExW,GetUserNameW
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_0044800F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free

                            Stealing of Sensitive Information

Source: Yara match | File source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3883361373.00000000022FF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1422543565.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3883160443.000000000086E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe PID: 7440, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_0040B21B, string: \AppData\Local\Google\Chrome\User Data\Default\Login Data (Chrome's saved-password SQLite database)
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_0040B335, string: \AppData\Roaming\Mozilla\Firefox\Profiles\
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_0040B335, string: \key3.db (the legacy Firefox NSS key database; current Firefox profiles store the master key in key4.db, so this routine only covers old profiles)

                            Remote Access Functionality

Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-SEVL3E
Source: Yara match | File source: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.3883361373.00000000022FF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.1422543565.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.3883160443.000000000086E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe PID: 7440, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | Code function: 0_2_00405042, string: cmd.exe

MITRE ATT&CK Matrix

Techniques with matching signatures, by tactic. The number in parentheses is the signature-count marker as printed in the report's matrix; unmatched filler cells of the standard matrix are omitted.

Reconnaissance: none
Resource Development: none
Initial Access: none
Execution: Native API (1), Command and Scripting Interpreter (12), Service Execution (2)
Persistence: DLL Side-Loading (1), Windows Service (1)
Privilege Escalation: DLL Side-Loading (1), Bypass User Account Control (1), Access Token Manipulation (1), Windows Service (1), Process Injection (11)
Defense Evasion: Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), DLL Side-Loading (1), Bypass User Account Control (1), Virtualization/Sandbox Evasion (11), Access Token Manipulation (1), Process Injection (11)
Credential Access: OS Credential Dumping (1), Input Capture (211), Credentials In Files (2)
Discovery: System Time Discovery (2), Account Discovery (1), System Service Discovery (1), File and Directory Discovery (2), System Information Discovery (22), Security Software Discovery (21), Virtualization/Sandbox Evasion (11), Process Discovery (2), Application Window Discovery (1), System Owner/User Discovery (1)
Lateral Movement: none
Collection: Archive Collected Data (11), Input Capture (211), Clipboard Data (3)
Command and Control: Ingress Tool Transfer (11), Encrypted Channel (2), Remote Access Software (1), Non-Application Layer Protocol (1), Application Layer Protocol (21)
Exfiltration: none
Impact: System Shutdown/Reboot (1), Defacement (1)

Antivirus detection (sample)

Source | Detection | Scanner | Label
173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | 71% | ReversingLabs | Win32.Backdoor.Remcos
173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | 100% | Avira | BDS/Backdoor.Gen
173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | 100% | Joe Sandbox ML |
                            No Antivirus matches
                            No Antivirus matches
                            No Antivirus matches
Antivirus detection (domains/URLs)

Source | Detection | Scanner | Label
ahmedahmed.ddns.net | 100% | Avira URL Cloud | malware

Contacted domains

Name | IP | Active | Malicious | Antivirus Detection | Reputation
ahmedahmed.ddns.net | 0.0.0.0 | true | true | | unknown
fp2e7a.wpc.phicdn.net | 192.229.221.95 | true | false | | high

Domains from memory and binaries

Name | Malicious | Antivirus Detection | Reputation
ahmedahmed.ddns.net | true | Avira URL Cloud: malware | unknown

URLs from memory and binaries

Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | false | | high
http://geoplugin.net/json.gp/C | 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe | false | | high
                                    No contacted IP infos
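The network indicators above are the ones worth pushing to proxy and DNS logs: the C2 hostname on a dynamic-DNS provider (it resolved to 0.0.0.0 during this run, which is why no contacted IP and no C2 session were recorded; the context table further down shows an earlier Remcos sample resolving the same name to 160.25.73.25) and the geoplugin.net/json.gp request Remcos issues to geolocate the victim. The following Python routine is an added example, not part of the Joe Sandbox report: it tags URLs from a constructed proxy log against those indicators and raises a per-client verdict. The dynamic-DNS suffix list is an assumption for the example; the report itself only documents ddns.net.

```python
from urllib.parse import urlparse

# Indicators from this report: the C2 hostname (resolved to 0.0.0.0 in this run;
# an earlier sample in the report's context table saw 160.25.73.25) and the
# geoplugin.net host the sample requests json.gp from.
KNOWN_C2_HOSTS = {"ahmedahmed.ddns.net"}
GEOIP_HOSTS = {"geoplugin.net"}
# Assumption for the example: common dynamic-DNS suffixes. The report only
# states that the sample uses dynamic DNS via ddns.net.
DYNDNS_SUFFIXES = (".ddns.net", ".no-ip.com", ".duckdns.org", ".hopto.org")

# Constructed proxy log, one request per line: "<client> <url> <http-status>".
# Not taken from the report.
SAMPLE_PROXY_LOG = """\
WS01 http://geoplugin.net/json.gp 200
WS01 http://ahmedahmed.ddns.net/ 000
WS02 https://fp2e7a.wpc.phicdn.net/ 200
WS03 http://geoplugin.net/json.gp 200
"""


def classify_url(url: str) -> list[str]:
    """Tag a single URL with the indicator classes it matches."""
    host = (urlparse(url).hostname or "").lower()
    tags = []
    if host in KNOWN_C2_HOSTS:
        tags.append("known-c2")
    if host.endswith(DYNDNS_SUFFIXES):
        tags.append("dynamic-dns")
    if host in GEOIP_HOSTS:
        tags.append("geoip-lookup")
    return tags


def triage(proxy_log: str) -> dict[str, str]:
    """Verdict per client host.

    'remcos-like': talked to the known C2, or combined a geoplugin lookup with a
    dynamic-DNS destination (the start-up pattern this report documents).
    'review': matched a single weak indicator only.
    Clients with no matching requests are omitted.
    """
    tags_by_client: dict[str, set[str]] = {}
    for line in proxy_log.splitlines():
        if not line.strip():
            continue
        client, url, _status = line.split()
        tags = classify_url(url)
        if tags:
            tags_by_client.setdefault(client, set()).update(tags)

    verdicts = {}
    for client, tags in tags_by_client.items():
        strong = "known-c2" in tags or {"geoip-lookup", "dynamic-dns"} <= tags
        verdicts[client] = "remcos-like" if strong else "review"
    return verdicts


if __name__ == "__main__":
    for client, verdict in sorted(triage(SAMPLE_PROXY_LOG).items()):
        print(f"{client}: {verdict}")
```

A geoplugin lookup on its own is weak (legitimate software uses the same service), so it only escalates when paired with a dynamic-DNS destination; the known C2 name is enough by itself.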
                                    Joe Sandbox version:41.0.0 Charoite
                                    Analysis ID:1569883
                                    Start date and time:2024-12-06 11:09:59 +01:00
                                    Joe Sandbox product:CloudBasic
                                    Overall analysis duration:0h 6m 56s
                                    Hypervisor based Inspection enabled:false
                                    Report type:full
                                    Cookbook file name:default.jbs
                                    Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                    Number of analysed new started processes analysed:6
                                    Number of new started drivers analysed:0
                                    Number of existing processes analysed:0
                                    Number of existing drivers analysed:0
                                    Number of injected processes analysed:0
                                    Technologies:
                                    • HCA enabled
                                    • EGA enabled
                                    • AMSI enabled
                                    Analysis Mode:default
                                    Analysis stop reason:Timeout
                                    Sample name:173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe
                                    Detection:MAL
                                    Classification:mal100.rans.troj.spyw.expl.evad.winEXE@1/1@1/0
                                    EGA Information:
                                    • Successful, ratio: 100%
                                    HCA Information:
                                    • Successful, ratio: 100%
                                    • Number of executed functions: 26
                                    • Number of non-executed functions: 207
                                    Cookbook Comments:
                                    • Found application associated with file extension: .exe
                                    • Override analysis time to 240000 for current running targets taking high CPU consumption
                                    • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                    • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                    • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ocsp.edge.digicert.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                    • Not all processes where analyzed, report is missing behavior information
                                    • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                    • VT rate limit hit for: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe
Time | Type | Description
05:11:27 | API Interceptor | 2228569x Sleep call for process: 173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe modified
                                    No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ahmedahmed.ddns.net | nr101612_Order.wsf | malicious | Remcos | 0.0.0.0
ahmedahmed.ddns.net | 1099833039444.pdf.js | malicious | Remcos | 160.25.73.25
fp2e7a.wpc.phicdn.net | Simple2.exe | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | Fiyat Teklifi_2038900001-MOKAPTO-06122024.exe | malicious | Snake Keylogger, VIP Keylogger | 192.229.221.95
fp2e7a.wpc.phicdn.net | 16547.js | malicious | MassLogger RAT | 192.229.221.95
fp2e7a.wpc.phicdn.net | file.exe | malicious | Amadey, Stealc, Vidar | 192.229.221.95
fp2e7a.wpc.phicdn.net | file.exe | malicious | Stealc | 192.229.221.95
fp2e7a.wpc.phicdn.net | file.exe | malicious | LummaC Stealer | 192.229.221.95
fp2e7a.wpc.phicdn.net | XE5p2qNoWt.exe | malicious | Lokibot, PureLog Stealer, zgRAT | 192.229.221.95
fp2e7a.wpc.phicdn.net | https://ness.wiktripfitness.com/ghjki9l-8765t4/3/er4t5y6u7jyhtgrfefrgthyjuyhtgdsarfedwsqa | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | izCOFC8OWh.exe | malicious | Unknown | 192.229.221.95
fp2e7a.wpc.phicdn.net | TPDKSYfEac.exe | malicious | FormBook, GuLoader | 192.229.221.95
                                    No context
                                    No context
                                    No context
                                    Process:C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe
                                    File Type:data
                                    Category:dropped
                                    Size (bytes):144
                                    Entropy (8bit):3.3603882199736725
                                    Encrypted:false
                                    SSDEEP:3:rhlKlyKxleUlVfab5JWRal2Jl+7R0DAlBG45klovDl6v:6lZCUnab5YcIeeDAlOWAv
                                    MD5:727942241884A4F032F563B1A18042ED
                                    SHA1:89D9E8D76A6F552150F960E3566D5ED62D61CC23
                                    SHA-256:8B40D3731ED6CC64F80C1CE86D80E1661138EAACA071DE738BF1BBEF60C3D949
                                    SHA-512:5A822B2B70FB5493CA80ACF63F7F1D7727DC9D491F106E175862E9F7C8775F6B64613717FC98B6F1D4F7462D33B3590D275F963930D4BDED54EFDA95119F1D5A
                                    Malicious:true
                                    Yara Hits:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
                                    Reputation:low
Preview (UTF-16LE text, non-printable bytes rendered as dots; it decodes to "[2024/12/06 05:10:55 Offline Keylogger Started]" followed by "[Program Manager]", the title of the desktop window that had focus):....[.2.0.2.4./.1.2./.0.6. .0.5.:.1.0.:.5.5. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
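The dropped logs.dat is the Remcos offline keylogger output, and the preview shows its layout: UTF-16LE text with a BOM, a bracketed timestamped status line when logging starts, and a bracketed window title each time the foreground window changes (here [Program Manager], the desktop, which is also why that string appears in the process memory dumps above). The parser below is an added example, not code from the report or from the malware; it reconstructs the sample bytes from the preview (constructed, not the actual dropped file) and splits the log into status events, window markers and remaining keystroke text so the file can be triaged or timelined.

```python
import re
from datetime import datetime

# Stand-in for C:\ProgramData\remcos\logs.dat, rebuilt from the report's preview:
# UTF-16LE with BOM, CRLF line ends. Constructed for the example, not the real file.
SAMPLE_LOGS_DAT = b"\xff\xfe" + (
    "[2024/12/06 05:10:55 Offline Keylogger Started]\r\n\r\n"
    "[Program Manager]\r\n"
).encode("utf-16-le")

# "[YYYY/MM/DD HH:MM:SS message]" status lines written by the keylogger itself
STATUS_RE = re.compile(r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (.+)\]$")
# "[Window title]" markers written when the foreground window changes
WINDOW_RE = re.compile(r"^\[(.+)\]$")


def parse_remcos_log(data: bytes) -> dict:
    """Split a Remcos offline-keylogger log into status events
    (datetime, message), window-title markers and leftover keystroke lines."""
    if data.startswith(b"\xff\xfe"):
        data = data[2:]
    text = data.decode("utf-16-le", errors="replace")
    result = {"events": [], "windows": [], "keys": []}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = STATUS_RE.match(line)
        if m:
            when = datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S")
            result["events"].append((when, m.group(2)))
            continue
        m = WINDOW_RE.match(line)
        if m:
            result["windows"].append(m.group(1))
            continue
        # anything else is captured keystroke text under the last window marker
        result["keys"].append(line)
    return result


def looks_like_remcos_log(data: bytes) -> bool:
    """Cheap content check for a dropped-file triage pass."""
    return any("Keylogger Started" in msg for _, msg in parse_remcos_log(data)["events"])


if __name__ == "__main__":
    parsed = parse_remcos_log(SAMPLE_LOGS_DAT)
    for when, msg in parsed["events"]:
        print(when.isoformat(), msg)
    print("windows seen:", parsed["windows"])
```

The timestamps are written in the victim's local time, so correlate them with the host's time zone (the sample reads it via GetTimeZoneInformation) before placing events on an incident timeline.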
                                    File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                    Entropy (8bit):6.586516640347461
                                    TrID:
                                    • Win32 Executable (generic) a (10002005/4) 99.96%
                                    • Generic Win/DOS Executable (2004/3) 0.02%
                                    • DOS Executable Generic (2002/1) 0.02%
                                    • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                    File name:173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe
                                    File size:493'056 bytes
                                    MD5:3150fd280a5ac05126b16f78e2f14146
                                    SHA1:80a9c99d50833aa770a6fc2a535723f723d70d7d
                                    SHA256:f4630dcd34523d361a969a4e06633b9fc000849b34c55b59f72ae41aec0f182f
                                    SHA512:3207e9b3c5b39745b99efa4109c96b193ab70e0abbee6b2fc2a323781a72fea3ce7d73395c57d0bf7262b58ffc2cd461f58da0574d866c312ed0418ecb5f8c8d
                                    SSDEEP:12288:7uD09AUkNIGBYYv4eK13x13nZHSRVMf139F5wIB7+IwtHwBtVxbesvZDS/+DY:+09AfNIEYsunZvZ19Zgs
                                    TLSH:0BA4BF01B6D2C072D57625300D26E775DEBDBD212835897BB3DA1D67FE30180E63AAB2
                                    File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)...H...H...H....(..H....*..H....+..H...0]..H..&....H... ...H... ...H... ...H...0J..H...H...I...!...H...!&..H...!...H..Rich.H.
                                    Icon Hash:95694d05214c1b33
                                    Entrypoint:0x433b3a
                                    Entrypoint Section:.text
                                    Digitally signed:false
                                    Imagebase:0x400000
                                    Subsystem:windows gui
                                    Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                                    DLL Characteristics:TERMINAL_SERVER_AWARE
                                    Time Stamp:0x6724916B [Fri Nov 1 08:29:31 2024 UTC]
                                    TLS Callbacks:
                                    CLR (.Net) Version:
                                    OS Version Major:5
                                    OS Version Minor:1
                                    File Version Major:5
                                    File Version Minor:1
                                    Subsystem Version Major:5
                                    Subsystem Version Minor:1
                                    Import Hash:e77512f955eaf60ccff45e02d69234de
Instruction (entrypoint stub: the opening call/jmp pair is the CRT security-cookie initialisation followed by the jump to the CRT startup routine; the function that follows in the listing matches the MSVC CRT's GS security-failure reporting routine rather than malware logic: IsProcessorFeaturePresent(17h = PF_FASTFAIL_AVAILABLE) and int 29h for __fastfail, then a zeroed 2CCh-byte x86 CONTEXT with ContextFlags 10001h and a 50h-byte EXCEPTION_RECORD. This is also where the IsDebuggerPresent hit at 0_2_00433B44 comes from.)
                                    call 00007FC44CE41103h
                                    jmp 00007FC44CE40A5Fh
                                    push ebp
                                    mov ebp, esp
                                    sub esp, 00000324h
                                    push ebx
                                    push 00000017h
                                    call 00007FC44CE62F39h
                                    test eax, eax
                                    je 00007FC44CE40BE7h
                                    mov ecx, dword ptr [ebp+08h]
                                    int 29h
                                    push 00000003h
                                    call 00007FC44CE40DA4h
                                    mov dword ptr [esp], 000002CCh
                                    lea eax, dword ptr [ebp-00000324h]
                                    push 00000000h
                                    push eax
                                    call 00007FC44CE430BBh
                                    add esp, 0Ch
                                    mov dword ptr [ebp-00000274h], eax
                                    mov dword ptr [ebp-00000278h], ecx
                                    mov dword ptr [ebp-0000027Ch], edx
                                    mov dword ptr [ebp-00000280h], ebx
                                    mov dword ptr [ebp-00000284h], esi
                                    mov dword ptr [ebp-00000288h], edi
                                    mov word ptr [ebp-0000025Ch], ss
                                    mov word ptr [ebp-00000268h], cs
                                    mov word ptr [ebp-0000028Ch], ds
                                    mov word ptr [ebp-00000290h], es
                                    mov word ptr [ebp-00000294h], fs
                                    mov word ptr [ebp-00000298h], gs
                                    pushfd
                                    pop dword ptr [ebp-00000264h]
                                    mov eax, dword ptr [ebp+04h]
                                    mov dword ptr [ebp-0000026Ch], eax
                                    lea eax, dword ptr [ebp+04h]
                                    mov dword ptr [ebp-00000260h], eax
                                    mov dword ptr [ebp-00000324h], 00010001h
                                    mov eax, dword ptr [eax-04h]
                                    push 00000050h
                                    mov dword ptr [ebp-00000270h], eax
                                    lea eax, dword ptr [ebp-58h]
                                    push 00000000h
                                    push eax
                                    call 00007FC44CE43031h
                                    Programming Language:
                                    • [C++] VS2008 SP1 build 30729
                                    • [IMP] VS2008 SP1 build 30729
                                     Name | Virtual Address | Virtual Size | Is in Section
                                     IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
                                     IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6e020 | 0x104 | .rdata
                                     IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x76000 | 0x4b5c | .rsrc
                                     IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                                     IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
                                     IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7b000 | 0x3b80 | .reloc
                                     IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6c510 | 0x38 | .rdata
                                     IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                                     IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                                     IMAGE_DIRECTORY_ENTRY_TLS | 0x6c5e8 | 0x18 | .rdata
                                     IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6c548 | 0x40 | .rdata
                                     IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                                     IMAGE_DIRECTORY_ENTRY_IAT | 0x57000 | 0x4f4 | .rdata
                                     IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
                                     IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | -
                                     IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
                                     Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                                     .text | 0x1000 | 0x55f1d | 0x56000 | 30cda225e02a0d4dab478a6c7c094860 | False | 0.5738610555959303 | data | 6.62127843313247 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                                     .rdata | 0x57000 | 0x18b00 | 0x18c00 | 9800e1a5325bb58aa054e318c8bb055a | False | 0.49812578914141414 | OpenPGP Secret Key Version 6 | 5.758930104385571 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                     .data | 0x70000 | 0x5d6c | 0xe00 | 06414e748130e7e668ba2ba172d63448 | False | 0.22684151785714285 | data | 3.093339598098017 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                                     .rsrc | 0x76000 | 0x4b5c | 0x4c00 | dc0c6e2496d3577e5992c3df56690e2d | False | 0.2845908717105263 | data | 3.9898298269918544 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                                     .reloc | 0x7b000 | 0x3b80 | 0x3c00 | 3a880743591ae3410d0dc26d7322ddd0 | False | 0.7569661458333333 | data | 6.695050823503309 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                                     Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                                     RT_ICON | 0x7618c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3421985815602837
                                     RT_ICON | 0x765f4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.27704918032786885
                                     RT_ICON | 0x76f7c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.23686679174484052
                                     RT_ICON | 0x78024 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.22977178423236513
                                     RT_RCDATA | 0x7a5cc | 0x550 | data | - | - | 1.0080882352941176
                                     RT_GROUP_ICON | 0x7ab1c | 0x3e | data | English | United States | 0.8064516129032258
                                     DLL | Import
                                     KERNEL32.dll | ExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, LoadLibraryA, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, SetConsoleOutputCP, FormatMessageA, FindFirstFileA, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, HeapReAlloc, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, GetACP, GetModuleHandleExW, MoveFileExW, LoadLibraryExW, RaiseException, RtlUnwind, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, MultiByteToWideChar, DecodePointer, EncodePointer, TlsFree, TlsSetValue, GetFileSize, TerminateThread, GetLastError, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, CreateDirectoryW, GetLogicalDriveStringsA, DeleteFileW, FindNextFileA, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, GetProcAddress, CreateMutexA, GetCurrentProcess, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, FindNextVolumeW, TlsGetValue, TlsAlloc, SwitchToThread, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, InitializeCriticalSectionAndSpinCount, SetEndOfFile
                                     USER32.dll | DefWindowProcA, TranslateMessage, DispatchMessageA, GetMessageA, GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, GetWindowThreadProcessId, SetForegroundWindow, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CreateWindowExA, SendInput, EnumDisplaySettingsW, mouse_event, MapVirtualKeyA, TrackPopupMenu, CreatePopupMenu, AppendMenuA, RegisterClassExA, GetCursorPos, SystemParametersInfoW, GetIconInfo, GetSystemMetrics, CloseWindow, DrawIcon
                                     GDI32.dll | BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteDC, DeleteObject, CreateDCA, GetObjectA, SelectObject
                                     ADVAPI32.dll | LookupPrivilegeValueA, CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, RegDeleteKeyA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW
                                     SHELL32.dll | ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
                                     ole32.dll | CoInitializeEx, CoGetObject, CoUninitialize
                                     SHLWAPI.dll | StrToIntA, PathFileExistsW, PathFileExistsA
                                     WINMM.dll | mciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInStart, waveInUnprepareHeader, waveInOpen, waveInAddBuffer, waveInPrepareHeader, PlaySoundW
                                     WS2_32.dll | send, WSAStartup, socket, connect, WSAGetLastError, recv, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, gethostbyname
                                     urlmon.dll | URLOpenBlockingStreamW, URLDownloadToFileW
                                     gdiplus.dll | GdipAlloc, GdiplusStartup, GdipGetImageEncoders, GdipLoadImageFromStream, GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipCloneImage
                                     WININET.dll | InternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile
                                     Language of compilation system | Country where language is spoken | Map
                                     English | United States | -
                                     Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                     Dec 6, 2024 11:10:56.937783957 CET | 56953 | 53 | 192.168.2.8 | 1.1.1.1
                                     Dec 6, 2024 11:10:57.152064085 CET | 53 | 56953 | 1.1.1.1 | 192.168.2.8
                                     Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                     Dec 6, 2024 11:10:56.937783957 CET | 192.168.2.8 | 1.1.1.1 | 0xf595 | Standard query (0) | ahmedahmed.ddns.net | A (IP address) | IN (0x0001) | false
                                     Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                     Dec 6, 2024 11:10:57.152064085 CET | 1.1.1.1 | 192.168.2.8 | 0xf595 | No error (0) | ahmedahmed.ddns.net | - | 0.0.0.0 | A (IP address) | IN (0x0001) | false
                                     Dec 6, 2024 11:12:18.120526075 CET | 1.1.1.1 | 192.168.2.8 | 0xe293 | No error (0) | fp2e7a.wpc.2be4.phicdn.net | fp2e7a.wpc.phicdn.net | - | CNAME (Canonical name) | IN (0x0001) | false
                                     Dec 6, 2024 11:12:18.120526075 CET | 1.1.1.1 | 192.168.2.8 | 0xe293 | No error (0) | fp2e7a.wpc.phicdn.net | - | 192.229.221.95 | A (IP address) | IN (0x0001) | false


                                    Target ID:0
                                    Start time:05:10:55
                                    Start date:06/12/2024
                                    Path:C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe
                                    Wow64 process (32bit):true
                                    Commandline:"C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe"
                                    Imagebase:0x400000
                                    File size:493'056 bytes
                                    MD5 hash:3150FD280A5AC05126B16F78E2F14146
                                    Has elevated privileges:true
                                    Has administrator privileges:true
                                    Programmed in:C, C++ or other language
                                    Yara matches:
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.3883361373.00000000022FF000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000000.1422543565.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000000.1422543565.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.1422543565.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000000.1422543565.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                    • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                    • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                    • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.3883160443.000000000086E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                    Reputation:low
                                    Has exited:false


                                      Execution Graph

                                      Execution Coverage:2.9%
                                      Dynamic/Decrypted Code Coverage:0%
                                      Signature Coverage:28.2%
                                      Total number of Nodes:984
                                      Total number of Limit Nodes:37
                                       execution_graph: [node and edge listing of the execution graph (node IDs, function addresses and per-node API-call summaries); not reproduced here]
47028->47029 47029->46469 47031 4124e1 RegQueryValueExA RegCloseKey 47030->47031 47032 41250b 47030->47032 47031->47032 47032->46465 47033->46472 47034->46501 47035->46494 47036->46485 47037->46499 47039 40c8ba 47038->47039 47040 40c8da 47039->47040 47041 40c90f 47039->47041 47042 40c8d0 47039->47042 47514 41a74b 29 API calls 47040->47514 47045 41b15b 2 API calls 47041->47045 47044 40ca03 GetLongPathNameW 47042->47044 47048 403b40 28 API calls 47044->47048 47046 40c914 47045->47046 47049 40c918 47046->47049 47050 40c96a 47046->47050 47047 40c8e3 47051 401e18 26 API calls 47047->47051 47052 40ca18 47048->47052 47054 403b40 28 API calls 47049->47054 47053 403b40 28 API calls 47050->47053 47055 40c8ed 47051->47055 47056 403b40 28 API calls 47052->47056 47058 40c978 47053->47058 47059 40c926 47054->47059 47061 401e13 26 API calls 47055->47061 47057 40ca27 47056->47057 47517 40cc37 28 API calls 47057->47517 47064 403b40 28 API calls 47058->47064 47065 403b40 28 API calls 47059->47065 47061->47042 47062 40ca3a 47518 402860 28 API calls 47062->47518 47067 40c98e 47064->47067 47068 40c93c 47065->47068 47066 40ca45 47519 402860 28 API calls 47066->47519 47516 402860 28 API calls 47067->47516 47515 402860 28 API calls 47068->47515 47072 40ca4f 47075 401e13 26 API calls 47072->47075 47073 40c999 47076 401e18 26 API calls 47073->47076 47074 40c947 47077 401e18 26 API calls 47074->47077 47078 40ca59 47075->47078 47079 40c9a4 47076->47079 47080 40c952 47077->47080 47081 401e13 26 API calls 47078->47081 47082 401e13 26 API calls 47079->47082 47083 401e13 26 API calls 47080->47083 47084 40ca62 47081->47084 47085 40c9ad 47082->47085 47086 40c95b 47083->47086 47087 401e13 26 API calls 47084->47087 47088 401e13 26 API calls 47085->47088 47089 401e13 26 API calls 47086->47089 47090 40ca6b 47087->47090 47088->47055 47089->47055 47091 401e13 26 API calls 47090->47091 47092 40ca74 47091->47092 47093 401e13 26 API calls 47092->47093 47094 40ca7d 47093->47094 47094->46547 47095->46560 
47096->46581 47097->46540 47098->46575 47099->46610 47100->46620 47101->46643 47102->46631 47103->46665 47105 401e0c 47104->47105 47106->46492 47109 40e183 47108->47109 47110 41a65c LoadResource LockResource SizeofResource 47108->47110 47109->46721 47110->47109 47112 401f8e 47111->47112 47118 402325 47112->47118 47114 401fa4 47114->46725 47116 401f86 28 API calls 47115->47116 47117 406066 47116->47117 47117->46732 47119 40232f 47118->47119 47121 40233a 47119->47121 47122 40294a 28 API calls 47119->47122 47121->47114 47122->47121 47124 40250d 47123->47124 47126 40252b 47124->47126 47127 40261a 28 API calls 47124->47127 47126->46736 47127->47126 47128->46754 47129->46754 47130->46746 47131->46757 47132->46761 47133->46766 47134->46763 47137 402e85 47136->47137 47138 402e98 47137->47138 47140 402ea9 47137->47140 47141 402eae 47137->47141 47143 403445 28 API calls 47138->47143 47140->46776 47141->47140 47144 40225b 26 API calls 47141->47144 47143->47140 47144->47140 47146 404bd0 47145->47146 47149 40245c 47146->47149 47148 404be4 47148->46779 47150 402469 47149->47150 47152 402478 47150->47152 47153 402ad3 28 API calls 47150->47153 47152->47148 47153->47152 47154->46783 47155->46786 47157 401e94 47156->47157 47159 41b183 47158->47159 47160 41b168 GetCurrentProcess IsWow64Process 47158->47160 47159->46797 47160->47159 47161 41b17f 47160->47161 47161->46797 47163 412541 RegQueryValueExA RegCloseKey 47162->47163 47164 412569 47162->47164 47163->47164 47165 401f66 28 API calls 47164->47165 47166 41257e 47165->47166 47166->46800 47167->46808 47169 40b02f 47168->47169 47172 40b04b 47169->47172 47171 40b045 47171->46819 47173 40b055 47172->47173 47175 40b060 47173->47175 47176 40b138 28 API calls 47173->47176 47175->47171 47176->47175 47177->46823 47178->46825 47180 40230d 47179->47180 47181 402325 28 API calls 47180->47181 47182 401f80 47181->47182 47182->46553 47201 43a545 47183->47201 47185 40dd54 47185->46567 47185->46570 47186 43998b 47210 4392de 38 API calls 2 library 
calls 47186->47210 47188 439950 47188->47185 47188->47186 47189 439965 47188->47189 47208 445354 20 API calls __dosmaperr 47189->47208 47191 43996a 47209 43a827 26 API calls _Deallocate 47191->47209 47194 439997 47195 4399c6 47194->47195 47211 43a58a 42 API calls __Tolower 47194->47211 47199 439a32 47195->47199 47212 43a4f1 26 API calls 2 library calls 47195->47212 47197 439af9 _strftime 47197->47185 47214 445354 20 API calls __dosmaperr 47197->47214 47213 43a4f1 26 API calls 2 library calls 47199->47213 47202 43a54a 47201->47202 47203 43a55d 47201->47203 47215 445354 20 API calls __dosmaperr 47202->47215 47203->47188 47205 43a54f 47216 43a827 26 API calls _Deallocate 47205->47216 47207 43a55a 47207->47188 47208->47191 47209->47185 47210->47194 47211->47194 47212->47199 47213->47197 47214->47185 47215->47205 47216->47207 47221 401e9b 47217->47221 47219 4027d9 47219->46864 47220->46868 47222 401ea7 47221->47222 47223 40245c 28 API calls 47222->47223 47224 401eb9 47223->47224 47224->47219 47226 409855 47225->47226 47227 4124b7 3 API calls 47226->47227 47228 40985c 47227->47228 47229 409870 47228->47229 47230 40988a 47228->47230 47232 4095cf 47229->47232 47233 409875 47229->47233 47244 4082dc 47230->47244 47232->46604 47234 4082dc 28 API calls 47233->47234 47236 409883 47234->47236 47270 409959 29 API calls 47236->47270 47239 409888 47239->47232 47240->46892 47397 402d8b 47241->47397 47243 4028dd 47243->46896 47245 4082eb 47244->47245 47271 408431 47245->47271 47247 408309 47248 4098a5 47247->47248 47276 40affa 47248->47276 47251 4098f6 47253 401f66 28 API calls 47251->47253 47252 4098ce 47254 401f66 28 API calls 47252->47254 47255 409901 47253->47255 47256 4098d8 47254->47256 47257 401f66 28 API calls 47255->47257 47258 41ae08 28 API calls 47256->47258 47260 409910 47257->47260 47259 4098e6 47258->47259 47280 40a876 31 API calls _Yarn 47259->47280 47262 41a686 79 API calls 47260->47262 47264 409915 CreateThread 47262->47264 47263 4098ed 47265 401eea 26 API calls 
47263->47265 47266 409930 CreateThread 47264->47266 47267 40993c CreateThread 47264->47267 47292 4099a9 47264->47292 47265->47251 47266->47267 47289 409993 47266->47289 47268 401e13 26 API calls 47267->47268 47286 4099b5 47267->47286 47269 409950 47268->47269 47269->47232 47270->47239 47396 40999f 135 API calls 47270->47396 47273 40843d 47271->47273 47272 40845b 47272->47247 47273->47272 47275 402f0d 28 API calls 47273->47275 47275->47272 47278 40b006 47276->47278 47277 4098c3 47277->47251 47277->47252 47278->47277 47281 403b9e 47278->47281 47280->47263 47282 403ba8 47281->47282 47284 403bb3 47282->47284 47285 403cfd 28 API calls 47282->47285 47284->47277 47285->47284 47295 40a3f4 47286->47295 47333 4099e4 47289->47333 47351 409e48 47292->47351 47301 40a402 47295->47301 47296 4099be 47297 40a45c Sleep GetForegroundWindow GetWindowTextLengthW 47298 40b027 28 API calls 47297->47298 47298->47301 47301->47296 47301->47297 47304 40a4a2 GetWindowTextW 47301->47304 47323 40a4bc 47301->47323 47324 433519 5 API calls __Init_thread_wait 47301->47324 47325 4338a5 29 API calls __onexit 47301->47325 47326 4334cf EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 47301->47326 47303 41aca0 GetLastInputInfo GetTickCount 47303->47323 47304->47301 47306 40affa 28 API calls 47306->47323 47307 40a5ff 47308 401e13 26 API calls 47307->47308 47308->47296 47309 40a569 Sleep 47309->47323 47312 401f66 28 API calls 47312->47323 47314 4082dc 28 API calls 47314->47323 47316 4028cf 28 API calls 47316->47323 47317 405ce6 28 API calls 47317->47323 47319 409d58 27 API calls 47319->47323 47320 41ae08 28 API calls 47320->47323 47321 401e13 26 API calls 47321->47323 47322 401eea 26 API calls 47322->47323 47323->47301 47323->47303 47323->47306 47323->47307 47323->47309 47323->47312 47323->47314 47323->47316 47323->47317 47323->47319 47323->47320 47323->47321 47323->47322 47327 4082a8 28 API calls 47323->47327 47328 40a876 31 API calls _Yarn 47323->47328 47329 40b0dd 28 API calls 
47323->47329 47330 40ae58 44 API calls 2 library calls 47323->47330 47331 440c51 26 API calls 47323->47331 47332 404c9e 28 API calls 47323->47332 47324->47301 47325->47301 47326->47301 47327->47323 47328->47323 47329->47323 47330->47323 47331->47323 47332->47323 47334 409a63 GetMessageA 47333->47334 47335 4099ff SetWindowsHookExA 47333->47335 47336 409a75 TranslateMessage DispatchMessageA 47334->47336 47348 40999c 47334->47348 47335->47334 47338 409a1b GetLastError 47335->47338 47336->47334 47336->47348 47349 41ad46 28 API calls 47338->47349 47340 409a31 47350 404c9e 28 API calls 47340->47350 47342 409a3e 47343 401f66 28 API calls 47342->47343 47344 409a4d 47343->47344 47345 41a686 79 API calls 47344->47345 47346 409a52 47345->47346 47347 401eea 26 API calls 47346->47347 47347->47348 47349->47340 47350->47342 47352 409e5d Sleep 47351->47352 47371 409d97 47352->47371 47354 4099b2 47355 409e9d CreateDirectoryW 47359 409e6f 47355->47359 47356 409eae GetFileAttributesW 47356->47359 47357 409ec5 SetFileAttributesW 47357->47359 47359->47352 47359->47354 47359->47355 47359->47356 47359->47357 47361 401d64 28 API calls 47359->47361 47369 409f10 47359->47369 47384 41b58f 47359->47384 47360 409f3f PathFileExistsW 47360->47369 47361->47359 47363 401f86 28 API calls 47363->47369 47364 40a048 SetFileAttributesW 47364->47359 47365 406052 28 API calls 47365->47369 47366 401eef 26 API calls 47366->47369 47367 401eea 26 API calls 47367->47369 47369->47360 47369->47363 47369->47364 47369->47365 47369->47366 47369->47367 47370 401eea 26 API calls 47369->47370 47393 41b61a 32 API calls 47369->47393 47394 41b687 CreateFileW SetFilePointer WriteFile CloseHandle 47369->47394 47370->47359 47372 409e44 47371->47372 47374 409dad 47371->47374 47372->47359 47373 409dcc CreateFileW 47373->47374 47375 409dda GetFileSize 47373->47375 47374->47373 47376 409e0f CloseHandle 47374->47376 47377 409e04 Sleep 47374->47377 47378 409dfd 47374->47378 47380 409e21 47374->47380 47375->47374 47375->47376 
47376->47374 47377->47376 47395 40a7f0 83 API calls 47378->47395 47380->47372 47381 4082dc 28 API calls 47380->47381 47382 409e3d 47381->47382 47383 4098a5 126 API calls 47382->47383 47383->47372 47385 41b5a2 CreateFileW 47384->47385 47387 41b5db 47385->47387 47388 41b5df 47385->47388 47387->47359 47389 41b5f6 WriteFile 47388->47389 47390 41b5e6 SetFilePointer 47388->47390 47391 41b60b CloseHandle 47389->47391 47392 41b609 47389->47392 47390->47389 47390->47391 47391->47387 47392->47391 47393->47369 47394->47369 47395->47377 47398 402d97 47397->47398 47401 4030f7 47398->47401 47400 402dab 47400->47243 47402 403101 47401->47402 47404 403115 47402->47404 47405 4036c2 28 API calls 47402->47405 47404->47400 47405->47404 47407 403b48 47406->47407 47413 403b7a 47407->47413 47410 403cbb 47417 403dc2 47410->47417 47412 403cc9 47412->46905 47414 403b86 47413->47414 47415 403b9e 28 API calls 47414->47415 47416 403b5a 47415->47416 47416->47410 47418 403dce 47417->47418 47421 402ffd 47418->47421 47420 403de3 47420->47412 47422 40300e 47421->47422 47427 4032a4 47422->47427 47426 40302e 47426->47420 47428 4032b0 47427->47428 47429 40301a 47427->47429 47433 4032b6 28 API calls 47428->47433 47429->47426 47432 4035e8 28 API calls 47429->47432 47432->47426 47440 4395ba 47434->47440 47438 412814 47437->47438 47439 4127ed RegSetValueExA RegCloseKey 47437->47439 47438->46928 47439->47438 47443 43953b 47440->47443 47442 401608 47442->46930 47444 43954a 47443->47444 47445 43955e 47443->47445 47451 445354 20 API calls __dosmaperr 47444->47451 47449 43955a __alldvrm 47445->47449 47453 447601 11 API calls 2 library calls 47445->47453 47448 43954f 47452 43a827 26 API calls _Deallocate 47448->47452 47449->47442 47451->47448 47452->47449 47453->47449 47456 41aab9 ctype ___scrt_fastfail 47454->47456 47455 401f66 28 API calls 47457 41ab2e 47455->47457 47456->47455 47457->46935 47458->46951 47460 413fb3 getaddrinfo WSASetLastError 47459->47460 47461 413fa9 47459->47461 47460->46985 47506 413e37 
35 API calls ___std_exception_copy 47461->47506 47463 413fae 47463->47460 47507 401faa 47464->47507 47466 41bc8a FormatMessageA 47467 41bcb6 47466->47467 47468 41bca8 47466->47468 47470 41bcc1 LocalFree 47467->47470 47469 401f66 28 API calls 47468->47469 47471 41bcb4 47469->47471 47470->47471 47472 401eea 26 API calls 47471->47472 47473 41bcdd 47472->47473 47473->46985 47475 404805 SetEvent CloseHandle 47474->47475 47476 40481c closesocket 47474->47476 47477 40489c 47475->47477 47478 404829 47476->47478 47477->46985 47479 40483f 47478->47479 47509 404ab1 83 API calls 47478->47509 47481 404851 WaitForSingleObject 47479->47481 47482 404892 SetEvent CloseHandle 47479->47482 47510 41dc15 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 47481->47510 47482->47477 47484 404860 SetEvent WaitForSingleObject 47511 41dc15 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 47484->47511 47486 404878 SetEvent CloseHandle CloseHandle 47486->47482 47487->46985 47488->46985 47489->46985 47490->46981 47512 404b1d 101 API calls 47490->47512 47491->46981 47492->46981 47493->46981 47494->46981 47495->46981 47496->46981 47497->46981 47498->46981 47499->46981 47500->46981 47501->46981 47502->46981 47503->46981 47504->46981 47505->46981 47506->47463 47508 401fb2 47507->47508 47508->47466 47509->47479 47510->47484 47511->47486 47514->47047 47515->47074 47516->47073 47517->47062 47518->47066 47519->47072 47522 40e56a 47520->47522 47521 4124b7 3 API calls 47521->47522 47522->47521 47523 40e59c 47522->47523 47524 40e60e 47522->47524 47526 40e5fe Sleep 47522->47526 47525 4082dc 28 API calls 47523->47525 47523->47526 47529 41ae08 28 API calls 47523->47529 47535 401e13 26 API calls 47523->47535 47538 401f66 28 API calls 47523->47538 47542 4126d2 29 API calls 47523->47542 47553 40bf04 73 API calls ___scrt_fastfail 47523->47553 47554 412774 29 API calls 47523->47554 47527 4082dc 28 API calls 47524->47527 47525->47523 47526->47522 47530 40e619 47527->47530 47529->47523 
47531 41ae08 28 API calls 47530->47531 47532 40e625 47531->47532 47555 412774 29 API calls 47532->47555 47535->47523 47536 40e638 47537 401e13 26 API calls 47536->47537 47539 40e644 47537->47539 47538->47523 47540 401f66 28 API calls 47539->47540 47541 40e655 47540->47541 47543 4126d2 29 API calls 47541->47543 47542->47523 47544 40e668 47543->47544 47556 411699 TerminateProcess WaitForSingleObject 47544->47556 47546 40e670 ExitProcess 47557 411637 61 API calls 47549->47557 47554->47523 47555->47536 47556->47546

                                      Control-flow Graph

                                      APIs
                                      • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                                      • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                                      • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                                      • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                                      • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                                      • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                      • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                      • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                      • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                      • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                      • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                      • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                      • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                      • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                      • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BE09
                                      • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE16
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BE19
                                      • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE2B
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BE2E
                                      • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE3B
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
                                      • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE50
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BE53
                                      • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE60
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041BE63
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressProc$HandleLibraryLoadModule
                                      • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                      • API String ID: 384173800-625181639
                                      • Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                      • Instruction ID: 894fbade80705e672e772900be83df88f70523cf1842e1027a1ce5ee2e2841b6
                                      • Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                      • Instruction Fuzzy Hash: 2831EDA0E4031C7ADA107FB69C49E5B7E9CD944B953110827B508D3162FBBDA9809EEE

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                                        • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                                        • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                        • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                                        • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                                        • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                                        • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                                        • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                                        • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                                        • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                                        • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                                        • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                        • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                        • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                        • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                        • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                        • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                                        • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                        • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                        • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                        • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                        • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                        • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                        • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                        • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                        • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                        • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                        • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                        • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                      • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe,00000104), ref: 0040D790
                                        • Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF
                                       Memory Dump Source
                                       • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                       Joe Sandbox IDA Plugin
                                       • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Similarity
                                      • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                      • String ID: 0DG$@CG$@CG$Access Level: $Administrator$C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe$Exe$Exe$Inj$Remcos Agent initialized$Rmc-SEVL3E$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt$BG$BG$BG$BG$BG
                                      • API String ID: 2830904901-2731131623
                                      • Opcode ID: e47213d212d024f2bc8682f55885eae6904282a0cbf37af7b5c1c5c93c255277
                                      • Instruction ID: 4071723a11783d2da8da933f82134b9c6f3815e49c8d87d463163304bf45e319
                                      • Opcode Fuzzy Hash: e47213d212d024f2bc8682f55885eae6904282a0cbf37af7b5c1c5c93c255277
                                      • Instruction Fuzzy Hash: 4032A360B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E

                                      Control-flow Graph

                                      APIs
                                      • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
                                      • SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
                                      • GetLastError.KERNEL32 ref: 00409A1B
                                        • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
                                      • TranslateMessage.USER32(?), ref: 00409A7A
                                      • DispatchMessageA.USER32(?), ref: 00409A85
                                      Similarity
                                      • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                      • String ID: Keylogger initialization failure: error $`Wu
                                      • API String ID: 3219506041-303027793
                                      • Opcode ID: b25c238cc25c38f6a39b157eec7e909f885e780430bb9e72e24c2f6a8841eb99
                                      • Instruction ID: 76b292cdb4e6355f9a4176d1f10d626d2d11be3de55f9aee7ae49bf60faff0c2
                                      • Opcode Fuzzy Hash: b25c238cc25c38f6a39b157eec7e909f885e780430bb9e72e24c2f6a8841eb99
                                      • Instruction Fuzzy Hash: 201194716043015BC710AB7AAC4996B77ECAB94B15B10057FFC45D2291FB34DE01CBAB

                                      Control-flow Graph

                                      APIs
                                        • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                        • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                        • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
                                      • Sleep.KERNEL32(00000BB8), ref: 0040E603
                                      • ExitProcess.KERNEL32 ref: 0040E672
                                      Similarity
                                      • API ID: CloseExitOpenProcessQuerySleepValue
                                      • String ID: 5.3.0 Pro$override$pth_unenc$BG
                                      • API String ID: 2281282204-3981147832
                                      • Opcode ID: 5e3dc2ee62b3815afed8a14a75d9f4affef8716378befb7542775b3a197d221c
                                      • Instruction ID: 346becae97c590b24629de205d3f766cc2ad037e5fc603921d36f10068cff0f4
                                      • Opcode Fuzzy Hash: 5e3dc2ee62b3815afed8a14a75d9f4affef8716378befb7542775b3a197d221c
                                      • Instruction Fuzzy Hash: 6B21A131B0030027C608767A891BA6F359A9B91719F90443EF805A76D7EE7D8A6083DF
                                      APIs
                                      • GetComputerNameExW.KERNEL32(00000001,?,0000002B,00474358), ref: 0041A7BF
                                      • GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7D7
                                      Similarity
                                      • API ID: Name$ComputerUser
                                      • String ID:
                                      • API String ID: 4229901323-0
                                      • Opcode ID: d080141cef9e3990b2f6bec53120ee530cdf67b1126702e4f13589ad74e7334c
                                      • Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
                                      • Opcode Fuzzy Hash: d080141cef9e3990b2f6bec53120ee530cdf67b1126702e4f13589ad74e7334c
                                      • Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98

                                      Control-flow Graph

                                      APIs
                                      • Sleep.KERNEL32(00000000,00000029,004742F8,?,00000000), ref: 00414028
                                      • WSAGetLastError.WS2_32 ref: 00414249
                                      • Sleep.KERNEL32(00000000,00000002), ref: 00414B88
                                        • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                      Similarity
                                      • API ID: Sleep$ErrorLastLocalTime
                                      • String ID: | $%I64u$5.3.0 Pro$@CG$C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$Rmc-SEVL3E$TLS Off$TLS On $TUF$XCG$XCG$XCG$`=G$dCG$hlight$name$>G$>G$BG
                                      • API String ID: 524882891-4969701
                                      • Opcode ID: f55b36db8c9c5c8a51566e91d6f3a9836b766cc520abf14722897958e7ad32cd
                                      • Instruction ID: a0bb0b13232d9f5991351636829aab2dda2428bc81dc0b9639db3628de0ead2f
                                      • Opcode Fuzzy Hash: f55b36db8c9c5c8a51566e91d6f3a9836b766cc520abf14722897958e7ad32cd
                                      • Instruction Fuzzy Hash: 58524E31A001145ADB18F771DDA6AEE73A59F90708F1041BFB80A771E2EF385E85CA9D

                                      Control-flow Graph

                                      APIs
                                      • Sleep.KERNEL32(00001388), ref: 00409E62
                                        • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                        • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                        • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                        • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                      • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
                                      • GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
                                      • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
                                      • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
                                        • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                      • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A049
                                      Similarity
                                      • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                      • String ID: @CG$@CG$XCG$XCG$xAG$xAG
                                      • API String ID: 3795512280-3163867910
                                      • Opcode ID: 478d1cbae2b352f7a85ddd3b94cb29f0f84926477ce6454f32d463d399d219e0
                                      • Instruction ID: b7dfc09a395f5416f32c5fe597dbb364f69b6ed32616efff49b152d1c9b912f4
                                      • Opcode Fuzzy Hash: 478d1cbae2b352f7a85ddd3b94cb29f0f84926477ce6454f32d463d399d219e0
                                      • Instruction Fuzzy Hash: 30518D716043005ACB05BB72D866ABF769AAFD1309F00053FF886B71E2DF3D9D44869A

                                      Control-flow Graph

                                      APIs
                                      • WaitForSingleObject.KERNEL32(?,000000FF,00475B70,?,?,00000000,00475B70,004017F3), ref: 004047FD
                                      • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404808
                                      • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404811
                                      • closesocket.WS2_32(?), ref: 0040481F
                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B70,004017F3), ref: 00404856
                                      • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404867
                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B70,004017F3), ref: 0040486E
                                      • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404880
                                      • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404885
                                      • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 0040488A
                                      • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404895
                                      • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 0040489A
                                      Similarity
                                      • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                      • String ID:
                                      • API String ID: 3658366068-0
                                      • Opcode ID: 064d6b1f915996a70041b40538a6eeea030a706771223880b65586d948e925f6
                                      • Instruction ID: 5504d0c870acfe65fd0076db90b097e51f0e6d2514c589c74abed5ba37c9c78a
                                      • Opcode Fuzzy Hash: 064d6b1f915996a70041b40538a6eeea030a706771223880b65586d948e925f6
                                      • Instruction Fuzzy Hash: 3C212C71104B149FCB216B26EC45A27BBE1EF40325F104A7EF2E612AF1CB76E851DB48

                                      Control-flow Graph

                                      APIs
                                      • __Init_thread_footer.LIBCMT ref: 0040A456
                                      • Sleep.KERNEL32(000001F4), ref: 0040A461
                                      • GetForegroundWindow.USER32 ref: 0040A467
                                      • GetWindowTextLengthW.USER32(00000000), ref: 0040A470
                                      • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
                                      • Sleep.KERNEL32(000003E8), ref: 0040A574
                                        • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                      Similarity
                                      • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                      • String ID: [${ User has been idle for $ minutes }$]
                                      • API String ID: 911427763-3954389425
                                      • Opcode ID: 547a7cfd8ecb315c382de053530a614a00025319d5b4f46ac54375dc0518001e
                                      • Instruction ID: 0ecdfa35f4bf358d0b6072dbfc0ad8fc4f94b2a12b5a089c7f39fa9b67fb4d59
                                      • Opcode Fuzzy Hash: 547a7cfd8ecb315c382de053530a614a00025319d5b4f46ac54375dc0518001e
                                      • Instruction Fuzzy Hash: C451DF316083005BC614FB21D84AAAE7794BF84318F50493FF846A62E2EF7C9E55C69F

                                      Control-flow Graph

                                      APIs
                                      • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040CA04
                                      Similarity
                                      • API ID: LongNamePath
                                      • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                      • API String ID: 82841172-425784914
                                      • Opcode ID: f411b4bda197469a8f5fa6f0702ce682b0f23decd79daaf3752e96957329e7a7
                                      • Instruction ID: 51cedb133b73bca78a9fc1065318242b3d6e678e936cb09da4a185c9a299c852
                                      • Opcode Fuzzy Hash: f411b4bda197469a8f5fa6f0702ce682b0f23decd79daaf3752e96957329e7a7
                                      • Instruction Fuzzy Hash: 39413A721442009BC214FB21DD96DAFB7A4AE90759F10063FB546720E2EE7CAA49C69F

                                      Control-flow Graph

APIs
  • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
  • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
  • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
  • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
  • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
• StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4D9
• Decoded: RegOpenKeyExA samDesired 00020019 = KEY_READ; the hKey shown is 80000001 = HKEY_CURRENT_USER. Together with the String ID below (ProductName and CurrentBuildNumber under SOFTWARE\Microsoft\Windows NT\CurrentVersion, the suffixes " (32 bit)" and " (64 bit)") and the IsWow64Process subcall, this function assembles an OS description string: product name, build number parsed with StrToIntA, and process bitness.
                                      Similarity
                                      • API ID: Process$CloseCurrentOpenQueryValueWow64
                                      • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                      • API String ID: 782494840-2070987746
                                      • Opcode ID: 86bbcbdce1bcc566ec4c7eb9c3f3f89489dcb65e6470f8cc487b0f9213cf0882
                                      • Instruction ID: 19977b185b3bcff34fa520d2ecc4782d624f476aadfe6515b429a208ce335d2f
                                      • Opcode Fuzzy Hash: 86bbcbdce1bcc566ec4c7eb9c3f3f89489dcb65e6470f8cc487b0f9213cf0882
                                      • Instruction Fuzzy Hash: EF11E9A060020166C704B365DCABDBF765ADB90304F50443FB906E31D2EB6C9E9683EE

Control-flow Graph
• Control-flow graph (not rendered): basic blocks 00409d97-00409e47. Loop body: CreateFileW at 00409db2, GetFileSize at 00409dda, Sleep at 00409e04 on one branch, CloseHandle at 00409e0f, then 00409e1b, which either branches back to 00409db2 or falls through to 00409e21 and the exit at 00409e44.
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
• Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
• CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
• Decoded: CreateFileW(dwDesiredAccess 80000000 = GENERIC_READ, dwShareMode 00000007 = FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, dwCreationDisposition 00000003 = OPEN_EXISTING, dwFlagsAndAttributes 00000080 = FILE_ATTRIBUTE_NORMAL); Sleep(00002710) = 10 000 ms. Each pass opens the same file, checks its size, sleeps 10 s on one path and closes the handle, which is the "opens the same file many times" and delayed-exit behaviour flagged in the overview and stalls execution past short sandbox timeouts.
                                      Similarity
                                      • API ID: File$CloseCreateHandleSizeSleep
                                      • String ID: `AG
                                      • API String ID: 1958988193-3058481221
                                      • Opcode ID: b0d5ab9d96485228d01e653f577d9a536d0e325b1c446dee4fcf46d6e6ae2c45
                                      • Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
                                      • Opcode Fuzzy Hash: b0d5ab9d96485228d01e653f577d9a536d0e325b1c446dee4fcf46d6e6ae2c45
                                      • Instruction Fuzzy Hash: 3A11C4303407406AE731E764E88962B7A9AAB91311F44057EF18562AE3D7389CD1829D

Control-flow Graph
• Control-flow graph (not rendered): basic blocks 004126d2-00412730. RegCreateKeyA at 004126d2; on success 004126eb writes the value (RegSetValueExA) and closes the key (RegCloseKey); both paths join at 00412724.
APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
• RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
• RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
• Decoded: hKey 80000001 = HKEY_CURRENT_USER; the value name in the RegSetValueExA call is HgF. The lpData and cbData arguments are shown as 0 in this trace, so the stored data cannot be read off the listing; the call context carries the string 5.3.0 Pro and the String ID below adds pth_unenc. Per-user keys and value names written by the implant (HgF here, TUF in the function at 004127D5) are the registry artefacts to hunt for.
                                      Similarity
                                      • API ID: CloseCreateValue
                                      • String ID: HgF$pth_unenc
                                      • API String ID: 1818849710-3662775637
                                      • Opcode ID: 1bd7bc63bfcb718f8a00b857ba0206b1347799401e36ec3cc1597cb67c32c774
                                      • Instruction ID: d7c223529d0a909ac1d5b5cf1be9cbd74eb10d05c00374dbcf2eb8abb0eb8976
                                      • Opcode Fuzzy Hash: 1bd7bc63bfcb718f8a00b857ba0206b1347799401e36ec3cc1597cb67c32c774
                                      • Instruction Fuzzy Hash: 98F09032040104FBCB019FA0ED55EEF37ACEF04751F108139FD06A61A1EA75DE04EA94

                                      Control-flow Graph

APIs
• CreateThread.KERNEL32(00000000,00000000,004099A9,?,00000000,00000000), ref: 0040992A
• CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040993A
• CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 00409946
  • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
  • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
• Decoded: three worker threads are started with routines 004099A9, 00409993 and 004099B5. The subcall at 0040A876 formats the local time with wsprintfW, and with the String ID below (Offline Keylogger Started) this is the timestamped header written when the offline keylogger log is opened.
                                      Similarity
                                      • API ID: CreateThread$LocalTimewsprintf
                                      • String ID: Offline Keylogger Started
                                      • API String ID: 465354869-4114347211
                                      • Opcode ID: 12a7e14b742792f2f7edc51aeeb20cb2f460560c35512bbf3bc1a56244271605
                                      • Instruction ID: 73cd13916ef890eca76c0e29a3751801184202c96e3ca0ae9416a03768ca9078
                                      • Opcode Fuzzy Hash: 12a7e14b742792f2f7edc51aeeb20cb2f460560c35512bbf3bc1a56244271605
                                      • Instruction Fuzzy Hash: CF11ABB15003097AD220BA36DC87CBF765CDA813A8B40053EF845225D3EA785E54C6FB

Control-flow Graph
• Control-flow graph (not rendered): basic blocks 004127d5-0041281b. RegCreateKeyA at 004127d5; on success 004127ed calls RegSetValueExA and RegCloseKey and returns either directly or through 00412814; the exit block is 00412818.
APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
• RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
• RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
• Decoded: hKey 80000001 = HKEY_CURRENT_USER; RegSetValueExA dwType 00000004 = REG_DWORD with cbData 00000004, i.e. a single 4-byte flag is stored, and the name TUF appears both in the call arguments and in the String ID below. This is the second per-user registry write in the sample (HgF at 004126D2 is the other).
                                      Similarity
                                      • API ID: CloseCreateValue
                                      • String ID: TUF
                                      • API String ID: 1818849710-3431404234
                                      • Opcode ID: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                      • Instruction ID: 4d8f19d4f5fba69279ea975c705bdc3302fb28fe13ea63ccb444db4f968143a5
                                      • Opcode Fuzzy Hash: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                      • Instruction Fuzzy Hash: 8DE03071540204BFEF115B909C05FDB3BA8EB05B95F004161FA05F6191D271CE14D7A4

Control-flow Graph
• Control-flow graph (not rendered): basic blocks 0041b58f-0041b619. Three set-up paths (0041b5a7, 0041b5ae, 0041b5b8) lead to CreateFileW at 0041b5c0; on success 0041b5df either seeks first (SetFilePointer at 0041b5e6) or writes directly (WriteFile at 0041b5f6), then CloseHandle at 0041b60b; on failure 0041b5db goes straight to the exit at 0041b614.
APIs
• CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6A5,00000000,00000000,?), ref: 0041B5CE
• SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040A009,?,00000000,00000000), ref: 0041B5EB
• WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A009,?,00000000,00000000), ref: 0041B5FF
• CloseHandle.KERNEL32(00000000,?,0040A009,?,00000000,00000000), ref: 0041B60C
• Decoded: CreateFileW(dwDesiredAccess 40000000 = GENERIC_WRITE, dwShareMode 0, dwCreationDisposition 00000002 = CREATE_ALWAYS on the traced path, dwFlagsAndAttributes 00000080 = FILE_ATTRIBUTE_NORMAL); SetFilePointer with dwMoveMethod 00000002 = FILE_END before WriteFile is an append. The graph shows the disposition and the seek are chosen by the caller, so this is a general write/append primitive; 0040A009 in the call context is the return address of one caller.
                                      Similarity
                                      • API ID: File$CloseCreateHandlePointerWrite
                                      • String ID:
                                      • API String ID: 3604237281-0
                                      • Opcode ID: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                      • Instruction ID: 083799f3d1f95ebfb1fb2bbe8bc155d348f6fb5eb74ded268dd94cd43ec1eb57
                                      • Opcode Fuzzy Hash: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                      • Instruction Fuzzy Hash: 7501F5712092157FE6104F28AC89EBB739EEB86379F10063AF552C22C0D725CD8586BE
APIs
• CreateMutexA.KERNEL32(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
• GetLastError.KERNEL32 ref: 0040BEF1
• Decoded: CreateMutexA(lpMutexAttributes 0, bInitialOwner 00000001, …) followed immediately by GetLastError is the standard single-instance check (ERROR_ALREADY_EXISTS means another copy is already running). The String ID below gives the mutex name Rmc-SEVL3E; a named mutex with this Rmc- prefix is a host indicator worth checking on suspected machines.
                                      Similarity
                                      • API ID: CreateErrorLastMutex
                                      • String ID: Rmc-SEVL3E
                                      • API String ID: 1925916568-2088500833
                                      • Opcode ID: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                      • Instruction ID: f970ec9d0541ab61c93bafde2a4f59c5c821b48a7874ab2150ad5935bc14b509
                                      • Opcode Fuzzy Hash: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                      • Instruction Fuzzy Hash: 75D012707083009BD7181774BC8A77D3555E784703F00417AB90FD55E1CB6888409919
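Function records like the ones above (the CreateMutexA/GetLastError check at 0040BEE6 with the Rmc-SEVL3E name, the CreateFileW/GetFileSize/Sleep/CloseHandle loop at 00409D97, the HKEY_CURRENT_USER writes at 004126D2 and 004127D5) are what an analyst mines from a report like this. The Python below is an added example, not part of the Joe Sandbox report or of the Remcos sample: it parses records in the page's "APIs / Similarity" bullet layout into structured calls, decodes the Win32 constants the report prints as raw hex (GENERIC_READ, OPEN_EXISTING, HKEY_CURRENT_USER, Sleep milliseconds) and applies a few triage rules for the behaviours visible here. The record text is constructed from this page's lines; the rule names are my own, and the Rmc- rule assumes the mutex naming seen in this sample.

```python
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed sample: three function records in this report's "APIs / Similarity" layout
# (API lines copied from the page; memory-dump, Yara and hash sections left out).
SAMPLE_REPORT = """\
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
• GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
• Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
• CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
Similarity
• Opcode ID: b0d5ab9d96485228d01e653f577d9a536d0e325b1c446dee4fcf46d6e6ae2c45
APIs
• CreateMutexA.KERNEL32(00000000,00000001,00000000,0040D9AA,0000000D), ref: 0040BEE6
• GetLastError.KERNEL32 ref: 0040BEF1
Similarity
• API ID: CreateErrorLastMutex
• String ID: Rmc-SEVL3E
• Opcode ID: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
APIs
• RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
• RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004), ref: 004127FE
• RegCloseKey.KERNEL32(?), ref: 00412809
Similarity
• String ID: TUF
• Opcode ID: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
"""

# One API line: optional "Part of subcall function X:" prefix, Api.MODULE, optional "(args)",
# then "ref: <address>"; entries such as GetLastError carry no argument list.
API_RE = re.compile(r"^•\s*(?P<sub>Part of subcall function [0-9A-Fa-f]+:\s*)?(?P<api>[\w@]+)"
                    r"\.(?P<mod>\w+)(?:\((?P<args>.*?)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$")
ApiCall = namedtuple("ApiCall", "api module args ref subcall")

@dataclass
class FunctionRecord:
    apis: list = field(default_factory=list)      # ApiCall entries in report order
    strings: list = field(default_factory=list)   # String ID entries ('$'-separated on the page)
    opcode_id: str = ""

def parse_report(text):
    """One FunctionRecord per 'APIs' section; any non-bullet line is a section heading."""
    records, cur, section = [], None, None
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if not line.startswith("•"):
            section = line
            if line == "APIs":
                cur = FunctionRecord()
                records.append(cur)
        elif cur is None:
            continue
        elif section == "APIs" and (m := API_RE.match(line)):
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            cur.apis.append(ApiCall(m["api"], m["mod"], args, m["ref"].upper(), bool(m["sub"])))
        elif section == "Similarity":
            key, _, val = line.lstrip("• ").partition(":")
            if key.strip() == "String ID":
                cur.strings = [s for s in val.strip().split("$") if s]
            elif key.strip() == "Opcode ID":
                cur.opcode_id = val.strip()
    return records

GENERIC = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
           0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
DISPOSITION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}
HKEY = {"80000000": "HKEY_CLASSES_ROOT", "80000001": "HKEY_CURRENT_USER",
        "80000002": "HKEY_LOCAL_MACHINE", "80000003": "HKEY_USERS"}

def hexarg(s):
    """Arguments are 32-bit hex words; '?' or a resolved string (TUF, WinDir) means not a number."""
    return int(s, 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", s or "") else None

def decode_create_file(call):
    """CreateFileW(lpFileName, dwDesiredAccess, dwShareMode, lpSA, dwCreationDisposition, ...)."""
    if len(call.args) < 5:
        return "?", "?"
    access, disp = hexarg(call.args[1]), hexarg(call.args[4])
    access_s = "?" if access is None else (
        "|".join(n for bit, n in GENERIC.items() if access & bit) or f"0x{access:08x}")
    return access_s, DISPOSITION.get(disp, "?")

def triage(rec):
    """Findings for one record, judged on the function's own calls (subcall entries excluded)."""
    own = [c for c in rec.apis if not c.subcall]
    names = {c.api for c in own}
    findings = []
    if names & {"CreateMutexA", "CreateMutexW"} and "GetLastError" in names:
        rmc = [s for s in rec.strings if s.startswith("Rmc-")]    # mutex naming seen in this sample
        findings.append("single-instance mutex check" + (f", mutex name {rmc[0]}" if rmc else ""))
    if any(c.api.startswith("RegSetValueEx") for c in own):
        for c in [x for x in own if x.api.startswith("RegCreateKey") and x.args and x.args[0] in HKEY]:
            shown = [a for a in c.args[1:] if a != "?" and hexarg(a) is None]   # names resolved in the call
            findings.append(f"registry write under {HKEY[c.args[0]]}, name shown in call: {', '.join(shown) or '?'}")
    if {"CreateFileW", "Sleep", "CloseHandle"} <= names:
        access, disp = decode_create_file(next(c for c in own if c.api == "CreateFileW"))
        ms = hexarg((next(c for c in own if c.api == "Sleep").args or ["?"])[0])
        findings.append(f"open({access}, {disp})/close loop with Sleep({ms} ms): delay, likely sandbox evasion")
    findings += [f"keylogger marker string {s!r}" for s in rec.strings if "keylogger" in s.lower()]
    return findings

def summarize(text):
    """Opcode ID -> findings, for the records that have anything to report."""
    out = {}
    for rec in parse_report(text):
        findings = triage(rec)
        if findings:
            out[rec.opcode_id] = findings
    return out
```

Run `summarize()` over a whole saved report to get one entry per flagged function, keyed by the Opcode ID so it can be matched against the listing. The "Part of subcall function" entries are parsed but excluded from the rules, so a helper's API calls are not credited to every function that calls it.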
APIs
• RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
• RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
• RegCloseKey.KERNEL32(?), ref: 0041255F
• Decoded: hKey 80000001 = HKEY_CURRENT_USER, samDesired 00020019 = KEY_READ: a per-user registry read helper (open, query one value, close). The two functions that follow (004124D7 and 00412485) are the same pattern with different buffer handling; this one, 00412513, is the subcall listed under the function at 0041A4D9 above.
                                      Similarity
                                      • API ID: CloseOpenQueryValue
                                      • String ID:
                                      • API String ID: 3677997916-0
                                      • Opcode ID: 1a25bcfb25f4c61a33ed6ceb80866840e5ee7adcdacacd2e2e41860cf5e9bac8
                                      • Instruction ID: 155fce86b91483c744b9f02885d56de91ccd1cdd8f33956e2d71fd22bd1c87ae
                                      • Opcode Fuzzy Hash: 1a25bcfb25f4c61a33ed6ceb80866840e5ee7adcdacacd2e2e41860cf5e9bac8
                                      • Instruction Fuzzy Hash: F0F08176900118BBCB209BA1ED48DEF7FBDEB44751F004066BA06E2150D6749E55DBA8
                                      APIs
                                      • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                      • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                      • RegCloseKey.KERNEL32(?), ref: 00412500
                                      Similarity
                                      • API ID: CloseOpenQueryValue
                                      • String ID:
                                      • API String ID: 3677997916-0
                                      • Opcode ID: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                      • Instruction ID: 3c8b5742b91bab9b7a0bfd6479237677f271592d1db5ef4b45a1d16c6b8d7bbd
                                      • Opcode Fuzzy Hash: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                      • Instruction Fuzzy Hash: C0F03A76900208BFDF119FA0AC45FDF7BB9EB04B55F1040A1FA05F6291D670DA54EB98
                                      APIs
                                      • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B996,004660E0), ref: 00412485
                                      • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040B996,004660E0), ref: 00412499
                                      • RegCloseKey.KERNEL32(?,?,?,0040B996,004660E0), ref: 004124A4
                                      Similarity
                                      • API ID: CloseOpenQueryValue
                                      • String ID:
                                      • API String ID: 3677997916-0
                                      • Opcode ID: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                                      • Instruction ID: 2a31b93e49ffe9e6f23ef690bd11c8afd6de107f9352384350bf23698ee7218d
                                      • Opcode Fuzzy Hash: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                                      • Instruction Fuzzy Hash: 46E06531405234BBDF314BA2AD0DDDB7FACEF16BA17004061BC09A2251D2658E50E6E8
APIs
• No Win32 imports are called from this function; its only call is the CRT _wcslen (see the API ID below).
                                      Similarity
                                      • API ID: _wcslen
                                      • String ID: xAG
                                      • API String ID: 176396367-2759412365
                                      • Opcode ID: 5b2808d6a420319a8e352f948dca3b51851caf84ac7e067c3f15d365214f07ca
                                      • Instruction ID: 4b5f0267b16b6d1f94f05398eea60063c36f9fdec9e789d07f1c8464d26cb595
                                      • Opcode Fuzzy Hash: 5b2808d6a420319a8e352f948dca3b51851caf84ac7e067c3f15d365214f07ca
                                      • Instruction Fuzzy Hash: 751193325002049FCB15FF66D8968EF7BA4EF64314B10453FF842622E2EF38A955CB98
APIs
• FormatMessageA.KERNEL32(00001100,00000000,00000000,00000400,0040440B,00000000,00000000,00475B70), ref: 0041BC9E
• LocalFree.KERNEL32(0040440B,0040440B,?,?,?,?,?,?,?,?,0040440B), ref: 0041BCC4
• Decoded: dwFlags 00001100 = FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM, with the system-allocated buffer released by LocalFree: the standard error-code-to-text helper, not malicious on its own.
                                      Similarity
                                      • API ID: FormatFreeLocalMessage
                                      • String ID:
                                      • API String ID: 1427518018-0
                                      • Opcode ID: 13f8017497bfc80015491988e3138674ee6dd7b45e3f7669173c54548a5d5469
                                      • Instruction ID: 3eb85724c12076c4d2eca72925feb3a8121d4a7150c9d5d782cbd246f65a5107
                                      • Opcode Fuzzy Hash: 13f8017497bfc80015491988e3138674ee6dd7b45e3f7669173c54548a5d5469
                                      • Instruction Fuzzy Hash: 29F0C870B00105B6CF08A7A6DC4ADFF767DDB80305B10003FB502B21D1EE789E05D658
                                      APIs
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00433DE7
                                        • Part of subcall function 00437BD7: RaiseException.KERNEL32(?,?,00434411,?,?,?,?,?,?,?,?,00434411,?,0046D644,0041AD75,?), ref: 00437C37
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00433E04
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Exception@8Throw$ExceptionRaise
                                      • String ID:
                                      • API String ID: 3476068407-0
                                      • Opcode ID: 268c4e751f198f59258c5df1bcef4ea0fc34f27caa05a39f735a57a931bd9370
                                      • Instruction ID: 1b32a2814776e74a5aaecdac66354fa275a8f3c838098619b8de34dc4906cb01
                                      • Opcode Fuzzy Hash: 268c4e751f198f59258c5df1bcef4ea0fc34f27caa05a39f735a57a931bd9370
                                      • Instruction Fuzzy Hash: 33F02B30C0020D77CB14BEA5E80699D772C4D08319F20923BB920915E1EF7CEB05858D
                                      APIs
                                      • getaddrinfo.WS2_32(00000000,00000000,00000000,00471B28,00474358,00000000,00414240,00000000,00000001), ref: 00413FBC
                                      • WSASetLastError.WS2_32(00000000), ref: 00413FC1
                                        • Part of subcall function 00413E37: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                        • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                        • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                        • Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                        • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413F27
                                        • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                        • Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                        • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                      • String ID:
                                      • API String ID: 1170566393-0
                                      • Opcode ID: de7c912f5844d1f7c2d429620844517faabbfd26de99632591fe9930316e04d8
                                      • Instruction ID: 9c65b6197a0e8ce5e429e224625e4c370c9a1848c9e97f9a588a6d75e163472b
                                      • Opcode Fuzzy Hash: de7c912f5844d1f7c2d429620844517faabbfd26de99632591fe9930316e04d8
                                      • Instruction Fuzzy Hash: 4ED05B326406216FB310575D6D01FFBB5DCDFA67617150077F408D7110D6945D82C3AD
                                      APIs
                                      • RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AllocateHeap
                                      • String ID:
                                      • API String ID: 1279760036-0
                                      • Opcode ID: 382123f4ff15faebfb065adfee4593ee0e25617df91b7722ec70fd9da05ca189
                                      • Instruction ID: 23017b4f7b15ec8d1e6c8205d578d5100ba2a3a3bb6c043e3f5ab96588fe2cc9
                                      • Opcode Fuzzy Hash: 382123f4ff15faebfb065adfee4593ee0e25617df91b7722ec70fd9da05ca189
                                      • Instruction Fuzzy Hash: 16E0E5312002B556FB202A6A9C05F5B7A88DB437A4F160133AC09D62D0CF5CEC4181AF
                                      APIs
                                      • WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Startup
                                      • String ID:
                                      • API String ID: 724789610-0
                                      • Opcode ID: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                                      • Instruction ID: eac2355bac846bce9fd0ddf676e945afe2a4b646382637a0be3cadb4b1fbcda1
                                      • Opcode Fuzzy Hash: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                                      • Instruction Fuzzy Hash: E1D012325596084ED610AAB8AC0F8A47B5CD317611F0003BA6CB5826E3E640661CC6AB
                                      APIs
                                      • SetEvent.KERNEL32(?,?), ref: 00406F28
                                      • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
                                      • DeleteFileW.KERNEL32(00000000), ref: 00407018
                                        • Part of subcall function 0041B42F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B489
                                        • Part of subcall function 0041B42F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4BB
                                        • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B50C
                                        • Part of subcall function 0041B42F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B561
                                        • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B568
                                        • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                        • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                        • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                        • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                        • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                        • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                        • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000), ref: 0040450E
                                        • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
                                      • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
                                      • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
                                      • DeleteFileA.KERNEL32(?), ref: 004078CC
                                        • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
                                        • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                        • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                      • Sleep.KERNEL32(000007D0), ref: 00407976
                                      • StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
                                        • Part of subcall function 0041BB77: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                                      • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$TTF$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
                                      • API String ID: 2918587301-184849705
                                      • Opcode ID: 37ade298292601b6bd9ed9d45fc3a7bcf2b1faa80d4aacbcc64c79336a26d8b1
                                      • Instruction ID: 8a4068a2e00c67808ff4e441dc576a613f01372a1abbdcb91e63f440e0dcd641
                                      • Opcode Fuzzy Hash: 37ade298292601b6bd9ed9d45fc3a7bcf2b1faa80d4aacbcc64c79336a26d8b1
                                      • Instruction Fuzzy Hash: 60429371A043005BC614F776C8979AE77A99F90718F40493FF946731E2EE3CAA09C69B
                                      APIs
                                      • __Init_thread_footer.LIBCMT ref: 0040508E
                                        • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                        • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                        • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                      • __Init_thread_footer.LIBCMT ref: 004050CB
                                      • CreatePipe.KERNEL32(00475CEC,00475CD4,00475BF8,00000000,0046556C,00000000), ref: 0040515E
                                      • CreatePipe.KERNEL32(00475CD8,00475CF4,00475BF8,00000000), ref: 00405174
                                      • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C08,00475CDC), ref: 004051E7
                                        • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                        • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                      • Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
                                      • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
                                      • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
                                        • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                      • WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
                                      • Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
                                      • TerminateProcess.KERNEL32(00000000), ref: 004053C1
                                      • CloseHandle.KERNEL32 ref: 004053CD
                                      • CloseHandle.KERNEL32 ref: 004053D5
                                      • CloseHandle.KERNEL32 ref: 004053E7
                                      • CloseHandle.KERNEL32 ref: 004053EF
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                      • String ID: P\G$P\G$P\G$P\G$P\G$SystemDrive$cmd.exe
                                      • API String ID: 3815868655-81343324
                                      • Opcode ID: 337a49e8742ab2c01242c4b22f0744304ac18e8bf87bb2f2211614297787c81e
                                      • Instruction ID: b18bac6d60c4c725a58799f80733fb47b3e4e6a61b1262bf76379e9ec18ff918
                                      • Opcode Fuzzy Hash: 337a49e8742ab2c01242c4b22f0744304ac18e8bf87bb2f2211614297787c81e
                                      • Instruction Fuzzy Hash: A691E5716007056FD705BB65AC41A6F37A8EB80348F50403FF94ABA1E2EEBC9C448B6D
                                      APIs
                                      • GetCurrentProcessId.KERNEL32 ref: 00410F45
                                        • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                        • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                        • Part of subcall function 004127D5: RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                      • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
                                      • CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6
                                        • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                        • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                        • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
                                      • CloseHandle.KERNEL32(00000000), ref: 00410F90
                                        • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                      • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                                      • String ID: 0DG$Remcos restarted by watchdog!$TTF$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$BG
                                      • API String ID: 65172268-329858390
                                      • Opcode ID: 13534fb87cbc39d3247b244c893d635fc72677ab580a1e7e2fcadcea4b6fcd11
                                      • Instruction ID: 2ec41641ff7d981187ed77e29e7d519fc89a207972baa733902a05010441332b
                                      • Opcode Fuzzy Hash: 13534fb87cbc39d3247b244c893d635fc72677ab580a1e7e2fcadcea4b6fcd11
                                      • Instruction Fuzzy Hash: 97719E3160420157C614FB32D8579AE77A8AED4718F40053FF582A21F2EF7CAA49869F
                                      APIs
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
                                      • FindClose.KERNEL32(00000000), ref: 0040B3CE
                                      • FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
                                      • FindClose.KERNEL32(00000000), ref: 0040B517
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$CloseFile$FirstNext
                                      • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                      • API String ID: 1164774033-3681987949
                                      • Opcode ID: 8a573f4cde42bb8974b55a1bb9849f05b01946ec243df485f40a07b19650f4e4
                                      • Instruction ID: 89bba1744b34cafda07904381260291e44814ca984bf7dbd554ee600cd7873bd
                                      • Opcode Fuzzy Hash: 8a573f4cde42bb8974b55a1bb9849f05b01946ec243df485f40a07b19650f4e4
                                      • Instruction Fuzzy Hash: 4D512C319042195ADB14FBA1EC96AEE7768EF50318F50007FF805B31E2EF389A45CA9D
                                      APIs
                                      • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
                                      • FindClose.KERNEL32(00000000), ref: 0040B5CC
                                      • FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
                                      • FindClose.KERNEL32(00000000), ref: 0040B6B2
                                      • FindClose.KERNEL32(00000000), ref: 0040B6D1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Find$Close$File$FirstNext
                                      • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                      • API String ID: 3527384056-432212279
                                      • Opcode ID: e3298efea2014f122d9e4da4ca7a52805c3aaa742dc7125d16785d6f153ddc68
                                      • Instruction ID: 41d59f58487c11b5b23c2ebc8e3123b77d6604a8f5f59a85184e8f88ff1ca84c
                                      • Opcode Fuzzy Hash: e3298efea2014f122d9e4da4ca7a52805c3aaa742dc7125d16785d6f153ddc68
                                      • Instruction Fuzzy Hash: 65413A319042196ACB14F7A1EC569EE7768EE21318F50017FF801B31E2EF399A458A9E
                                      APIs
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
                                      • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
                                      • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C
                                        • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                        • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                        • Part of subcall function 004127D5: RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                      • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371
                                      Strings
                                      Memory Dump Source
                                       • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                                      • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
                                      • API String ID: 726551946-3025026198
                                      APIs
                                      • OpenClipboard.USER32 ref: 004159C7
                                      • EmptyClipboard.USER32 ref: 004159D5
                                      • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
                                      • GlobalLock.KERNEL32(00000000), ref: 004159FE
                                      • GlobalUnlock.KERNEL32(00000000), ref: 00415A34
                                      • SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
                                      • CloseClipboard.USER32 ref: 00415A5A
                                      • OpenClipboard.USER32 ref: 00415A61
                                      • GetClipboardData.USER32(0000000D), ref: 00415A71
                                      • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                      • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                      • CloseClipboard.USER32 ref: 00415A89
                                        • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                      Yara matches
                                      Similarity
                                      • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                      • String ID:
                                      • API String ID: 3520204547-0
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: 0$1$2$3$4$5$6$7
                                      • API String ID: 0-3177665633
                                      APIs
                                      • GetForegroundWindow.USER32(?,?,004740F8), ref: 00409B3F
                                      • GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                      • GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                      • GetKeyState.USER32(00000010), ref: 00409B5C
                                      • GetKeyboardState.USER32(?,?,004740F8), ref: 00409B67
                                      • ToUnicodeEx.USER32(0047414C,00000000,?,?,00000010,00000000,00000000), ref: 00409B8A
                                      • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                      • ToUnicodeEx.USER32(0047414C,?,?,?,00000010,00000000,00000000), ref: 00409C1C
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                      • String ID: 8[G
                                      • API String ID: 1888522110-1691237782
                                      APIs
                                      • _wcslen.LIBCMT ref: 00406788
                                      • CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: Object_wcslen
                                      • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                      • API String ID: 240030777-3166923314
                                      APIs
                                      • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004748F8), ref: 004198D8
                                      • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419927
                                      • GetLastError.KERNEL32 ref: 00419935
                                      • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041996D
                                      Yara matches
                                      Similarity
                                      • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                      • String ID:
                                      • API String ID: 3587775597-0
                                      APIs
                                        • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                        • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                        • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                        • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                        • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                        • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
                                      • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004514C3
                                      • IsValidCodePage.KERNEL32(00000000), ref: 0045151E
                                      • IsValidLocale.KERNEL32(?,00000001), ref: 0045152D
                                      • GetLocaleInfoW.KERNEL32(?,00001001,<D,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00451575
                                      • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 00451594
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                      • String ID: <D$<D$<D
                                      • API String ID: 745075371-3495170934
                                      APIs
                                      • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B489
                                      • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4BB
                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B529
                                      • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B536
                                        • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B50C
                                      • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B561
                                      • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B568
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,004742E0,004742F8), ref: 0041B570
                                      • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B583
                                      Yara matches
                                      Similarity
                                      • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                      • String ID:
                                      • API String ID: 2341273852-0
                                      APIs
                                      • FindFirstFileW.KERNEL32(00000000,?), ref: 00418EBF
                                      • FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F8B
                                        • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: File$Find$CreateFirstNext
                                      • String ID: @CG$XCG$`HG$`HG$>G
                                      • API String ID: 341183262-3780268858
                                      APIs
                                      • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0041301A
                                      • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00413026
                                        • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                      • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
                                      • GetProcAddress.KERNEL32(00000000), ref: 004131F4
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: AddressCloseCreateLibraryLoadProcsend
                                      • String ID: SHDeleteKeyW$Shlwapi.dll
                                      • API String ID: 2127411465-314212984
                                      APIs
                                      • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
                                      • GetLastError.KERNEL32 ref: 0040B261
                                      Strings
                                      • [Chrome StoredLogins found, cleared!], xrefs: 0040B287
                                      • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
                                      • [Chrome StoredLogins not found], xrefs: 0040B27B
                                      • UserProfile, xrefs: 0040B227
                                      Yara matches
                                      Similarity
                                      • API ID: DeleteErrorFileLast
                                      • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                      • API String ID: 2018770650-1062637481
                                      APIs
                                      • GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                      • OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                      • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                      • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                      • GetLastError.KERNEL32 ref: 00416B02
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                      • String ID: SeShutdownPrivilege
                                      • API String ID: 3534403312-3733053543
                                      • Opcode ID: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                      • Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
                                      • Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                      • Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5
                                      APIs
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: __floor_pentium4
                                      • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                      • API String ID: 4168288129-2761157908
                                      • Opcode ID: 66bc95b00190c33de1dc88885a8d3c2e2540cf288971a00217ef3550ead5f7a6
                                      • Instruction ID: 57cc16b57fb9b80973019f24a4c29afa226e887048a240d5689d112d8919aadd
                                      • Opcode Fuzzy Hash: 66bc95b00190c33de1dc88885a8d3c2e2540cf288971a00217ef3550ead5f7a6
                                      • Instruction Fuzzy Hash: 08C26F72D046288FDB25CE28DD407EAB7B5EB44346F1441EBD84DE7242E778AE898F44
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 004089AE
                                        • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                        • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                      • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
                                      • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
                                        • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000), ref: 0040450E
                                        • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C
                                        • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,00475B70,?,?,00000000,00475B70,004017F3), ref: 004047FD
                                        • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404808
                                        • Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404811
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
                                        • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                      Yara matches
                                      Similarity
                                      • API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
                                      • String ID:
                                      • API String ID: 4043647387-0
                                      • Opcode ID: ee0780a88fd9297620b49bb59274a10587c6a93ca7e271978843c6db32b648ea
                                      • Instruction ID: d7705bc86650fd6632c5f082d335fbcd32bd3fe840799e2454ee74f5ab9ae988
                                      • Opcode Fuzzy Hash: ee0780a88fd9297620b49bb59274a10587c6a93ca7e271978843c6db32b648ea
                                      • Instruction Fuzzy Hash: 11A15C729001089ACB14EBA1DD92AEDB778AF54318F10427FF546B71D2EF385E498B98
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041981A,00000000,00000000), ref: 00419BCD
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041981A,00000000,00000000), ref: 00419BE2
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419BEF
                                      • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041981A,00000000,00000000), ref: 00419BFA
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0C
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0F
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ManagerStart
                                      • String ID:
                                      • API String ID: 276877138-0
                                      • Opcode ID: 6d0f589b7f4ed5c193fffaa70fef351a53496163331b96a9b3d3840ad54bf661
                                      • Instruction ID: 9ab78235182221d9a13884b701025ebbd4d22640777282bd149d85cf0e5c5631
                                      • Opcode Fuzzy Hash: 6d0f589b7f4ed5c193fffaa70fef351a53496163331b96a9b3d3840ad54bf661
                                      • Instruction Fuzzy Hash: 46F0E971404314AFD2115B31FC88DBF2AACEF85BA2B00043AF54193191CF68CD4595B9
                                      APIs
                                        • Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                        • Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                        • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                        • Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                        • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
                                      • ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
                                      • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
                                      • GetProcAddress.KERNEL32(00000000), ref: 00415977
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                      • String ID: PowrProf.dll$SetSuspendState
                                      • API String ID: 1589313981-1420736420
                                      • Opcode ID: edc00706272dc8694fa210cddba580f6438878c4cc72cf4b9022d3c1a848817e
                                      • Instruction ID: 94bd0be5b4d635cf3270abd21b93e0cba208aed3fdadf5553bbce7524c8ebf13
                                      • Opcode Fuzzy Hash: edc00706272dc8694fa210cddba580f6438878c4cc72cf4b9022d3c1a848817e
                                      • Instruction Fuzzy Hash: 7D2150B0604741E6CA14F7B19856AEF225A9F80748F40883FB402A72D2EF7CDC89865E
                                      APIs
                                      • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 0045127C
                                      • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 004512A5
                                      • GetACP.KERNEL32(?,?,00451502,?,00000000), ref: 004512BA
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: InfoLocale
                                      • String ID: ACP$OCP
                                      • API String ID: 2299586839-711371036
                                      • Opcode ID: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                      • Instruction ID: bcb6c1b5649eca6e102b6d6ca9fa22aa61ab34f591545d84575f60c76f210f03
                                      • Opcode Fuzzy Hash: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                      • Instruction Fuzzy Hash: 50212722600100A6D7348F54D900BAB73A6AB40B66F1645E6FD09E7322F736DD49C799
                                      APIs
                                      • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A650
                                      • LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A664
                                      • LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A66B
                                      • SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67A
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: Resource$FindLoadLockSizeof
                                      • String ID: SETTINGS
                                      • API String ID: 3473537107-594951305
                                      • Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                      • Instruction ID: 83a829ee02157d331b98a48cb758db5ec39b6d120b3a3db205f860a33549a403
                                      • Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                      • Instruction Fuzzy Hash: 3EE01A3A200710ABCB211BA5BC8CD477E39E7867633140036F90582331DA358850CA59
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00407A91
                                      • FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                      • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                      • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
                                      Yara matches
                                      Similarity
                                      • API ID: Find$File$CloseFirstH_prologNext
                                      • String ID:
                                      • API String ID: 1157919129-0
                                      • Opcode ID: 46eaf1de8721050399aceeeffa6b8ddb07bc60cda3e18ddf1bef56fed7617948
                                      • Instruction ID: c296e4c637b16ec180f1d25cf2666c4e6f2336455dd814d501b84ef2841b6e91
                                      • Opcode Fuzzy Hash: 46eaf1de8721050399aceeeffa6b8ddb07bc60cda3e18ddf1bef56fed7617948
                                      • Instruction Fuzzy Hash: 485173329041085ACB14FB65DD969DD7778AF50318F50417EB806B31E2EF38AB498B99
                                      APIs
                                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
                                      • _free.LIBCMT ref: 00448067
                                        • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                        • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                      • _free.LIBCMT ref: 00448233
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                      • String ID:
                                      • API String ID: 1286116820-0
                                      • Opcode ID: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                                      • Instruction ID: adcac59616ce0bf4d9b6f5e4feac4fc1c4b096f081e8a0f87c9a15d47e4c4f65
                                      • Opcode Fuzzy Hash: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                                      • Instruction Fuzzy Hash: 13510B719002099BE714DF69DC819AFB7BCEF41354F10456FE454A32A1EF389E46CB58
                                      APIs
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
                                      • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
                                      Strings
                                      • open, xrefs: 0040622E
                                      • C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe, xrefs: 0040627F, 004063A7
                                      Yara matches
                                      Similarity
                                      • API ID: DownloadExecuteFileShell
                                      • String ID: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe$open
                                      • API String ID: 2825088817-114274137
                                      • Opcode ID: 719a99942f8ec86913706a6d087c9e1765365243820f9c759ce4d379639c345b
                                      • Instruction ID: f68f5450864a8ef507c8d3860f756bd811b48be2db930e76b40a644c5c1bb7bc
                                      • Opcode Fuzzy Hash: 719a99942f8ec86913706a6d087c9e1765365243820f9c759ce4d379639c345b
                                      • Instruction Fuzzy Hash: 0761A33160434067CA14FA76C8569BE77A69F81718F00493FBC46772D6EF3C9A05C69B
                                      APIs
                                      • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
                                      • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
                                        • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: FileFind$FirstNextsend
                                      • String ID: x@G$x@G
                                      • API String ID: 4113138495-3390264752
                                      • Opcode ID: 78527834d5967a8305f521ec04368930b73d07c6febb1a3811bdf86b1f9949ed
                                      • Instruction ID: 9df0c8526107c53e8273efc1e688d8f669138e67c86485f4ac558c26d22f9560
                                      • Opcode Fuzzy Hash: 78527834d5967a8305f521ec04368930b73d07c6febb1a3811bdf86b1f9949ed
                                      • Instruction Fuzzy Hash: B42147725043015BC714FB61D8959AF77A8AFD1358F40093EF996A31D1EF38AA088A9B
                                      APIs
                                      • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                        • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                                        • Part of subcall function 004126D2: RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                                        • Part of subcall function 004126D2: RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: CloseCreateInfoParametersSystemValue
                                      • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                      • API String ID: 4127273184-3576401099
                                      • Opcode ID: 3d360fdf2e78990b0619b3c2804760803c56fcbcebbcac8b827f4f8c51bc1c9b
                                      • Instruction ID: a6c166168c7895b99543370299e99232025f4d6daba66cbb636fef562e17b9dc
                                      • Opcode Fuzzy Hash: 3d360fdf2e78990b0619b3c2804760803c56fcbcebbcac8b827f4f8c51bc1c9b
                                      • Instruction Fuzzy Hash: 06112432B8060433D514303A4E6FBAE1806D356B60FA4415FF6026A6DAFA9E5AE103DF
                                      APIs
                                        • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                        • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                        • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                        • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                      • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443CF3,?,?,?,?,?,?,00000004), ref: 00450B61
                                      • _wcschr.LIBVCRUNTIME ref: 00450BF1
                                      • _wcschr.LIBVCRUNTIME ref: 00450BFF
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00443CF3,00000000,00443E13), ref: 00450CA2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                      • String ID:
                                      • API String ID: 4212172061-0
                                      • Opcode ID: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                                      • Instruction ID: a02e79dc60b90d06ce6287b0e519d5a2a37574338541b46fb9e412c2f7ec0900
                                      • Opcode Fuzzy Hash: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                                      • Instruction Fuzzy Hash: D7613B79600306AAD729AB75CC82AAB73ACEF05316F14052FFD05D7243E778E909C768
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 00408DAC
                                      • FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
                                      • FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileFind$FirstH_prologNext
                                      • String ID:
                                      • API String ID: 301083792-0
                                      • Opcode ID: d6cdaf8c499078e499f84ffb3e77f4738ec248ef72dde797b3892744a407d8f9
                                      • Instruction ID: 60446431aa0b45b5fc099c057f6d50f3e7887136e12703af2d86415be67689ac
                                      • Opcode Fuzzy Hash: d6cdaf8c499078e499f84ffb3e77f4738ec248ef72dde797b3892744a407d8f9
                                      • Instruction Fuzzy Hash: 357140328001099BCB15EBA1DC919EE7778AF54318F10427FE856B71E2EF386E45CB98
                                      APIs
                                        • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                        • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                        • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                        • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                        • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                        • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450EBE
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F0F
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FCF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorInfoLastLocale$_free$_abort
                                      • String ID:
                                      • API String ID: 2829624132-0
                                      • Opcode ID: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                                      • Instruction ID: e92eb603d23812efeda5bde14236c6fbce748c008cf001f3fb8de25b7fcb8669
                                      • Opcode Fuzzy Hash: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                                      • Instruction Fuzzy Hash: AC61D3365002079FDB289F24CD82BBB77A8EF04706F1041BBED05C6696E778D989DB58
                                      APIs
                                      • IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 0043A755
                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 0043A75F
                                      • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 0043A76C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                      • String ID:
                                      • API String ID: 3906539128-0
                                      • Opcode ID: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                      • Instruction ID: 15fc2c217458336097e8e19d69e2940e7c5a4b77666d4e23b7e272f62fea865b
                                      • Opcode Fuzzy Hash: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                      • Instruction Fuzzy Hash: 2D31D47490121CABCB21DF64D98979DBBB8BF08310F5052EAE81CA7251E7349F81CF49
                                      APIs
                                      • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326C2,00000024,?,?,?), ref: 0043294C
                                      • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBBE,?), ref: 00432962
                                      • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBBE,?), ref: 00432974
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Crypt$Context$AcquireRandomRelease
                                      • String ID:
                                      • API String ID: 1815803762-0
                                      • Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                      • Instruction ID: 80435fde6f6b62f03973a002229794bf261f16e8857de4c024377aa862d1bdf3
                                      • Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                      • Instruction Fuzzy Hash: 11E06D31308211BBEB310E25BC08F573F94AF89B71F71053AB211E40E4C2A188419A1C
                                      APIs
                                      • GetCurrentProcess.KERNEL32(?,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002,00000000), ref: 00442575
                                      • TerminateProcess.KERNEL32(00000000,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002,00000000), ref: 0044257C
                                      • ExitProcess.KERNEL32 ref: 0044258E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$CurrentExitTerminate
                                      • String ID:
                                      • API String ID: 1703294689-0
                                      • Opcode ID: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                      • Instruction ID: 6e58600c80f72e94ca833af3256d2da28fe7ef7edb4b61bff2e48710a34f1207
                                      • Opcode Fuzzy Hash: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                      • Instruction Fuzzy Hash: 65E08C31004648BFDF016F14EE18A893F29EF10346F408475F80A8A632CFB9DE92CB88
                                      APIs
                                      • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150C3,00000000), ref: 0041ACCC
                                      • NtSuspendProcess.NTDLL(00000000), ref: 0041ACD9
                                      • CloseHandle.KERNEL32(00000000,?,?,004150C3,00000000), ref: 0041ACE2
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$CloseHandleOpenSuspend
                                      • String ID:
                                      • API String ID: 1999457699-0
                                      • Opcode ID: 25604720b1c4003eaa4d94084830c6d0564ffd887a8d5c6f711170065f3891c4
                                      • Instruction ID: f0940f0a464cb9da12e036c8bcda16370f3965740af83b573a45ae51f9acba0f
                                      • Opcode Fuzzy Hash: 25604720b1c4003eaa4d94084830c6d0564ffd887a8d5c6f711170065f3891c4
                                      • Instruction Fuzzy Hash: E7D0A733605131638221176A7C0CC87EE6CDFC1EB37024136F404C3220DA30C84186F4
                                      APIs
                                      • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150E8,00000000), ref: 0041ACF8
                                      • NtResumeProcess.NTDLL(00000000), ref: 0041AD05
                                      • CloseHandle.KERNEL32(00000000,?,?,004150E8,00000000), ref: 0041AD0E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$CloseHandleOpenResume
                                      • String ID:
                                      • API String ID: 3614150671-0
                                      • Opcode ID: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
                                      • Instruction ID: b64f47c6af987b25b68fadd97e6a7e629856a7b738c344dffca8a71896aa998e
                                      • Opcode Fuzzy Hash: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
                                      • Instruction Fuzzy Hash: DFD0A733504132638220176A7C0CC87EDADDFC5EB37024236F404C3621DA34C841C6F4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: .
                                      • API String ID: 0-248832578
                                      • Opcode ID: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                                      • Instruction ID: db76f937e81630575b2700384d205b0ac401e8f874fa32e43cac1aabc581782c
                                      • Opcode Fuzzy Hash: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                                      • Instruction Fuzzy Hash: CB310471900209AFEB249E79CC84EEB7BBDDB86318F1101AEF91897251E6389D458B64
                                      APIs
                                        • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                        • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                        • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                        • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                      • EnumSystemLocalesW.KERNEL32(00450E6A,00000001,00000000,?,<D,?,00451497,00000000,?,?,?), ref: 00450DB4
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                      • String ID: <D
                                      • API String ID: 1084509184-3866323178
                                      • Opcode ID: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
                                      • Instruction ID: b1cdb4a87285138648e71eec5b58018a028c0508cbf90fbfa4a5e64eba390ba2
                                      • Opcode Fuzzy Hash: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
                                      • Instruction Fuzzy Hash: 9C11293B2007055FDB189F79D8916BAB7A1FF8031AB14442DE94647741D375B846C744
                                      APIs
                                        • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                        • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                        • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                        • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                      • EnumSystemLocalesW.KERNEL32(004510BA,00000001,?,?,<D,?,0045145B,<D,?,?,?,?,?,00443CEC,?,?), ref: 00450E29
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                      • String ID: <D
                                      • API String ID: 1084509184-3866323178
                                      • Opcode ID: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
                                      • Instruction ID: d323619e2976bd52c5edaa4f55efd93dda7e8b303aa23e489220a9c0c916f3e4
                                      • Opcode Fuzzy Hash: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
                                      • Instruction Fuzzy Hash: 5BF0223A2003045FDB145F3AD882AAB7B95EF81729B25842EFD058B782D275AC42C644
                                      APIs
                                      • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475EA
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InfoLocale
                                      • String ID: GetLocaleInfoEx
                                      • API String ID: 2299586839-2904428671
                                      • Opcode ID: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                      • Instruction ID: 80a81796b135a3e0eaabc3ca7fb48afb6b687e063e78a0117ef0368584b3b56e
                                      • Opcode Fuzzy Hash: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                      • Instruction Fuzzy Hash: 82F0F031A44308BBDB11AF61EC06F6E7B25EF04712F00416AFC046A2A2CB359E11969E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
                                      • Instruction ID: cffdc6bb8eb20f5336ace8b102e865ec7dcfb2cf624fb46ac032ba80a60d6a90
                                      • Opcode Fuzzy Hash: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
                                      • Instruction Fuzzy Hash: 8A024C71E002199BEF14CFA9C9806AEBBF1FF88314F25826AD919E7350D735AD45CB84
                                      APIs
                                      • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004520CD,?,?,00000008,?,?,00455412,00000000), ref: 004522FF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExceptionRaise
                                      • String ID:
                                      • API String ID: 3997070919-0
                                      • Opcode ID: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
                                      • Instruction ID: 47108b7899804ebb5d40a9255b8f0d240b678f8396b787326aeb691ef157153f
                                      • Opcode Fuzzy Hash: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
                                      • Instruction Fuzzy Hash: C0B18F351106089FD715CF28C586B567BE0FF06325F29869AEC99CF3A2C379E986CB44
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: 0
                                      • API String ID: 0-4108050209
                                      • Opcode ID: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
                                      • Instruction ID: f72c02501a8b687524d4eed2bba9748ce27a8789a4669d3223b659a6f876a8a8
                                      • Opcode Fuzzy Hash: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
                                      • Instruction Fuzzy Hash: 8002B3727083004BD714DF39D95272EF3E2AFCC758F15492EF499AB391DA78A8058A4A
                                      APIs
                                        • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                        • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                        • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                        • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                        • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                        • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
                                      • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045110E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$_free$InfoLocale_abort
                                      • String ID:
                                      • API String ID: 1663032902-0
                                      • Opcode ID: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                      • Instruction ID: 725ff80feb3504da526bb6f16fdbe645276de1ecdd37ac2f1e7666d8a95350e0
                                      • Opcode Fuzzy Hash: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                      • Instruction Fuzzy Hash: 2D21B332500606ABDB249A25DC46B7B73A8EB09316F1041BBFE01C6252EB79DD48CB99
                                      APIs
                                        • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                        • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                        • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                        • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                      • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451088,00000000,00000000,?), ref: 00451316
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$InfoLocale_abort_free
                                      • String ID:
                                      • API String ID: 2692324296-0
                                      • Opcode ID: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                                      • Instruction ID: 964a9937ac5a020d26487979adcc3deadbef587b10f76395f6381cc8137ce6dd
                                      • Opcode Fuzzy Hash: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                                      • Instruction Fuzzy Hash: 10F07D32500111BBEB286A25CC16BFF7758EB00716F15046BEC06A3651FA38FD49C6D4
                                      APIs
                                        • Part of subcall function 00444ACC: EnterCriticalSection.KERNEL32(-00471558,?,0044225B,00000000,0046DAC0,0000000C,00442216,0000000A,?,?,00448739,0000000A,?,00446F74,00000001,00000364), ref: 00444ADB
                                      • EnumSystemLocalesW.KERNEL32(00447068,00000001,0046DC48,0000000C), ref: 004470E6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CriticalEnterEnumLocalesSectionSystem
                                      • String ID:
                                      • API String ID: 1272433827-0
                                      • Opcode ID: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
                                      • Instruction ID: 877f7ae5c491a2fbf36f534f7b8138893028b6a81f24f5c3744eb9f6a7677366
                                      • Opcode Fuzzy Hash: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
                                      • Instruction Fuzzy Hash: F6F04932A10200EFEB04EF68E806B4D77B0EB44725F10816AF414DB2E2DB7889818B49
                                      APIs
                                        • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                        • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                        • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                        • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                      • EnumSystemLocalesW.KERNEL32(00450C4E,00000001,?,?,?,004514B9,<D,?,?,?,?,?,00443CEC,?,?,?), ref: 00450D2E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                      • String ID:
                                      • API String ID: 1084509184-0
                                      • Opcode ID: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
                                      • Instruction ID: ec648f77c102ae861fabd43d141f98194b25f4d0b1f390d0839222eb7000fb0b
                                      • Opcode Fuzzy Hash: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
                                      • Instruction Fuzzy Hash: CBF05C3D30020557CB159F35D81576B7F94EFC2711B07405AFE098B381C239D846C754
                                      APIs
                                      • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A10,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InfoLocale
                                      • String ID:
                                      • API String ID: 2299586839-0
                                      • Opcode ID: 2f0bd58ff2c46692be8fd04023cab22914861fe3b087e1ba55e03f3e1b92ba33
                                      • Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
                                      • Opcode Fuzzy Hash: 2f0bd58ff2c46692be8fd04023cab22914861fe3b087e1ba55e03f3e1b92ba33
                                      • Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: recv
                                      • String ID:
                                      • API String ID: 1507349165-0
                                      • Opcode ID: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                      • Instruction ID: fbcf0fb35859d26dd0bec2a34c6193cd90ff2e5205aa97c5c9b80f8ed11fde70
                                      • Opcode Fuzzy Hash: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                      • Instruction Fuzzy Hash: 35B09279118202FFCA051B60DC0887ABEBAABCC381F108D2DB586501B0CA37C451AB26
                                      APIs
                                      • SetUnhandledExceptionFilter.KERNEL32(Function_00033CE3,004339B1), ref: 00433CDC
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ExceptionFilterUnhandled
                                      • String ID:
                                      • API String ID: 3192549508-0
                                      • Opcode ID: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
                                      • Instruction ID: 83953e3dca8a62111c248ad4478ddd9c1373f985a30770e5fc8846644fe13ce9
                                      • Opcode Fuzzy Hash: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
                                      • Instruction Fuzzy Hash:
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: BG3i@
                                      • API String ID: 0-2407888476
                                      • Opcode ID: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
                                      • Instruction ID: a817909710d0090f483bb13cdd1d1ee80d6dfae79024daed79820ace932836b2
                                      • Opcode Fuzzy Hash: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
                                      • Instruction Fuzzy Hash: E361777160070966DA385A2858D6BBF6396EB0DB04F10391BE943FF3C1D61DAD43874E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: 0
                                      • API String ID: 0-4108050209
                                      • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                      • Instruction ID: e47b97b21f836cd03f295ee90de6feb37cae4df0254a032430ab3cefd666e269
                                      • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                      • Instruction Fuzzy Hash: C851AC3160070457DF388A6985DA7BF6B959B0E700F18352FE48AFB382C60DED02979E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: @
                                      • API String ID: 0-2766056989
                                      • Opcode ID: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                                      • Instruction ID: 4dd25ef8aece06dcbd44762d080e1d81d96ea4c89eb3931c7e752ffea448aa68
                                      • Opcode Fuzzy Hash: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                                      • Instruction Fuzzy Hash: 99417576A083158FC314CE29D18021BFBE1FBC8300F568A2EF99693350D679E980CB86
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: HeapProcess
                                      • String ID:
                                      • API String ID: 54951025-0
                                      • Opcode ID: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                                      • Instruction ID: 9504a653bcf427532d5064532c05f1d04939bb5561e35e6535c2a7eba45b7a60
                                      • Opcode Fuzzy Hash: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                                      • Instruction Fuzzy Hash: 84A00270506201CB57404F756F0525937D9654559170580755409C5571D62585905615
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b5ca945c73f96586680b794a2cfc8b55e8f7bc2f58380cec5295694457d85c5e
                                      • Instruction ID: 1fbb2d6a6e610910e1865e113166bba559d0ad1400e2c5ed2b94208389d41108
                                      • Opcode Fuzzy Hash: b5ca945c73f96586680b794a2cfc8b55e8f7bc2f58380cec5295694457d85c5e
                                      • Instruction Fuzzy Hash: 4E323621D2AF014DE7639634C862336A649AFB73C5F19D737F81AB5AA6EB2CC4C34105
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: f36ab663cb4d239ef1e0a5f108238eabc662f1d3d061ede5d5b4150ec9228ddd
                                      • Instruction ID: 2a34495ee4f42e5442afe8381c33b9994a027dd0bc8bc0cc3fe6fc4803c66e78
                                      • Opcode Fuzzy Hash: f36ab663cb4d239ef1e0a5f108238eabc662f1d3d061ede5d5b4150ec9228ddd
                                      • Instruction Fuzzy Hash: 9732C1796087469BD714DF2AC4807ABB7E1BF84304F444A2EFC958B381D778DD858B8A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 51f8d9063bc82676a5307432183369734bf664b3393a643c02daa012ce37ec01
                                      • Instruction ID: 022d1978040d43b7ea9bbfc0a41ffb8b00617051ae00cac38c3f572af68edcce
                                      • Opcode Fuzzy Hash: 51f8d9063bc82676a5307432183369734bf664b3393a643c02daa012ce37ec01
                                      • Instruction Fuzzy Hash: 0D028F717046518FD318CF2EE880536B7E1AF8E301B46863EE585C7395EB74E922CB95
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 74e588301cf54894560b91a60f0e3518b6bdc06a9ff6f3e52f80e31c4ce3b340
                                      • Instruction ID: dd4ce2a6fae4266494c2f053a510589cf36d02151b1693af83bcfdcd1697f2cb
                                      • Opcode Fuzzy Hash: 74e588301cf54894560b91a60f0e3518b6bdc06a9ff6f3e52f80e31c4ce3b340
                                      • Instruction Fuzzy Hash: 55F13B716142548FC314DF1DE89187BB3E0EB8A301B460A2EF5C2D7392DB78E91ADB56
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 7363a9fedaeb76f2bf31ad894624b0994c444190ff40f401d8ef5418a52334f3
                                      • Instruction ID: a134442df30985c3d9ded0ed06b90328dea8838589cb671b1bd0994677c35241
                                      • Opcode Fuzzy Hash: 7363a9fedaeb76f2bf31ad894624b0994c444190ff40f401d8ef5418a52334f3
                                      • Instruction Fuzzy Hash: 60D1A171A083158BC721DE29C88096FB7E4FFD8354F446A2EF88597361EB38DD058B86
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 1d5f87b89f6cc3a45a9bf331663a41d894a757e8db0ddd404c7656d5df1518eb
                                      • Instruction ID: 86422b113df266cbb8d28aa4d41e6099a1760efb4c6ea83322c03ecd969c618c
                                      • Opcode Fuzzy Hash: 1d5f87b89f6cc3a45a9bf331663a41d894a757e8db0ddd404c7656d5df1518eb
                                      • Instruction Fuzzy Hash: 46B1817951429A8ACB05EF28C4913F63BA1EF6A300F4851B9EC9CCF757D3399506EB24
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                      • Instruction ID: c2ccfb52f11e3b3b259396a7657262a28929e77abe156aeb413db61674ad6f9a
                                      • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                      • Instruction Fuzzy Hash: EB91C8722080A319DB2D463E847403FFFE19A563A1B1BA79FD4F2CB2C5EE18D564D624
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                      • Instruction ID: 4bc7a19b78b3923bd294324807b23a5e70e392b11aa895e474023c0768c286cc
                                      • Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                      • Instruction Fuzzy Hash: 1C91B6762080A35ADB2D463AC43403FFFE15A563A1B1B979FD4F2CB2C5EE18C568D624
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                      • Instruction ID: 8cd81e8b6c8cb135a2d00aee0b4681899237c427d703fcd1ed6b13232f465ad6
                                      • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                      • Instruction Fuzzy Hash: 439195722090A35ADB2D463D843403FFFE15E5A3A1B1B979FD4F2CB2C5EE28C5649624
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                      • Instruction ID: 3f92c48b0efc6548e9d2ace3e3fdbc0fca8b075b553eb95927f683fa27391a83
                                      • Opcode Fuzzy Hash: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                      • Instruction Fuzzy Hash: A4613471E0070867DE385928B896BBF23A8AB0D708F24755BE942DB381D65DDD43C24E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                      • Instruction ID: b40c52ae0115b4061fe2d1036eda9829452ee7622c5651f608d151b30f65a328
                                      • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                      • Instruction Fuzzy Hash: B081C4722090A319DB2D463E843403FFFE15A563A5B1BA7AFD4F2CB2C5EE18C5649624
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                      • Instruction ID: 61f6cd4e2a94a36a6652522188f48ed2bcd63c305fdb574287b7df62abf21a4e
                                      • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                      • Instruction Fuzzy Hash: BB51677170460D9BDB34E96894E77BFA3899B0E344F18350BD882B7382D60CED02939E
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 6f0963373f33ef73dbd289fc78ad1b7818d684b7f305e862658b304cf2148f24
                                      • Instruction ID: 42e819d74c2f676ea4fb49a2469d6a41ac5eaf2d1859dcf64078451750f97267
                                      • Opcode Fuzzy Hash: 6f0963373f33ef73dbd289fc78ad1b7818d684b7f305e862658b304cf2148f24
                                      • Instruction Fuzzy Hash: 49614E32A083119FC308DF35E581A5BB7E5FFDC718F550E1EF48996151E674EA088B8A
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                      • Instruction ID: d77b428d8deff70f46db9a150fef47e19855adfe796a652afc1ecdf390514463
                                      • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                      • Instruction Fuzzy Hash: D1110BF724C18143EE74862DD8B46B7A795EACE320F2C636BD0C14B758D52A99459908
                                      APIs
                                      • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FB9
                                      • CreateCompatibleDC.GDI32(00000000), ref: 00417FC4
                                        • Part of subcall function 00418452: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418482
                                      • CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418045
                                      • DeleteDC.GDI32(?), ref: 0041805D
                                      • DeleteDC.GDI32(00000000), ref: 00418060
                                      • SelectObject.GDI32(00000000,00000000), ref: 0041806B
                                      • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00418093
                                      • GetCursorInfo.USER32(?), ref: 004180B5
                                      • GetIconInfo.USER32(?,?), ref: 004180CB
                                      • DeleteObject.GDI32(?), ref: 004180FA
                                      • DeleteObject.GDI32(?), ref: 00418107
                                      • DrawIcon.USER32(00000000,?,?,?), ref: 00418114
                                      • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418144
                                      • GetObjectA.GDI32(?,00000018,?), ref: 00418173
                                      • LocalAlloc.KERNEL32(00000040,00000028), ref: 004181BC
                                      • LocalAlloc.KERNEL32(00000040,00000001), ref: 004181DF
                                      • GlobalAlloc.KERNEL32(00000000,?), ref: 00418248
                                      • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041826B
                                      • DeleteDC.GDI32(?), ref: 0041827F
                                      • DeleteDC.GDI32(00000000), ref: 00418282
                                      • DeleteObject.GDI32(00000000), ref: 00418285
                                      • GlobalFree.KERNEL32(00CC0020), ref: 00418290
                                      • DeleteObject.GDI32(00000000), ref: 00418344
                                      • GlobalFree.KERNEL32(?), ref: 0041834B
                                      • DeleteDC.GDI32(?), ref: 0041835B
                                      • DeleteDC.GDI32(00000000), ref: 00418366
                                      • DeleteDC.GDI32(?), ref: 00418398
                                      • DeleteDC.GDI32(00000000), ref: 0041839B
                                      • DeleteObject.GDI32(?), ref: 004183A1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconInfoLocal$BitmapBitsCursorDisplayDrawEnumSelectSettingsStretch
                                      • String ID: DISPLAY
                                      • API String ID: 1352755160-865373369
                                      • Opcode ID: 1713e221986eac5e09055e201b2983f957a8c2628f8d93144efb6ff1e3dc8593
                                      • Instruction ID: f05cd178694609e891ba83f5bdf02bb76ea447df34f4969275af8919d08089d1
                                      • Opcode Fuzzy Hash: 1713e221986eac5e09055e201b2983f957a8c2628f8d93144efb6ff1e3dc8593
                                      • Instruction Fuzzy Hash: 12C17C31508345AFD3209F25DC44BABBBE9FF88751F04082EF989932A1DB34E945CB5A
                                      APIs
                                      • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
                                      • GetProcAddress.KERNEL32(00000000), ref: 0041728F
                                      • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
                                      • GetProcAddress.KERNEL32(00000000), ref: 004172A3
                                      • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
                                      • GetProcAddress.KERNEL32(00000000), ref: 004172B7
                                      • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
                                      • GetProcAddress.KERNEL32(00000000), ref: 004172CB
                                      • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
                                      • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
                                      • GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
                                      • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
                                      • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
                                      • TerminateProcess.KERNEL32(?,00000000), ref: 00417454
                                      • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
                                      • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
                                      • SetThreadContext.KERNEL32(?,00000000), ref: 00417575
                                      • ResumeThread.KERNEL32(?), ref: 00417582
                                      • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
                                      • GetCurrentProcess.KERNEL32(?), ref: 004175A5
                                      • TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
                                      • GetLastError.KERNEL32 ref: 004175C7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                      • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`Wu$ntdll
                                      • API String ID: 4188446516-529412701
                                      • Opcode ID: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
                                      • Instruction ID: f03761d26bac9a2bfb1ad98f85ac7da09ef0bd98ba300517d6d91d37beebd467
                                      • Opcode Fuzzy Hash: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
                                      • Instruction Fuzzy Hash: EEA17C71508304AFD7209F65DC45B6B7BF9FF48345F00082AF689C2661E775E984CB6A
                                      APIs
                                      • CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
                                      • ExitProcess.KERNEL32 ref: 0041151D
                                        • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                        • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                        • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(00000000), ref: 0041269D
                                        • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
                                      • OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
                                      • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382
                                        • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                        • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                        • Part of subcall function 004127D5: RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                      • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
                                      • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
                                      • GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
                                      • lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
                                        • Part of subcall function 0041B58F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040A009,?,00000000,00000000), ref: 0041B5EB
                                        • Part of subcall function 0041B58F: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A009,?,00000000,00000000), ref: 0041B5FF
                                        • Part of subcall function 0041B58F: CloseHandle.KERNEL32(00000000,?,0040A009,?,00000000,00000000), ref: 0041B60C
                                      • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
                                      • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
                                      • OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
                                      • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1
                                        • Part of subcall function 0041B58F: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6A5,00000000,00000000,?), ref: 0041B5CE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                                      • String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
                                      • API String ID: 4250697656-2665858469
                                      • Opcode ID: 7f1ed21a8f9ec2c6bc20c89f454dfa14423f7449cf21d358318308e86ee4bfa1
                                      • Instruction ID: b1cd6038c3dd2fca16f1d1fb39a824579eeb1b45f376adef666059b0b2e54ae4
                                      • Opcode Fuzzy Hash: 7f1ed21a8f9ec2c6bc20c89f454dfa14423f7449cf21d358318308e86ee4bfa1
                                      • Instruction Fuzzy Hash: D751B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D
                                      APIs
                                        • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                        • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040C38B
                                      • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C39E
                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040C3B7
                                      • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040C3E7
                                        • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_000099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                        • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                        • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
                                        • Part of subcall function 0041B58F: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6A5,00000000,00000000,?), ref: 0041B5CE
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C632
                                      • ExitProcess.KERNEL32 ref: 0040C63E
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                      • String ID: """, 0$")$@CG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                      • API String ID: 1861856835-3168347843
                                      • Opcode ID: 65ab949301b5b3d8639a32b56c5dc78fae3f7335a75fc2ee329a3fe9e499b150
                                      • Instruction ID: c8b5e11b4abf5c95f8ab28b2bb359051ef64700817c412cd349ec45860bdb676
                                      • Opcode Fuzzy Hash: 65ab949301b5b3d8639a32b56c5dc78fae3f7335a75fc2ee329a3fe9e499b150
                                      • Instruction Fuzzy Hash: EB9175316042005AC314FB25D852ABF7799AF91718F10453FF98A631E2EF7CAD49C69E
                                      APIs
                                      • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2B2
                                      • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2C6
                                      • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2EE
                                      • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A2FF
                                      • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A340
                                      • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A358
                                      • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A36D
                                      • SetEvent.KERNEL32 ref: 0041A38A
                                      • WaitForSingleObject.KERNEL32(000001F4), ref: 0041A39B
                                      • CloseHandle.KERNEL32 ref: 0041A3AB
                                      • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3CD
                                      • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3D7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                      • String ID: alias audio$" type $TUF$close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
                                      • API String ID: 738084811-2745919808
                                      • Opcode ID: bedb79d6b777c24a058fb07aaadb0652bc7d041f343cfefae731751c07e31b37
                                      • Instruction ID: 9d48d6c6e0579c1e833a8367b0d02802659df9f73890df0c3e8ff2b6504ede8e
                                      • Opcode Fuzzy Hash: bedb79d6b777c24a058fb07aaadb0652bc7d041f343cfefae731751c07e31b37
                                      • Instruction Fuzzy Hash: 9A51C2712443056AD214BB31DC82EBF3B5CEB91758F10043FF455A21E2EE389D9986AF
                                      APIs
                                        • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                        • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
                                      • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
                                      • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
                                      • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065
                                        • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_000099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                        • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                        • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
                                        • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,75573530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
                                      • ExitProcess.KERNEL32 ref: 0040C287
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                      • String ID: ")$.vbs$@CG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                      • API String ID: 3797177996-1998216422
                                      • Opcode ID: 370c10820b093f14fed5df3d00b46a5de93c8f0b8d673d9fb6d6526132f7967a
                                      • Instruction ID: 1063ce1f4075510d90626cdc8b34ac690c3cf2dc76fa2c9c3337a4c1feab76e8
                                      • Opcode Fuzzy Hash: 370c10820b093f14fed5df3d00b46a5de93c8f0b8d673d9fb6d6526132f7967a
                                      • Instruction Fuzzy Hash: B78191316042005BC315FB21D862ABF77A9ABD1308F10453FF586A71E2EF7CAD49869E
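The two uninstall/cleanup functions above (the one ending at 0040C63E and the one ending at 0040C287) share the same VBScript fragments in their string lists: an `On Error Resume Next` prologue, a `Scripting.FileSystemObject`, a `while fso.FileExists(" ... wend` wait loop, `fso.DeleteFile`/`fso.DeleteFolder` calls and finally `fso.DeleteFile(Wscript.ScriptFullName)`, dropped as `\update.vbs` under `Temp`. The following detector is an added example for this report and not code recovered from the sample: it treats those literal fragments as indicators and flags a script only when the wait-loop, payload-deletion and self-deletion roles all appear together. The two VBScript inputs at the bottom are constructed for the demonstration; the report does not show the sample's full script.

```python
"""Heuristic detector for the self-deleting VBScript cleanup pattern whose
fragments appear in the Remcos function listings above.

Added example for this report, not code recovered from the sample. The
INDICATORS values are the literal strings from the report's String ID
lists; the two scripts at the bottom are constructed for demonstration.
"""
import re

# Literal fragments from the report, grouped by the role they play.
INDICATORS = {
    "error_suppression": ["On Error Resume Next"],
    "fso_object": ['Set fso = CreateObject("Scripting.FileSystemObject")'],
    "poll_loop": ['while fso.FileExists("', "wend"],
    "delete_payload": ['fso.DeleteFile "', 'fso.DeleteFolder "'],
    "self_delete": ["fso.DeleteFile(Wscript.ScriptFullName)"],
    "shell_run": ['CreateObject("WScript.Shell").Run "cmd /c ""'],
}

# Wait for the dropper to exit, delete it, then delete the script itself:
# these three roles together describe the cleanup routine.
REQUIRED_ROLES = {"poll_loop", "delete_payload", "self_delete"}


def _normalize(text: str) -> str:
    """VBScript is case-insensitive and whitespace around '=' varies."""
    return re.sub(r"[ \t]+", " ", text.lower())


def match_indicators(script: str) -> dict:
    """Return {role: [matched fragments]} for every role with at least one hit."""
    norm = _normalize(script)
    hits = {}
    for role, fragments in INDICATORS.items():
        found = [f for f in fragments if _normalize(f) in norm]
        if found:
            hits[role] = found
    return hits


def is_self_deleting_cleanup(script: str) -> bool:
    """True when all REQUIRED_ROLES are present in the script."""
    return REQUIRED_ROLES.issubset(match_indicators(script))


# Constructed script that mirrors the fragments' shape (paths are made up).
CONSTRUCTED_CLEANUP_VBS = '''On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
while fso.FileExists("C:\\Users\\user\\Desktop\\dropper.exe")
wend
fso.DeleteFile "C:\\Users\\user\\Desktop\\dropper.exe"
fso.DeleteFolder "C:\\Users\\user\\AppData\\Local\\Temp\\stage"
fso.DeleteFile(Wscript.ScriptFullName)
'''

# Constructed benign FileSystemObject use: no wait loop, no self-deletion.
CONSTRUCTED_BENIGN_VBS = '''Set fso = CreateObject("Scripting.FileSystemObject")
Set f = fso.OpenTextFile("C:\\logs\\app.log", 1)
WScript.Echo f.ReadAll
f.Close
'''

if __name__ == "__main__":
    for name, script in [("cleanup", CONSTRUCTED_CLEANUP_VBS),
                         ("benign", CONSTRUCTED_BENIGN_VBS)]:
        print(name, is_self_deleting_cleanup(script), sorted(match_indicators(script)))
```

The `wend` fragment alone is weak (it is an ordinary VBScript keyword), which is why the verdict requires the deletion roles as well; the `shell_run` role is reported but not required, since only one of the two functions listed above carries the `WScript.Shell ... cmd /c` fragment.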
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                      • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
                                      • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
                                      • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
                                      • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
                                      • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
                                      • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
                                      • WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
                                      • WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
                                      • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
                                      • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
                                      • WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
                                      • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
                                      • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$Write$Create
                                      • String ID: RIFF$WAVE$data$fmt
                                      • API String ID: 1602526932-4212202414
                                      • Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                      • Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
                                      • Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                      • Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3
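The thirteen WriteFile calls above emit, in order, `RIFF`, a 4-byte size, `WAVE`, `fmt `, a 4-byte chunk size, then 2+2+4+4+2+2 bytes of format fields (the 2-byte and 4-byte sources at 00471B02, 00471B04 and 00471B0E sit at the nChannels, nSamplesPerSec and wBitsPerSample offsets of a WAVEFORMATEX structure), then `data` and a 4-byte data size: the canonical 44-byte PCM WAV header. The parser below is an added example for this report, not code from the sample; it is meant for triaging audio files recovered from an infected host and checks that the tags and size fields are mutually consistent. The header it parses is constructed with struct.pack, and the corruption applied to the second copy is made up for the demonstration.

```python
"""Parse and sanity-check the 44-byte canonical PCM WAV header assembled by
the WriteFile sequence in the listing above (RIFF / WAVE / 'fmt ' / data).

Added example for this report, not code from the sample. The headers at the
bottom are constructed with struct.pack for demonstration.
"""
import struct

# 12-byte RIFF header + 24-byte 'fmt ' chunk + 8-byte 'data' chunk header.
HEADER_LEN = 44
HEADER_FMT = "<4sI4s4sIHHIIHH4sI"


def parse_wav_header(blob: bytes) -> dict:
    """Return the header fields plus a 'problems' list (empty when consistent)."""
    if len(blob) < HEADER_LEN:
        raise ValueError("need at least 44 bytes of header")
    (riff, riff_size, wave,
     fmt_id, fmt_size, audio_format, channels, sample_rate,
     byte_rate, block_align, bits_per_sample,
     data_id, data_size) = struct.unpack(HEADER_FMT, blob[:HEADER_LEN])

    problems = []
    if riff != b"RIFF":
        problems.append("missing RIFF tag")
    if wave != b"WAVE":
        problems.append("missing WAVE tag")
    if fmt_id != b"fmt ":
        problems.append("missing 'fmt ' chunk")
    if data_id != b"data":
        problems.append("missing data chunk")
    if fmt_size != 16:
        problems.append(f"fmt chunk size {fmt_size}, expected 16 for PCM")
    if channels == 0 or bits_per_sample == 0:
        problems.append("zero channels or zero bit depth")
    else:
        expected_align = channels * bits_per_sample // 8
        if block_align != expected_align:
            problems.append(f"block align {block_align}, expected {expected_align}")
        if byte_rate != sample_rate * expected_align:
            problems.append(f"byte rate {byte_rate}, expected {sample_rate * expected_align}")
    # RIFF size covers everything after the 8-byte RIFF/size pair: 36 header bytes + data.
    if riff_size != 36 + data_size:
        problems.append(f"RIFF size {riff_size} inconsistent with data size {data_size}")

    return {
        "audio_format": audio_format, "channels": channels,
        "sample_rate": sample_rate, "byte_rate": byte_rate,
        "block_align": block_align, "bits_per_sample": bits_per_sample,
        "data_size": data_size, "problems": problems,
    }


def duration_seconds(hdr: dict) -> float:
    """Playback length implied by the header's own size and rate fields."""
    return hdr["data_size"] / hdr["byte_rate"] if hdr["byte_rate"] else 0.0


def build_wav_header(channels: int, sample_rate: int, bits_per_sample: int,
                     data_size: int) -> bytes:
    """Construct a header in the same field order as the listing (demo input)."""
    block_align = channels * bits_per_sample // 8
    return struct.pack(HEADER_FMT, b"RIFF", 36 + data_size, b"WAVE",
                       b"fmt ", 16, 1, channels, sample_rate,
                       sample_rate * block_align, block_align, bits_per_sample,
                       b"data", data_size)


# Constructed: 1 channel, 8 kHz, 16-bit, 16000 bytes of samples (one second).
CONSTRUCTED_HEADER = build_wav_header(1, 8000, 16, 16000)
# Constructed corruption: RIFF size field zeroed, everything else intact.
CORRUPTED_HEADER = CONSTRUCTED_HEADER[:4] + b"\x00\x00\x00\x00" + CONSTRUCTED_HEADER[8:]

if __name__ == "__main__":
    for label, blob in [("clean", CONSTRUCTED_HEADER), ("corrupted", CORRUPTED_HEADER)]:
        hdr = parse_wav_header(blob)
        print(label, f"{duration_seconds(hdr):.2f}s", hdr["problems"] or "ok")
```

A file whose header parses cleanly but whose on-disk length is far larger than `44 + data_size` is worth a second look: a recorder that writes the header first and appends samples afterwards may never update the size fields if the process is killed mid-recording.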
                                      APIs
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe,00000001,004068B2,C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
                                      • GetProcAddress.KERNEL32(00000000), ref: 004064FD
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
                                      • GetProcAddress.KERNEL32(00000000), ref: 00406511
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
                                      • GetProcAddress.KERNEL32(00000000), ref: 00406525
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
                                      • GetProcAddress.KERNEL32(00000000), ref: 00406539
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
                                      • GetProcAddress.KERNEL32(00000000), ref: 0040654D
                                      • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
                                      • GetProcAddress.KERNEL32(00000000), ref: 00406561
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: AddressHandleModuleProc
                                      • String ID: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                      • API String ID: 1646373207-1743178132
                                      • Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                      • Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
                                      • Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                      • Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D
                                      APIs
                                      • _wcslen.LIBCMT ref: 0040BC75
                                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
                                      • CopyFileW.KERNEL32(C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
                                      • _wcslen.LIBCMT ref: 0040BD54
                                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
                                      • CopyFileW.KERNEL32(C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe,00000000,00000000), ref: 0040BDF2
                                      • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
                                      • _wcslen.LIBCMT ref: 0040BE34
                                      • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
                                      • ExitProcess.KERNEL32 ref: 0040BED0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                      • String ID: 6$C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe$del$open$BG$BG
                                      • API String ID: 1579085052-342114948
                                      • Opcode ID: 3074b94dd0db5ede3fe92545a612de18a9a35f6e419f75cb91ba7ed246302fb8
                                      • Instruction ID: b3868b96a5a73c1b880f625a38b4c220dd420420d05b0a2cc1e840e3cd02b35d
                                      • Opcode Fuzzy Hash: 3074b94dd0db5ede3fe92545a612de18a9a35f6e419f75cb91ba7ed246302fb8
                                      • Instruction Fuzzy Hash: D251B0212043406BD609B722EC52EBF77999F81719F10443FF985A66E2DF3CAD4582EE
                                      APIs
                                      • lstrlenW.KERNEL32(?), ref: 0041B1D6
                                      • _memcmp.LIBVCRUNTIME ref: 0041B1EE
                                      • lstrlenW.KERNEL32(?), ref: 0041B207
                                      • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B242
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B255
                                      • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B299
                                      • lstrcmpW.KERNEL32(?,?), ref: 0041B2B4
                                      • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2CC
                                      • _wcslen.LIBCMT ref: 0041B2DB
                                      • FindVolumeClose.KERNEL32(?), ref: 0041B2FB
                                      • GetLastError.KERNEL32 ref: 0041B313
                                      • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B340
                                      • lstrcatW.KERNEL32(?,?), ref: 0041B359
                                      • lstrcpyW.KERNEL32(?,?), ref: 0041B368
                                      • GetLastError.KERNEL32 ref: 0041B370
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                      • String ID: ?
                                      • API String ID: 3941738427-1684325040
                                      • Opcode ID: d489e3e95fd4da7a256b353d04e65c95c699bf3c253225e66008eb700c534145
                                      • Instruction ID: 2e0df54dd889987763cd5022c3700ac4418931210c184d5857636408485aa128
                                      • Opcode Fuzzy Hash: d489e3e95fd4da7a256b353d04e65c95c699bf3c253225e66008eb700c534145
                                      • Instruction Fuzzy Hash: 8B416F71508305AAD7209FA1EC8C9EBB7E8EB49715F00096BF541C2261EB78C98887D6
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$EnvironmentVariable$_wcschr
                                      • String ID:
                                      • API String ID: 3899193279-0
                                      • Opcode ID: 6267e3def292f84dd9e33adbac7387806370fb3e846e7c9bec72720c454fd2de
                                      • Instruction ID: 8ac3cd9939a067627e1c481289c57a7f9f94b657261427fab31af25724b0c78e
                                      • Opcode Fuzzy Hash: 6267e3def292f84dd9e33adbac7387806370fb3e846e7c9bec72720c454fd2de
                                      • Instruction Fuzzy Hash: 96D13C719007007FFB25AF7B9881A6F7BA4BF02314F0541AFF905A7381E63989418B9D
                                      APIs
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
                                        • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,75573530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
                                        • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                        • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                      • Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
                                      • Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
                                      • Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
                                      • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
                                      • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
                                      • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
                                      • Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
                                      • Sleep.KERNEL32(00000064), ref: 00412060
                                        • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                      • String ID: /stext "$HDG$HDG$>G$>G
                                      • API String ID: 1223786279-3931108886
                                      • Opcode ID: cf142be46e054684403749ee3d900e93ccf570b5fe7ca0618ab2844ecc70b16a
                                      • Instruction ID: 1febf249a593eb43810efab42e14b6693ac358e03ba90545e56d33427da79e18
                                      • Opcode Fuzzy Hash: cf142be46e054684403749ee3d900e93ccf570b5fe7ca0618ab2844ecc70b16a
                                      • Instruction Fuzzy Hash: 960243315083414AC325FB61D891AEFB7D5AFD4308F50493FF88A931E2EF785A49C69A
                                      APIs
                                      • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CAE9
                                      • GetCursorPos.USER32(?), ref: 0041CAF8
                                      • SetForegroundWindow.USER32(?), ref: 0041CB01
                                      • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB1B
                                      • Shell_NotifyIconA.SHELL32(00000002,00473B50), ref: 0041CB6C
                                      • ExitProcess.KERNEL32 ref: 0041CB74
                                      • CreatePopupMenu.USER32 ref: 0041CB7A
                                      • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB8F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                      • String ID: Close
                                      • API String ID: 1657328048-3535843008
                                      • Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                      • Instruction ID: a66ed96c0d91d71762f770de87d5f41dd37c70c4e97b210e23d221b2b7ccacbc
                                      • Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                      • Instruction Fuzzy Hash: 68212B71188209FFDB064F64FD4EAAA3F65EB04342F044135B906D40B2D7B9EA90EB18
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$Info
                                      • String ID:
                                      • API String ID: 2509303402-0
                                      • Opcode ID: 92603ff5876a01059927d2e021ea2dcfde124e6bc6800bb968541682ce1897e5
                                      • Instruction ID: 0af7f9009007d8880989bd470fdb3e4a62bb8e65dbd2af1b74ff5c8893cb1db7
                                      • Opcode Fuzzy Hash: 92603ff5876a01059927d2e021ea2dcfde124e6bc6800bb968541682ce1897e5
                                      • Instruction Fuzzy Hash: D0B18F71900605AFEF11DFA9C881BEEBBF4BF49304F14406EF855B7242DA79A8458B64
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
                                      • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
                                      • __aulldiv.LIBCMT ref: 00407FE9
                                      • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
                                      • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
                                      • CloseHandle.KERNEL32(00000000), ref: 00408200
                                      • CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
                                      • CloseHandle.KERNEL32(00000000), ref: 00408256
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                                      • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
                                      • API String ID: 1884690901-3066803209
                                      • Opcode ID: 5c237be89f099d87d01b885cf0a422b96e171a015a81bb39f6c8daf5f6e0c82b
                                      • Instruction ID: 222450ca6543349723abdfa1177da379b39b5876d7444fbb960ea0ab75079841
                                      • Opcode Fuzzy Hash: 5c237be89f099d87d01b885cf0a422b96e171a015a81bb39f6c8daf5f6e0c82b
                                      • Instruction Fuzzy Hash: DAB191316083409BC214FB25C892AAFB7E5AFD4314F40492EF885632D2EF789945C79B
                                      APIs
                                      • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                      • LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                      • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                      • FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                      • LoadLibraryA.KERNEL32(?), ref: 00413F27
                                      • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                      • FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                      • GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                      • FreeLibrary.KERNEL32(00000000), ref: 00413F66
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                      • String ID: \ws2_32$\wship6$getaddrinfo
                                      • API String ID: 2490988753-3078833738
                                      • Opcode ID: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                      • Instruction ID: a4547f3d416e9253f7b1cbdd0907a67efdadb69b2b53743d1710677937ed8fa2
                                      • Opcode Fuzzy Hash: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                      • Instruction Fuzzy Hash: 6D31C4B1906315A7D320AF25DC44ACBB7ECEF44745F400A2AF844D3201D778DA858AEE
                                      APIs
                                      • ___free_lconv_mon.LIBCMT ref: 004500B1
                                        • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F300
                                        • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F312
                                        • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F324
                                        • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F336
                                        • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F348
                                        • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F35A
                                        • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F36C
                                        • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F37E
                                        • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F390
                                        • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3A2
                                        • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3B4
                                        • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3C6
                                        • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3D8
                                      • _free.LIBCMT ref: 004500A6
                                        • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                        • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                      • _free.LIBCMT ref: 004500C8
                                      • _free.LIBCMT ref: 004500DD
                                      • _free.LIBCMT ref: 004500E8
                                      • _free.LIBCMT ref: 0045010A
                                      • _free.LIBCMT ref: 0045011D
                                      • _free.LIBCMT ref: 0045012B
                                      • _free.LIBCMT ref: 00450136
                                      • _free.LIBCMT ref: 0045016E
                                      • _free.LIBCMT ref: 00450175
                                      • _free.LIBCMT ref: 00450192
                                      • _free.LIBCMT ref: 004501AA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                      • String ID:
                                      • API String ID: 161543041-0
                                      • Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                      • Instruction ID: 6df0fc8d0da410edbfddc8482cd9dc810a80ebbb5b2f86b8c24a0bb33e3d08c7
                                      • Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                      • Instruction Fuzzy Hash: 96317235500B00AFEB20AA35D845B5B73E5AF42355F15841FF849E7292DF39AC98CB1A
                                      APIs
                                      • __EH_prolog.LIBCMT ref: 0041912D
                                      • GdiplusStartup.GDIPLUS(00473AF0,?,00000000), ref: 0041915F
                                      • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191EB
                                      • Sleep.KERNEL32(000003E8), ref: 0041926D
                                      • GetLocalTime.KERNEL32(?), ref: 0041927C
                                      • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419365
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                      • String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                      • API String ID: 489098229-65789007
                                      • Opcode ID: d035b23978f635d26d413941e86b53147c054b16f8fc180901addfee223a089d
                                      • Instruction ID: b922dce7c629cfc9b1bb11cb74a08c0e3353b39699bf4d86e46594d10c943285
                                      • Opcode Fuzzy Hash: d035b23978f635d26d413941e86b53147c054b16f8fc180901addfee223a089d
                                      • Instruction Fuzzy Hash: 33519F71A002449ACB14BBB5C856AFE7BA9AB55304F00407FF84AB71D2EF3C5E85C799
                                      APIs
                                      • connect.WS2_32(?,?,?), ref: 004042A5
                                      • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
                                      • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
                                      • WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
                                        • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                      • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                      • API String ID: 994465650-2151626615
                                      • Opcode ID: 60ac0c304c5624abd3eb0f5b990d7a2b8d442c90d38d14ed83455edc78695ec8
                                      • Instruction ID: b196b808fbc66b1ac8da6b4b51d7f626a0d3d22bc4cde50e21f83cd2c7739b74
                                      • Opcode Fuzzy Hash: 60ac0c304c5624abd3eb0f5b990d7a2b8d442c90d38d14ed83455edc78695ec8
                                      • Instruction Fuzzy Hash: ED4128B1B00202A7CB04B77A8C5B66D7A55AB81368B40007FF901676D3EE7DAD6087DF
                                      APIs
                                        • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                        • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                        • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                        • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                        • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(00000000), ref: 0041269D
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
                                      • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
                                      • ExitProcess.KERNEL32 ref: 0040C832
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                      • String ID: """, 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                      • API String ID: 1913171305-390638927
                                      • Opcode ID: 5bb4c84d3517b3e85598af3c51efed398458d12967ae5ca6da544a86b0e32a83
                                      • Instruction ID: a795a6540db69397e2c5d2b70f340dd787df27bacd58b350937fb1c0aad7b7c4
                                      • Opcode Fuzzy Hash: 5bb4c84d3517b3e85598af3c51efed398458d12967ae5ca6da544a86b0e32a83
                                      • Instruction Fuzzy Hash: A2416D329001185ACB14F762DC56DFE7779AF50718F50417FF906B30E2EE386A8ACA99
                                      APIs
                                      Yara matches
                                      Similarity
                                      • API ID: _free
                                      • String ID:
                                      • API String ID: 269201875-0
                                      • Opcode ID: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                      • Instruction ID: 48066223020562dfe8895eb3edc0e70975ef38ab3c96fc6f1fb07286cb8ca08d
                                      • Opcode Fuzzy Hash: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                      • Instruction Fuzzy Hash: 2BC15772D80204BFEB20DBA9CC82FDE77F89B45704F15416AFA04FB282D6749D458B58
                                      APIs
                                        • Part of subcall function 00454650: CreateFileW.KERNEL32(00000000,?,?,+JE,?,?,00000000,?,00454A2B,00000000,0000000C), ref: 0045466D
                                      • GetLastError.KERNEL32 ref: 00454A96
                                      • __dosmaperr.LIBCMT ref: 00454A9D
                                      • GetFileType.KERNEL32(00000000), ref: 00454AA9
                                      • GetLastError.KERNEL32 ref: 00454AB3
                                      • __dosmaperr.LIBCMT ref: 00454ABC
                                      • CloseHandle.KERNEL32(00000000), ref: 00454ADC
                                      • CloseHandle.KERNEL32(?), ref: 00454C26
                                      • GetLastError.KERNEL32 ref: 00454C58
                                      • __dosmaperr.LIBCMT ref: 00454C5F
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                      • String ID: H
                                      • API String ID: 4237864984-2852464175
                                      • Opcode ID: 43154248a50fd66e96ac6d70bada307b7577a7ac671062952f04f408382b00d8
                                      • Instruction ID: 324c09394b40af715295ff654573b8bda7a64cd12b4111e7ce26936e53f9a861
                                      • Opcode Fuzzy Hash: 43154248a50fd66e96ac6d70bada307b7577a7ac671062952f04f408382b00d8
                                      • Instruction Fuzzy Hash: B0A148329041044FDF19EF78D8427AE7BA0AB86319F14015EFC159F392DB398C86C75A
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: 65535$udp
                                      • API String ID: 0-1267037602
                                      • Opcode ID: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                      • Instruction ID: a76ad32841e4dbbb66723cf4e0556afe3febbbe66cdf8f55616d13ac9502c32b
                                      • Opcode Fuzzy Hash: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                      • Instruction Fuzzy Hash: 9D4118716083019BD7209F29E905BAB7BD8EF85706F04082FF84197391E76DCEC186AE
                                      APIs
                                      • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
                                      • CloseHandle.KERNEL32(00000000), ref: 00416F2D
                                      • DeleteFileA.KERNEL32(00000000), ref: 00416F3C
                                      • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416EF0
                                        • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                      • String ID: <$@$@FG$@FG$TUF$Temp
                                      • API String ID: 1107811701-4124992407
                                      • Opcode ID: 752ca13c782d44821a1ec6be30a7add5be14379de4efd94ca99b1656ba8a68f0
                                      • Instruction ID: 21bac8b1790940aaec7d6d8591dec239f7d6dde33bc15b5890dc9a9e7f2861e5
                                      • Opcode Fuzzy Hash: 752ca13c782d44821a1ec6be30a7add5be14379de4efd94ca99b1656ba8a68f0
                                      • Instruction Fuzzy Hash: E8319C319002099BCB04FBA1DC56AFE7775AF50308F00417EF906760E2EF785A8ACB99
                                      APIs
                                      • GetCurrentProcess.KERNEL32(00474A28,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
                                      • GetCurrentProcess.KERNEL32(00474A28,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe), ref: 00406705
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: CurrentProcess
                                      • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$pUF$windir$BG3i@
                                      • API String ID: 2050909247-1144799832
                                      • Opcode ID: 5f4c91d6b24130c8fe2f88965ff0ff9b6bb2609424b04334da58237aef4b63a8
                                      • Instruction ID: 423827b33d6c667fb1d0fc3afb55bdad30249121d517be796f0b9763ce16cf58
                                      • Opcode Fuzzy Hash: 5f4c91d6b24130c8fe2f88965ff0ff9b6bb2609424b04334da58237aef4b63a8
                                      • Instruction Fuzzy Hash: B2310871250700AFC300AB65EC45F6A37B8EB84716F11043EF50AE76E1EB79A8508B6D
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393B9
                                      • GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C6
                                      • __dosmaperr.LIBCMT ref: 004393CD
                                      • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393F9
                                      • GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439403
                                      • __dosmaperr.LIBCMT ref: 0043940A
                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043944D
                                      • GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439457
                                      • __dosmaperr.LIBCMT ref: 0043945E
                                      • _free.LIBCMT ref: 0043946A
                                      • _free.LIBCMT ref: 00439471
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                      • String ID:
                                      • API String ID: 2441525078-0
                                      • Opcode ID: 684e6fef7141b114c3b5ff973dde56bcea396d28ee1fdac90182f4155713f89e
                                      • Instruction ID: 902c93592471d116807dca9985149206a76c62e8192f2f9a6cc20a0486345b12
                                      • Opcode Fuzzy Hash: 684e6fef7141b114c3b5ff973dde56bcea396d28ee1fdac90182f4155713f89e
                                      • Instruction Fuzzy Hash: F531F17140820ABBEF11AFA5DC449AF3B78EF09364F14016AF81066291DB79CC12DBA9
                                      APIs
                                      • SetEvent.KERNEL32(?,?), ref: 00404E71
                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
                                      • TranslateMessage.USER32(?), ref: 00404F30
                                      • DispatchMessageA.USER32(?), ref: 00404F3B
                                      • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 00404FF3
                                      • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
                                        • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                      • String ID: CloseChat$DisplayMessage$GetMessage
                                      • API String ID: 2956720200-749203953
                                      • Opcode ID: 52b262941cb76930fa8da6913c28a8a0820aeb3dc9364f5a769bdcd4c9ec91cf
                                      • Instruction ID: a70547b48422ce96676d24762269450ce3f1821fc9982c67352fb5fd346d99ba
                                      • Opcode Fuzzy Hash: 52b262941cb76930fa8da6913c28a8a0820aeb3dc9364f5a769bdcd4c9ec91cf
                                      • Instruction Fuzzy Hash: F741BFB16043016BC714FB75DC5A8AE77A9ABC1714F40093EF906A31E6EF38DA05C79A
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419C94
                                      • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CAB
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CB8
                                      • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CC7
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CD8
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CDB
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ControlManager
                                      • String ID:
                                      • API String ID: 221034970-0
                                      • Opcode ID: 83979f30ba13052199b290374f4e897ff0c223aa30bace9cb26b013bf86a6d8f
                                      • Instruction ID: aaf019a9b49167a30595a2ca3c371567d0eeee9026f0995440eeab6e66ec65be
                                      • Opcode Fuzzy Hash: 83979f30ba13052199b290374f4e897ff0c223aa30bace9cb26b013bf86a6d8f
                                      • Instruction Fuzzy Hash: 00118632901218AFD7116B64EC85DFF3FACDB45BA5B000036F502921D1DB64DD46AAF5
                                      APIs
                                      • _free.LIBCMT ref: 00446DDF
                                        • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                        • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                      • _free.LIBCMT ref: 00446DEB
                                      • _free.LIBCMT ref: 00446DF6
                                      • _free.LIBCMT ref: 00446E01
                                      • _free.LIBCMT ref: 00446E0C
                                      • _free.LIBCMT ref: 00446E17
                                      • _free.LIBCMT ref: 00446E22
                                      • _free.LIBCMT ref: 00446E2D
                                      • _free.LIBCMT ref: 00446E38
                                      • _free.LIBCMT ref: 00446E46
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                      • Instruction ID: b6db37451886405a3c03f61b360184b61b1678451e8b30ee63348233c964278a
                                      • Opcode Fuzzy Hash: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                      • Instruction Fuzzy Hash: F011E975100408BFEB01EF55C842CDD3B65EF46354B06C0AAF9086F222DA35DE649F85
                                      APIs
                                      • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041B846
                                      • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B88A
                                      • RegCloseKey.ADVAPI32(?), ref: 0041BB54
                                      Strings
                                      • DisplayName, xrefs: 0041B8D1
                                      • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041B83C
                                      Yara matches
                                      Similarity
                                      • API ID: CloseEnumOpen
                                      • String ID: DisplayName$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                      • API String ID: 1332880857-3614651759
                                      • Opcode ID: beee8cc8128c5b6292a52baa65063b935d7e49e28abb99bedb81eb58e8c596e1
                                      • Instruction ID: 4ca6cd9db44c7b11bab16217f2b7ba144dfc64e74838f3250c32f9e768a6938f
                                      • Opcode Fuzzy Hash: beee8cc8128c5b6292a52baa65063b935d7e49e28abb99bedb81eb58e8c596e1
                                      • Instruction Fuzzy Hash: 8C812E311082449BD324EB11DC51AEFB7E9FFD4314F10493FB58A921E1EF74AA49CA9A
                                      APIs
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: Eventinet_ntoa
                                      • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
                                      • API String ID: 3578746661-4192532303
                                      • Opcode ID: 0d3f72b4862548af90ea2b902a190bfca7b75d93e0c06f9e40b9838ab347fbb0
                                      • Instruction ID: 9533851bb4e74ac183efc1d320b4a1154e984465ef7073577260c431c5a81f81
                                      • Opcode Fuzzy Hash: 0d3f72b4862548af90ea2b902a190bfca7b75d93e0c06f9e40b9838ab347fbb0
                                      • Instruction Fuzzy Hash: E8518471A042009BC714F779D85AAAE36A59B80318F40453FF849972E2DF7CAD85CB9F
                                      APIs
                                      • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
                                        • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                      • Sleep.KERNEL32(00000064), ref: 00416688
                                      • DeleteFileW.KERNEL32(00000000), ref: 004166BC
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: File$CreateDeleteExecuteShellSleep
                                      • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                      • API String ID: 1462127192-2001430897
                                      • Opcode ID: 62ca92dac7a2b5d4b18e3dc3447172731693f9ef9de150acbe00dd0aa8aa71c1
                                      • Instruction ID: 72b86f905f1643b809cd09d25b02ba286255726e8958c1b91c3bd62dba73c542
                                      • Opcode Fuzzy Hash: 62ca92dac7a2b5d4b18e3dc3447172731693f9ef9de150acbe00dd0aa8aa71c1
                                      • Instruction Fuzzy Hash: FD313E719001085ADB14FBA1DC96EEE7764AF50708F00013FF906731E2EF786A8ACA9D
                                      APIs
                                      • _strftime.LIBCMT ref: 00401AD3
                                        • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                      • waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
                                      • waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
                                      • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                      • String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
                                      • API String ID: 3809562944-3643129801
                                      • Opcode ID: b8eed0d151ccb6e5a82338ef45dd5c7a6e48c5c8e1108a83b815f9cf038dc0a3
                                      • Instruction ID: ec6e8c75c27496dd15f6dcc160753dc5291fcfbcfc36b55cd818fae73feeac55
                                      • Opcode Fuzzy Hash: b8eed0d151ccb6e5a82338ef45dd5c7a6e48c5c8e1108a83b815f9cf038dc0a3
                                      • Instruction Fuzzy Hash: 6C317E315053009BC314EF25DC56A9E77E8BB94314F00883EF559A21F1EF78AA49CB9A
                                      APIs
                                      • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
                                      • waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
                                      • waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
                                      • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
                                      • waveInStart.WINMM ref: 00401A81
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                      • String ID: XCG$`=G$x=G
                                      • API String ID: 1356121797-903574159
                                      • Opcode ID: df66b5dce40286873da021395106849cc9c08a1aee5ad096444ea0181d895aab
                                      • Instruction ID: 1c4952ee711c82e1d68262a7885cb64ec938acb60d992cd4a46dee1db52e037b
                                      • Opcode Fuzzy Hash: df66b5dce40286873da021395106849cc9c08a1aee5ad096444ea0181d895aab
                                      • Instruction Fuzzy Hash: 87215C316012009BC704DF7EFD1696A7BA9FB85742B00843AF50DE76B0EBB89880CB4C
                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C988
                                        • Part of subcall function 0041CA1F: RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                        • Part of subcall function 0041CA1F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                        • Part of subcall function 0041CA1F: GetLastError.KERNEL32 ref: 0041CA91
                                      • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9BF
                                      • lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9D9
                                      • Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9EF
                                      • TranslateMessage.USER32(?), ref: 0041C9FB
                                      • DispatchMessageA.USER32(?), ref: 0041CA05
                                      • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA12
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                      • String ID: Remcos
                                      • API String ID: 1970332568-165870891
                                      • Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                      • Instruction ID: 0af2178feff80faf092f0d4c6bffee9b758878d1eb04e36c9ad6546aee081b39
                                      • Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                      • Instruction Fuzzy Hash: 760121B1944344ABD7109FA5FC4CEDA7BBCAB45B16F004035F605E2162D7B8A285DB2D
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: b03e61c4093a21660133e67fc3f0c2c165a648bd703d9864a2b1dbb5c11dd296
                                      • Instruction ID: 1e235cce983953b2f50cc3566bc78ab2d8216d31b9fa4c429b6f00869d8f9d70
                                      • Opcode Fuzzy Hash: b03e61c4093a21660133e67fc3f0c2c165a648bd703d9864a2b1dbb5c11dd296
                                      • Instruction Fuzzy Hash: 27C1D774D04249AFEF11DFA9C8417AEBBB4FF4A304F14405AE814A7392C778D941CBA9
                                      APIs
                                      • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00452E03,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00452BD6
                                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452C59
                                      • __alloca_probe_16.LIBCMT ref: 00452C91
                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00452E03,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452CEC
                                      • __alloca_probe_16.LIBCMT ref: 00452D3B
                                      • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D03
                                        • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                      • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D7F
                                      • __freea.LIBCMT ref: 00452DAA
                                      • __freea.LIBCMT ref: 00452DB6
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                      • String ID:
                                      • API String ID: 201697637-0
                                      • Opcode ID: 33853d2748869a5bbf0e5c11ad0ba2693683b8c54e761c696d343b85774101d6
                                      • Instruction ID: c0da75549b7b47b94c7346473649b17197e9394d7568cc7349c1d05b16f9ad8a
                                      • Opcode Fuzzy Hash: 33853d2748869a5bbf0e5c11ad0ba2693683b8c54e761c696d343b85774101d6
                                      • Instruction Fuzzy Hash: F391D872E002169BDF218E64CA51EEF7BB5AF0A315F14055BEC04E7243D7A9DC48CB68
                                      APIs
                                        • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                        • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                        • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                        • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                      • _memcmp.LIBVCRUNTIME ref: 004446A3
                                      • _free.LIBCMT ref: 00444714
                                      • _free.LIBCMT ref: 0044472D
                                      • _free.LIBCMT ref: 0044475F
                                      • _free.LIBCMT ref: 00444768
                                      • _free.LIBCMT ref: 00444774
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ErrorLast$_abort_memcmp
                                      • String ID: C
                                      • API String ID: 1679612858-1037565863
                                      • Opcode ID: 4ee3c7c2bc2adc8e7b8f5f7d65043758b13cb49f9f14cb5bf46d27c87fe2b158
                                      • Instruction ID: 3c523a64da6f7cdf058c983f33271b3c05ff2f19a58e511a78fa6d1555c07658
                                      • Opcode Fuzzy Hash: 4ee3c7c2bc2adc8e7b8f5f7d65043758b13cb49f9f14cb5bf46d27c87fe2b158
                                      • Instruction Fuzzy Hash: 19B13975A012199FEB24DF18C885BAEB7B4FB49304F1485AEE909A7350D739AE90CF44
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: tcp$udp
                                      • API String ID: 0-3725065008
                                      • Opcode ID: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                      • Instruction ID: e59cad8d3053530f07be13ad944632c35d9115139dfdf9e987abb4c2b311e0ee
                                      • Opcode Fuzzy Hash: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                      • Instruction Fuzzy Hash: 9171AB316083128FDB24CE5584847ABB6E4AF84746F10043FF885A7352E778DE85CB9A
                                      APIs
                                      • ExitThread.KERNEL32 ref: 004017F4
                                        • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                        • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                      • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902
                                        • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                      • __Init_thread_footer.LIBCMT ref: 004017BC
                                        • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                        • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                      • String ID: T=G$p[G$>G$>G
                                      • API String ID: 1596592924-2461731529
                                      • Opcode ID: aeffae19d62247b8119facb1c46e767f29e703cc469e99725dcad57df9802044
                                      • Instruction ID: b2aa677fe1363808454ef9d3704f93b9908b7cd688e3fd59dcdd6ad405d7ff49
                                      • Opcode Fuzzy Hash: aeffae19d62247b8119facb1c46e767f29e703cc469e99725dcad57df9802044
                                      • Instruction Fuzzy Hash: 0D41A0316042019BC324FB65DCA6EAE73A4EB94318F00453FF54AA71F2DF78A945C65E
                                      APIs
                                      • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1
                                        • Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                        • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                        • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                      • RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseEnumInfoOpenQuerysend
                                      • String ID: TUF$TUFTUF$>G$DG$DG
                                      • API String ID: 3114080316-72097156
                                      • Opcode ID: 103aaf01797a1ebbf1e62c891f2288938d38a9adcecb4949bddfb57d7650f9a4
                                      • Instruction ID: 92049c6ae7fba3f13a57cd60a3827c89810429dfa6cf24b756c0ab1f01d338b1
                                      • Opcode Fuzzy Hash: 103aaf01797a1ebbf1e62c891f2288938d38a9adcecb4949bddfb57d7650f9a4
                                      • Instruction Fuzzy Hash: 0141A2316042009BC224F635D9A2AEF7394AFD0708F50843FF94A671E2EF7C5D4986AE
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                      • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                        • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                      • CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                      • MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                      • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
                                      • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
                                        • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
                                        • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                      • String ID: .part
                                      • API String ID: 1303771098-3499674018
                                      • Opcode ID: 124c633532e8600691c4108089ff1e2e84c33ce980c006a8ee94900b53e6ed61
                                      • Instruction ID: a9f2b94bfe891e644ef5b97f564769cd4b441703f4f7d546a0b6aea2ef9939f1
                                      • Opcode Fuzzy Hash: 124c633532e8600691c4108089ff1e2e84c33ce980c006a8ee94900b53e6ed61
                                      • Instruction Fuzzy Hash: 1C31C2715083019FD210EF21DD459AFB7A8FB85715F40093FF9C6A21A1DB38AA48CB9A
                                      APIs
                                        • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
                                        • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
                                        • Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE
                                        • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                        • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
                                      • _wcslen.LIBCMT ref: 0041A8F6
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmpDownload File
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmpDownload File
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                      • String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
                                      • API String ID: 3286818993-703403762
                                      • Opcode ID: d31394a1e59778cac49212debd323097d31c222899c914d30ad8a284f22ebc6c
                                      • Instruction ID: cf464564bb47d370653928ac6653466accee15d45f6204cdc17a1bec324f9b19
                                      • Opcode Fuzzy Hash: d31394a1e59778cac49212debd323097d31c222899c914d30ad8a284f22ebc6c
                                      • Instruction Fuzzy Hash: 3021B8727001043BDB04BAB58C96DEE366D9B85358F14083FF402F72C2ED3C9D5942A9
                                      APIs
                                        • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                        • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                        • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                      • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
                                      • PathFileExistsA.SHLWAPI(?), ref: 0040B779
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                      • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders$TUF
                                      • API String ID: 1133728706-1738023494
                                      • Opcode ID: b37d7cdf558f6179467cfee4591f26066e84925d5771a5902107678b3115d486
                                      • Instruction ID: d844a8c095f6bc09782a4352348c5dfd082864f820bca84d12e352ec49be167e
                                      • Opcode Fuzzy Hash: b37d7cdf558f6179467cfee4591f26066e84925d5771a5902107678b3115d486
                                      • Instruction Fuzzy Hash: 5F216D71A00109A6CB04F7B2DCA69EE7764AE95318F40013FE902771D2EB7C9A49C6DE
                                      APIs
                                      • AllocConsole.KERNEL32(00474358), ref: 0041BEB9
                                      • GetConsoleWindow.KERNEL32 ref: 0041BEBF
                                      • ShowWindow.USER32(00000000,00000000), ref: 0041BED2
                                      • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BEF7
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Console$Window$AllocOutputShow
                                      • String ID: Remcos v$5.3.0 Pro$CONOUT$
                                      • API String ID: 4067487056-2527699604
                                      • Opcode ID: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                                      • Instruction ID: 482f1cdaf256b8236abc94a0b12de3dc55517b66349f776fa4240982defd8f75
                                      • Opcode Fuzzy Hash: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                                      • Instruction Fuzzy Hash: 180171B19803047BD600FBF29D4BFDD37AC9B14705F5004277644E7093EABCA554866D
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043D564,0043D564,?,?,?,00449BA1,00000001,00000001,1AE85006), ref: 004499AA
                                      • __alloca_probe_16.LIBCMT ref: 004499E2
                                      • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00449BA1,00000001,00000001,1AE85006,?,?,?), ref: 00449A30
                                      • __alloca_probe_16.LIBCMT ref: 00449AC7
                                      • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,1AE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B2A
                                      • __freea.LIBCMT ref: 00449B37
                                        • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                      • __freea.LIBCMT ref: 00449B40
                                      • __freea.LIBCMT ref: 00449B65
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                      • String ID:
                                      • API String ID: 3864826663-0
                                      • Opcode ID: 352025556551dac2c37919268567461b7de28f4f732b96d5dc4c3903fd0b0184
                                      • Instruction ID: d3450b84a68f20df6837e20b70452335b33749c243a385fd48b45426a0ff81fe
                                      • Opcode Fuzzy Hash: 352025556551dac2c37919268567461b7de28f4f732b96d5dc4c3903fd0b0184
                                      • Instruction Fuzzy Hash: 89511572610246AFFB258F65DC81EBB77A9EB44754F15462EFC04E6240EF38EC40E668
                                      APIs
                                      • SendInput.USER32 ref: 00418B08
                                      • SendInput.USER32(00000001,?,0000001C), ref: 00418B30
                                      • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B57
                                      • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B75
                                      • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B95
                                      • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BBA
                                      • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BDC
                                      • SendInput.USER32(00000001,?,0000001C), ref: 00418BFF
                                        • Part of subcall function 00418AB1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AB7
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: InputSend$Virtual
                                      • String ID:
                                      • API String ID: 1167301434-0
                                      • Opcode ID: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                      • Instruction ID: ee8b26819532887277ba411a2a2a0296f2420856d0f10470abe43a11d9a37015
                                      • Opcode Fuzzy Hash: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                      • Instruction Fuzzy Hash: 3231A471248345AAE210DF65D841FDFFBECAFC5B44F04080FB98457291DAA4D98C87AB
                                      APIs
                                      • OpenClipboard.USER32 ref: 00415A46
                                      • EmptyClipboard.USER32 ref: 00415A54
                                      • CloseClipboard.USER32 ref: 00415A5A
                                      • OpenClipboard.USER32 ref: 00415A61
                                      • GetClipboardData.USER32(0000000D), ref: 00415A71
                                      • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                      • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                      • CloseClipboard.USER32 ref: 00415A89
                                        • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                      • String ID:
                                      • API String ID: 2172192267-0
                                      • Opcode ID: ff49c4b619c8d0a2384b32b470fc1757cf84f728bd461dae53594b1cdfbb7d30
                                      • Instruction ID: 9b100a12d13cc6c4196ee8fc3e520842cce62831b2d72284ea91ff5550736cd9
                                      • Opcode Fuzzy Hash: ff49c4b619c8d0a2384b32b470fc1757cf84f728bd461dae53594b1cdfbb7d30
                                      • Instruction Fuzzy Hash: A10152312083009FC314BB75EC5AAEE77A5AFC0762F41457EFD06861A2DF38C845D65A
                                      APIs
                                      • _free.LIBCMT ref: 00447EBC
                                      • _free.LIBCMT ref: 00447EE0
                                      • _free.LIBCMT ref: 00448067
                                      • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
                                      • _free.LIBCMT ref: 00448233
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                      • String ID:
                                      • API String ID: 314583886-0
                                      • Opcode ID: 4d66406e984c604246852defaa851237a19ea919a7a16fb56f132950f37b46de
                                      • Instruction ID: d74e55ca02e924b9256a88f94e7be2aa31ce1fd8fbfcff02d88bcfbefc6cbd9d
                                      • Opcode Fuzzy Hash: 4d66406e984c604246852defaa851237a19ea919a7a16fb56f132950f37b46de
                                      • Instruction Fuzzy Hash: 32C12871904205ABFB24DF799C41AAE7BB8EF46314F2441AFE484A7351EB388E47C758
                                      APIs
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free
                                      • String ID:
                                      • API String ID: 269201875-0
                                      • Opcode ID: 154a0d9c569a12efbd1fb523a4d55ce0e4318de2d30962be95ff360cd9ef53d7
                                      • Instruction ID: 5fecc71d39e6a90402c47f7728bb4f6831cdfeb90858b0dfc168023e2edb8b83
                                      • Opcode Fuzzy Hash: 154a0d9c569a12efbd1fb523a4d55ce0e4318de2d30962be95ff360cd9ef53d7
                                      • Instruction Fuzzy Hash: 2361BFB1900205AFEB20DF69C841BAABBF4EB45720F24417BE944FB392E7349D45CB59
                                      APIs
                                        • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                      • _free.LIBCMT ref: 00444086
                                      • _free.LIBCMT ref: 0044409D
                                      • _free.LIBCMT ref: 004440BC
                                      • _free.LIBCMT ref: 004440D7
                                      • _free.LIBCMT ref: 004440EE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free$AllocateHeap
                                      • String ID: J7D
                                      • API String ID: 3033488037-1677391033
                                      • Opcode ID: 7bd75c35ecc30b271b00b77e92f4063212cf76abbfff81b413b55d476d69b5fb
                                      • Instruction ID: b5a2c1f2d034459fb850ff781f480331835685433a1d37f27cfcf8091ebf3f31
                                      • Opcode Fuzzy Hash: 7bd75c35ecc30b271b00b77e92f4063212cf76abbfff81b413b55d476d69b5fb
                                      • Instruction Fuzzy Hash: 9251E371A00604AFEB20DF6AC841B6AB3F4EF95724F14416EE909D7251E739ED15CB88
                                      APIs
                                      • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0044A838,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A105
                                      • __fassign.LIBCMT ref: 0044A180
                                      • __fassign.LIBCMT ref: 0044A19B
                                      • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044A1C1
                                      • WriteFile.KERNEL32(?,00000000,00000000,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A1E0
                                      • WriteFile.KERNEL32(?,?,00000001,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A219
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                      • String ID:
                                      • API String ID: 1324828854-0
                                      • Opcode ID: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                      • Instruction ID: b40464c9ec282996611fef5cbd20273031f87559cdf671a411eba52403cbf28d
                                      • Opcode Fuzzy Hash: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                      • Instruction Fuzzy Hash: DB51E270E002099FEB10CFA8D881AEEBBF8FF09300F14416BE815E3391D6749951CB6A
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: _free
                                      • String ID: HE$HE
                                      • API String ID: 269201875-1978648262
                                      • Opcode ID: fc29a47a32afb3350fc3e3c96543f328580f9b5143c0f3ce58bfce5294a38304
                                      • Instruction ID: 4134de32792d44acead4bb36f8da9b5b282593f8ffe10db144b1eaf4d9577b64
                                      • Opcode Fuzzy Hash: fc29a47a32afb3350fc3e3c96543f328580f9b5143c0f3ce58bfce5294a38304
                                      • Instruction Fuzzy Hash: 90412A31A009106BEF24AABA8CD5A7F3B64DF45375F14031BFC1896293D67C8C4996AA
                                      APIs
                                        • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                        • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
                                      • Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
                                      • CloseHandle.KERNEL32(00000000), ref: 0040E8AB
                                        • Part of subcall function 0041B187: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B19C
                                        • Part of subcall function 0041B187: IsWow64Process.KERNEL32(00000000,?,?,?,00474358), ref: 0041B1A7
                                        • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                        • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                      • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                      • String ID: PgF
                                      • API String ID: 2180151492-654241383
                                      • Opcode ID: e70769d42ffb53cdc90a18aa5a86959c2d774f9c0fce08565d8f7a58d3c92881
                                      • Instruction ID: 1ccfc3ca83e07eb3b8bade3b71d1bee95701cef3987deea6625860c00c24977f
                                      • Opcode Fuzzy Hash: e70769d42ffb53cdc90a18aa5a86959c2d774f9c0fce08565d8f7a58d3c92881
                                      • Instruction Fuzzy Hash: F641E1311083415BC325F761D8A1AEFB7E9EFA4305F50453EF84A931E1EF389A49C65A
                                      APIs
                                      • _ValidateLocalCookies.LIBCMT ref: 00437AAB
                                      • ___except_validate_context_record.LIBVCRUNTIME ref: 00437AB3
                                      • _ValidateLocalCookies.LIBCMT ref: 00437B41
                                      • __IsNonwritableInCurrentImage.LIBCMT ref: 00437B6C
                                      • _ValidateLocalCookies.LIBCMT ref: 00437BC1
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                      • String ID: csm
                                      APIs
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
                                      • int.LIBCPMT ref: 0040FC0F
                                        • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                        • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                      • std::_Facet_Register.LIBCPMT ref: 0040FC4B
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                      • String ID: P[G
                                      APIs
                                      • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A53E
                                      • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A554
                                      • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A56D
                                      • InternetCloseHandle.WININET(00000000), ref: 0041A5B3
                                      • InternetCloseHandle.WININET(00000000), ref: 0041A5B6
                                      Strings
                                      • http://geoplugin.net/json.gp, xrefs: 0041A54E
                                      Similarity
                                      • API ID: Internet$CloseHandleOpen$FileRead
                                      • String ID: http://geoplugin.net/json.gp
                                      APIs
                                        • Part of subcall function 0044FA22: _free.LIBCMT ref: 0044FA4B
                                      • _free.LIBCMT ref: 0044FD29
                                        • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                        • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                      • _free.LIBCMT ref: 0044FD34
                                      • _free.LIBCMT ref: 0044FD3F
                                      • _free.LIBCMT ref: 0044FD93
                                      • _free.LIBCMT ref: 0044FD9E
                                      • _free.LIBCMT ref: 0044FDA9
                                      • _free.LIBCMT ref: 0044FDB4
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      APIs
                                      • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe), ref: 00406835
                                        • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
                                        • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                      • CoUninitialize.OLE32 ref: 0040688E
                                      Strings
                                      • [+] ucmCMLuaUtilShellExecMethod, xrefs: 0040681A
                                      • [+] before ShellExec, xrefs: 00406856
                                      • C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe, xrefs: 00406815, 00406818, 0040686A
                                      • [+] ShellExec success, xrefs: 00406873
                                      Similarity
                                      • API ID: InitializeObjectUninitialize_wcslen
                                      • String ID: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                      APIs
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
                                      • int.LIBCPMT ref: 0040FEF2
                                        • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                        • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                      • std::_Facet_Register.LIBCPMT ref: 0040FF2E
                                      • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70
                                      Similarity
                                      • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                      • String ID: H]G
                                      APIs
                                      • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
                                      • GetLastError.KERNEL32 ref: 0040B2EE
                                      Strings
                                      • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
                                      • [Chrome Cookies not found], xrefs: 0040B308
                                      • [Chrome Cookies found, cleared!], xrefs: 0040B314
                                      • UserProfile, xrefs: 0040B2B4
                                      Similarity
                                      • API ID: DeleteErrorFileLast
                                      • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                      Strings
                                      • Rmc-SEVL3E, xrefs: 0040693F
                                      • BG, xrefs: 00406909
                                      • C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe, xrefs: 00406927
                                      Similarity
                                      • API ID:
                                      • String ID: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe$Rmc-SEVL3E$BG
                                      APIs
                                        • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                      • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F64
                                      • PlaySoundW.WINMM(00000000,00000000), ref: 00419F72
                                      • Sleep.KERNEL32(00002710), ref: 00419F79
                                      • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F82
                                      Similarity
                                      • API ID: PlaySound$HandleLocalModuleSleepTime
                                      • String ID: Alarm triggered$`Wu
                                      APIs
                                      • __allrem.LIBCMT ref: 00439789
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397A5
                                      • __allrem.LIBCMT ref: 004397BC
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397DA
                                      • __allrem.LIBCMT ref: 004397F1
                                      • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043980F
                                      Similarity
                                      • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                      • String ID:
                                      Similarity
                                      • API ID: __cftoe
                                      • String ID:
                                      Similarity
                                      • API ID: __freea$__alloca_probe_16
                                      • String ID: a/p$am/pm
                                      APIs
                                      • Sleep.KERNEL32(00000000), ref: 00403E8A
                                        • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
                                      Similarity
                                      • API ID: H_prologSleep
                                      • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
                                      • API String ID: 3469354165-462540288
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419DFC
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E10
                                      • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E1D
                                      • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419507), ref: 00419E52
                                      • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E64
                                      • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E67
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                      • String ID:
                                      • API String ID: 493672254-0
                                      APIs
                                      • GetLastError.KERNEL32(?,?,00437DFD,004377B1), ref: 00437E14
                                      • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E22
                                      • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E3B
                                      • SetLastError.KERNEL32(00000000,?,00437DFD,004377B1), ref: 00437E8D
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLastValue___vcrt_
                                      • String ID:
                                      • API String ID: 3852720340-0
                                      APIs
                                      • GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                      • _free.LIBCMT ref: 00446EF6
                                      • _free.LIBCMT ref: 00446F1E
                                      • SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
                                      • SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                      • _abort.LIBCMT ref: 00446F3D
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorLast$_free$_abort
                                      • String ID:
                                      • API String ID: 3160817290-0
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C2F
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C43
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C50
                                      • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C5F
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C71
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C74
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ControlManager
                                      • String ID:
                                      • API String ID: 221034970-0
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D31
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D45
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D52
                                      • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D61
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D73
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D76
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ControlManager
                                      • String ID:
                                      • API String ID: 221034970-0
                                      APIs
                                      • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419D96
                                      • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DAA
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DB7
                                      • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DC6
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DD8
                                      • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DDB
                                      Yara matches
                                      Similarity
                                      • API ID: Service$CloseHandle$Open$ControlManager
                                      • String ID:
                                      • API String ID: 221034970-0
                                      APIs
                                      • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                      • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED
                                      Yara matches
                                      Similarity
                                      • API ID: Enum$InfoQueryValue
                                      • String ID: [regsplt]$DG
                                      • API String ID: 3554306468-1089238109
                                      APIs
                                        • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                        • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                        • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                      • __Init_thread_footer.LIBCMT ref: 0040AEA7
                                        • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                        • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                      Yara matches
                                      Similarity
                                      • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                      • String ID: [End of clipboard]$[Text copied to clipboard]$,]G$0]G
                                      • API String ID: 2974294136-753205382
                                      APIs
                                      • RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                      • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                      • GetLastError.KERNEL32 ref: 0041CA91
                                      Yara matches
                                      Similarity
                                      • API ID: ClassCreateErrorLastRegisterWindow
                                      • String ID: 0$MsgWindowClass
                                      • API String ID: 2877667751-2410386613
                                      APIs
                                      • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
                                      • CloseHandle.KERNEL32(?), ref: 00406A0F
                                      • CloseHandle.KERNEL32(?), ref: 00406A14
                                      Strings
                                      • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
                                      • C:\Windows\System32\cmd.exe, xrefs: 004069FB
                                      Yara matches
                                      Similarity
                                      • API ID: CloseHandle$CreateProcess
                                      • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                      • API String ID: 2922976086-4183131282
                                      APIs
                                      • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044258A,?,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002), ref: 004425F9
                                      • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044260C
                                      • FreeLibrary.KERNEL32(00000000,?,?,?,0044258A,?,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002,00000000), ref: 0044262F
                                      Yara matches
                                      Similarity
                                      • API ID: AddressFreeHandleLibraryModuleProc
                                      • String ID: CorExitProcess$mscoree.dll
                                      • API String ID: 4061214504-1276376045
                                      APIs
                                      • RegCreateKeyW.ADVAPI32(80000001,00000000,BG), ref: 0041277F
                                      • RegSetValueExW.ADVAPI32(BG,?,00000000,00000001,00000000,00000000,004742F8,?,0040E5CB,pth_unenc,004742E0), ref: 004127AD
                                      • RegCloseKey.ADVAPI32(?,?,0040E5CB,pth_unenc,004742E0), ref: 004127B8
                                       Memory Dump Source
                                       • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                       Joe Sandbox IDA Plugin
                                       • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Similarity
                                      • API ID: CloseCreateValue
                                      • String ID: pth_unenc$BG
                                      • API String ID: 1818849710-2233081382
                                      • Opcode ID: 2b0b83c385fe9b11323970af50dff3bb0d924dce91bf1d9d78cbef32cf6cf5ea
                                      • Instruction ID: fff2d7bcc465bc574364a4979b4b77ba115ffea085319746951fe37a0eeb78e5
                                      • Opcode Fuzzy Hash: 2b0b83c385fe9b11323970af50dff3bb0d924dce91bf1d9d78cbef32cf6cf5ea
                                      • Instruction Fuzzy Hash: 9FF0CD31500218BBDF109FA0ED46EEF37ACAB40B50F104539F902A60A1E675DB14DAA4
                                      APIs
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00475B70,0040483F,00000001,?,?,00000000,00475B70,004017F3), ref: 00404AED
                                      • SetEvent.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404AF9
                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,?,00000000,00475B70,004017F3), ref: 00404B04
                                      • CloseHandle.KERNEL32(?,?,?,00000000,00475B70,004017F3), ref: 00404B0D
                                        • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                       Memory Dump Source
                                       • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                       Joe Sandbox IDA Plugin
                                       • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Similarity
                                      • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                      • String ID: KeepAlive | Disabled
                                      • API String ID: 2993684571-305739064
                                      • Opcode ID: 1c0c748ad9fecb0dd528124c77293d7db353f6adbd4e84571b4901e68838a0a9
                                      • Instruction ID: d6da77504ed7f85403cc54e6f32b3900d2337039667ff8d97479a9328fe4a552
                                      • Opcode Fuzzy Hash: 1c0c748ad9fecb0dd528124c77293d7db353f6adbd4e84571b4901e68838a0a9
                                      • Instruction Fuzzy Hash: F8F0BBB19043007FDB1137759D0E66B7F58AB46325F00457FF892926F1DA38D890875B
                                      APIs
                                      • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF02), ref: 0041BE79
                                      • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BE86
                                      • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF02), ref: 0041BE93
                                      • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BEA6
                                      Strings
                                      • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BE99
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                       Joe Sandbox IDA Plugin
                                       • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Similarity
                                      • API ID: Console$AttributeText$BufferHandleInfoScreen
                                      • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                      • API String ID: 3024135584-2418719853
                                      • Opcode ID: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                                      • Instruction ID: 2ebb83c1e7e70c4501562f07591cf8b091918c9767bda4cb27a2f29097fd03e7
                                      • Opcode Fuzzy Hash: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                                      • Instruction Fuzzy Hash: C7E04F62104348ABD31437F5BC8ECAB3B7CE784613B100536F612903D3EA7484448A79
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                       Joe Sandbox IDA Plugin
                                       • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Similarity
                                      • API ID:
                                      • String ID:
                                      • API String ID:
                                      • Opcode ID: 5145828a6066f50cf31ff859ee0e23af4d85e603a01b225214a849b1d7000abc
                                      • Instruction ID: 5f24fa964153eb206603784754227e3bedeb81a57cd12874f4c303f17d5dd595
                                      • Opcode Fuzzy Hash: 5145828a6066f50cf31ff859ee0e23af4d85e603a01b225214a849b1d7000abc
                                      • Instruction Fuzzy Hash: FD71C231900216DBEB218F55C884ABFBB75FF55360F14026BEE10A7281D7B89D61CBA9
                                      APIs
                                        • Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF
                                      • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
                                      • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
                                      • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410C31
                                      • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
                                      • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                       Joe Sandbox IDA Plugin
                                       • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Similarity
                                      • API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
                                      • String ID:
                                      • API String ID: 3525466593-0
                                      • Opcode ID: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
                                      • Instruction ID: 414678d8c61d87a8872ee73c425a8c4ab38aff0ef96490e16bc3f9b9534d1ba0
                                      • Opcode Fuzzy Hash: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
                                      • Instruction Fuzzy Hash: 1861C270200301ABD720DF66C981BA77BE6BF44744F04412AF9058B786EBF8E8C5CB99
                                       Memory Dump Source
                                       • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                       Joe Sandbox IDA Plugin
                                       • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Similarity
                                      • API ID: _free
                                      • String ID:
                                      • API String ID: 269201875-0
                                      • Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                      • Instruction ID: 1dbcf13812f0ad7c91f1b1cf961d24232ef3b5dad0ac29e3e9285c08b65e5f3f
                                      • Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                      • Instruction Fuzzy Hash: 4A41D532E002049FEB24DF79C881A5EB3A5EF89718F15856EE915EB341DB35EE01CB84
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0043E3ED,?,00000000,?,00000001,?,?,00000001,0043E3ED,?), ref: 0044FF20
                                      • __alloca_probe_16.LIBCMT ref: 0044FF58
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044FFA9
                                      • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,004399BF,?), ref: 0044FFBB
                                      • __freea.LIBCMT ref: 0044FFC4
                                        • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                       Joe Sandbox IDA Plugin
                                       • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Similarity
                                      • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                      • String ID:
                                      • API String ID: 313313983-0
                                      • Opcode ID: f170efb2dc1c6de9df76393386ebf7cd534c4364e4366eebd744cf228c8edce4
                                      • Instruction ID: fd0d2a6e26420063bd1679c32ed8e9021f1b2be81e6a043fb7466d0fa567ef17
                                      • Opcode Fuzzy Hash: f170efb2dc1c6de9df76393386ebf7cd534c4364e4366eebd744cf228c8edce4
                                      • Instruction Fuzzy Hash: 9831FE32A0021AABEF248F65DC41EAF7BA5EB05314F05017BFC04D6290EB39DD58CBA4
                                      APIs
                                      • GetEnvironmentStringsW.KERNEL32 ref: 0044E144
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E167
                                        • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                      • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E18D
                                      • _free.LIBCMT ref: 0044E1A0
                                      • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1AF
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                       Joe Sandbox IDA Plugin
                                       • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Similarity
                                      • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                      • String ID:
                                      • API String ID: 336800556-0
                                      • Opcode ID: a9616c8c015984253ca72814521cc13fd9597de4e0bdad696dd641cecd3264f2
                                      • Instruction ID: 38685928f53d0fdec7f9771a1fbcf5508afe04d06d5fe5a1692e2fd93afee85f
                                      • Opcode Fuzzy Hash: a9616c8c015984253ca72814521cc13fd9597de4e0bdad696dd641cecd3264f2
                                      • Instruction Fuzzy Hash: 8201B1726417117F73215ABB6C8CC7B6A6DEEC2BA2315013ABD04D6201DA788C0291B9
                                      APIs
                                      • GetLastError.KERNEL32(0000000A,0000000B,0000000A,00445359,00440A9B,00000000,?,?,?,?,00440C7E,00000000,0000000A,000000FF,0000000A,00000000), ref: 00446F48
                                      • _free.LIBCMT ref: 00446F7D
                                      • _free.LIBCMT ref: 00446FA4
                                      • SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 00446FB1
                                      • SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 00446FBA
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                       Joe Sandbox IDA Plugin
                                       • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Similarity
                                      • API ID: ErrorLast$_free
                                      • String ID:
                                      • API String ID: 3170660625-0
                                      • Opcode ID: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                      • Instruction ID: 6bd692df8320938abc1815071491dbd9703328d73d2f54107518a18b095bb187
                                      • Opcode Fuzzy Hash: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                      • Instruction Fuzzy Hash: 7401D13620C70067F61266757C85D2F266DDBC3B66727013FF958A2292EE2CCC0A452F
                                      APIs
                                      • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                      • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                      • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041B3C8
                                      • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3D3
                                      • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3DB
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                       Joe Sandbox IDA Plugin
                                       • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Similarity
                                      • API ID: Process$CloseHandleOpen$FileImageName
                                      • String ID:
                                      • API String ID: 2951400881-0
                                      • Opcode ID: db4a41822c85b6549257f18fa46790b7e5e5d5e6a524df97c50e7420b53bdc77
                                      • Instruction ID: bb9aee54fd4b55ef2446b45ef4d52834339351c189d8e7c886657dc3bd6b5f1d
                                      • Opcode Fuzzy Hash: db4a41822c85b6549257f18fa46790b7e5e5d5e6a524df97c50e7420b53bdc77
                                      • Instruction Fuzzy Hash: 2FF04971204209ABD3106754AC4AFA7B27CDB40B96F000037FA61D22A1FFB4CCC146AE
                                      APIs
                                      • _free.LIBCMT ref: 0044F7B5
                                        • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                        • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                      • _free.LIBCMT ref: 0044F7C7
                                      • _free.LIBCMT ref: 0044F7D9
                                      • _free.LIBCMT ref: 0044F7EB
                                      • _free.LIBCMT ref: 0044F7FD
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                       Joe Sandbox IDA Plugin
                                       • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                      • Instruction ID: 78b16e2cd2bc6e4547488c8f4e3d182d22cf8911186b8f77a4a783cd10448158
                                      • Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                      • Instruction Fuzzy Hash: 9AF01232505600BBE620EB59E8C5C1773E9EB827147A9482BF408F7641CB3DFCC48A6C
                                      APIs
                                      • _free.LIBCMT ref: 00443305
                                        • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                        • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                      • _free.LIBCMT ref: 00443317
                                      • _free.LIBCMT ref: 0044332A
                                      • _free.LIBCMT ref: 0044333B
                                      • _free.LIBCMT ref: 0044334C
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                       Joe Sandbox IDA Plugin
                                       • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Similarity
                                      • API ID: _free$ErrorFreeHeapLast
                                      • String ID:
                                      • API String ID: 776569668-0
                                      • Opcode ID: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                      • Instruction ID: 76e6a482bc9a1727a28655d1f271e5fc3ecde01143ea680422932a64b095765e
                                      • Opcode Fuzzy Hash: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                      • Instruction Fuzzy Hash: B9F05EF08075209FAB12AF2DBD014893BA0B786755306413BF41EB2772EB380D95DB8E
                                      APIs
                                      • GetWindowThreadProcessId.USER32(?,?), ref: 00416768
                                      • GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
                                      • IsWindowVisible.USER32(?), ref: 004167A1
                                        • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                        • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      Yara matches
                                      Similarity
                                      • API ID: ProcessWindow$Open$TextThreadVisible
                                      • String ID: (FG
                                      APIs
                                      • _strpbrk.LIBCMT ref: 0044D4A8
                                      • _free.LIBCMT ref: 0044D5C5
                                        • Part of subcall function 0043A854: IsProcessorFeaturePresent.KERNEL32(00000017,0043A826,00000000,0000000A,0000000A,00000000,0041AD67,00000022,?,?,0043A833,00000000,00000000,00000000,00000000,00000000), ref: 0043A856
                                        • Part of subcall function 0043A854: GetCurrentProcess.KERNEL32(C0000417,0000000A,00000000), ref: 0043A878
                                        • Part of subcall function 0043A854: TerminateProcess.KERNEL32(00000000), ref: 0043A87F
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                      • String ID: *?$.
                                      APIs
                                      • GetKeyboardLayoutNameA.USER32(?), ref: 00409601
                                        • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                        • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                        • Part of subcall function 0041B6AA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6BF
                                        • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: CreateFileKeyboardLayoutNameconnectsendsocket
                                      • String ID: XCG$`AG$>G
                                      APIs
                                      • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe,00000104), ref: 00442714
                                      • _free.LIBCMT ref: 004427DF
                                      • _free.LIBCMT ref: 004427E9
                                      Strings
                                      • C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe, xrefs: 0044270B, 00442712, 00442741, 00442779
                                      Yara matches
                                      Similarity
                                      • API ID: _free$FileModuleName
                                      • String ID: C:\Users\user\Desktop\173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d2060a0a419.dat-decoded.exe
                                      APIs
                                      • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
                                        • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,75573530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
                                        • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                        • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                        • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                      • Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                      • String ID: /sort "Visit Time" /stext "$8>G
                                      APIs
                                      • GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                      • wsprintfW.USER32 ref: 0040A905
                                        • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: EventLocalTimewsprintf
                                      • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                                      APIs
                                        • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                        • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                        • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                      • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040A691
                                      • CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 0040A69D
                                      • CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: CreateThread$LocalTime$wsprintf
                                      • String ID: Online Keylogger Started
                                      APIs
                                      • CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A991,`@,0046DD28,0000000C), ref: 0044AAC9
                                      • GetLastError.KERNEL32(?,0044A991,`@,0046DD28,0000000C), ref: 0044AAD3
                                      • __dosmaperr.LIBCMT ref: 0044AAFE
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: CloseErrorHandleLast__dosmaperr
                                      • String ID: `@
                                      APIs
                                      • GetLocalTime.KERNEL32(?), ref: 00404946
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404994
                                      • CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7
                                      Strings
                                      • KeepAlive | Enabled | Timeout: , xrefs: 0040495C
                                      Yara matches
                                      Similarity
                                      • API ID: Create$EventLocalThreadTime
                                      • String ID: KeepAlive | Enabled | Timeout:
                                      APIs
                                      • PathFileExistsW.SHLWAPI(00000000), ref: 00419EAE
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: ExistsFilePath
                                      • String ID: TUF$alarm.wav$xIG
                                      APIs
                                      • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
                                      • CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
                                      • SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: CloseEventHandleObjectSingleWait
                                      • String ID: Connection Timeout
                                      APIs
                                      • std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
                                      • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08
                                        • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 004347DC
                                        • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 00434800
                                      • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C
                                      Strings
                                      Yara matches
                                      Similarity
                                      • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                      • String ID: bad locale name
                                      APIs
                                      • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                      • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                      • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Similarity
                                      • API ID: ExecuteShell
                                      • String ID: /C $cmd.exe$open
                                      APIs
                                      • TerminateThread.KERNEL32(Function_000099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                      • UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                      • TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
                                      Similarity
                                      • API ID: TerminateThread$HookUnhookWindows
                                      • String ID: pth_unenc
                                      Similarity
                                      • API ID: __alldvrm$_strrchr
                                      APIs
                                      • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
                                      • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
                                      • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
                                      • CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
                                      Similarity
                                      • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                      Strings
                                      • Cleared browsers logins and cookies., xrefs: 0040B8EF
                                      • [Cleared browsers logins and cookies.], xrefs: 0040B8DE
                                      Similarity
                                      • API ID: Sleep
                                      • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                      APIs
                                        • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                        • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                        • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(00000000), ref: 0041269D
                                      • Sleep.KERNEL32(00000BB8), ref: 004115C3
                                      Similarity
                                      • API ID: CloseOpenQuerySleepValue
                                      • String ID: @CG$exepath$BG
                                      Similarity
                                      • API ID: SystemTimes$Sleep__aulldiv
                                      APIs
                                        • Part of subcall function 0041B6E6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B6F6
                                        • Part of subcall function 0041B6E6: GetWindowTextLengthW.USER32(00000000), ref: 0041B6FF
                                        • Part of subcall function 0041B6E6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B729
                                      • Sleep.KERNEL32(000001F4), ref: 00409C95
                                      • Sleep.KERNEL32(00000064), ref: 00409D1F
                                      Similarity
                                      • API ID: Window$SleepText$ForegroundLength
                                      • String ID: [ $ ]
                                      Similarity
                                      • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                      APIs
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004471B7,00000000,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue), ref: 00447242
                                      • GetLastError.KERNEL32(?,004471B7,00000000,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446F91), ref: 0044724E
                                      • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471B7,00000000,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044725C
                                      Similarity
                                      • API ID: LibraryLoad$ErrorLast
                                      APIs
                                      • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                      • GetFileSize.KERNEL32(00000000,00000000), ref: 0041B647
                                      • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041B66C
                                      • CloseHandle.KERNEL32(00000000), ref: 0041B67A
                                      Similarity
                                      • API ID: File$CloseCreateHandleReadSize
                                      APIs
                                      • GetSystemMetrics.USER32(0000004C), ref: 00418519
                                      • GetSystemMetrics.USER32(0000004D), ref: 0041851F
                                      • GetSystemMetrics.USER32(0000004E), ref: 00418525
                                      • GetSystemMetrics.USER32(0000004F), ref: 0041852B
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: MetricsSystem
                                      • String ID:
                                      • API String ID: 4116985748-0
                                      • Opcode ID: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
                                      • Instruction ID: 928f1b056b10b768f566869b0c9e39fed015f0adb742d9b99f9daccd71f82e50
                                      • Opcode Fuzzy Hash: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
                                      • Instruction Fuzzy Hash: 96F0D672B043216BCA00EA798C4556FBB97DFD02A4F25083FE6059B341DEB8EC4687D9
                                      APIs
                                      • __startOneArgErrorHandling.LIBCMT ref: 00441F6D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: ErrorHandling__start
                                      • String ID: pow
                                      • API String ID: 3213639722-2276729525
                                      • Opcode ID: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
                                      • Instruction ID: c296867054112a427edbdd16b3baf579c6faf9d8481746a729c2ad46b2c40409
                                      • Opcode Fuzzy Hash: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
                                      • Instruction Fuzzy Hash: 2A517B61A1620196F7117714C98137F2BD0DB50741F688D6BF085423F9DF3D8CDA9A4E
                                      APIs
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: CountEventTick
                                      • String ID: >G
                                      • API String ID: 180926312-1296849874
                                      • Opcode ID: e63c50bd24d47bbed406300f1f46c67f1ece15c8552ccb0a6fd3430c0afe9012
                                      • Instruction ID: d5b3ec7783a4dd7183bbf31121b5a8e130ff38f85bff4fd723ced1f164cd3d8d
                                      • Opcode Fuzzy Hash: e63c50bd24d47bbed406300f1f46c67f1ece15c8552ccb0a6fd3430c0afe9012
                                      • Instruction Fuzzy Hash: 1A5170315042409AC624FB71D8A2AEF73A5AFD1314F40853FF94A671E2EF389949C69A
                                      APIs
                                      • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB59
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Info
                                      • String ID: $fD
                                      • API String ID: 1807457897-3092946448
                                      • Opcode ID: af305b060504fe74110eba1b75a066a7b29ec04ef294ab3684049637f65bd75b
                                      • Instruction ID: 070357306f4c5095a08430c9ceac02bf5c2973ae7142a422f036c1757655e3b4
                                      • Opcode Fuzzy Hash: af305b060504fe74110eba1b75a066a7b29ec04ef294ab3684049637f65bd75b
                                      • Instruction Fuzzy Hash: C241FA7090439C9AEB218F24CCC4BF6BBB9DF45308F1404EEE59A87242D279AE45DF65
                                      APIs
                                      • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417C08
                                        • Part of subcall function 004177A2: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417C1B,00000000,?,?,?,?,00000000), ref: 004177B6
                                      • SHCreateMemStream.SHLWAPI(00000000), ref: 00417C55
                                        • Part of subcall function 00417815: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417C71,00000000,?,?), ref: 00417827
                                        • Part of subcall function 004177C5: GdipDisposeImage.GDIPLUS(?,00417CCC), ref: 004177CE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                      • String ID: image/jpeg
                                      • API String ID: 1291196975-3785015651
                                      • Opcode ID: 8f3b30371828e1907736ebf26ac10b00a12ebc6a0bae61ebf375912b50c4f4ef
                                      • Instruction ID: 3dbe320e324aa312c145f712c1d391ec03548c85c69305bb74e69b0931de3aa8
                                      • Opcode Fuzzy Hash: 8f3b30371828e1907736ebf26ac10b00a12ebc6a0bae61ebf375912b50c4f4ef
                                      • Instruction Fuzzy Hash: 13315C75508300AFC301AF65C884DAFBBF9FF8A704F000A2EF94597251DB79A905CBA6
                                      APIs
                                      • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450B39,?,00000050,?,?,?,?,?), ref: 004509B9
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: ACP$OCP
                                      • API String ID: 0-711371036
                                      • Opcode ID: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                      • Instruction ID: 7e3e8aaac6bfe0b7539266298c93f9b0706a3ab6a9e9f394231f134d2b8bf5b7
                                      • Opcode Fuzzy Hash: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                      • Instruction Fuzzy Hash: 072138EAA04201A6F7348B558801B9B7396AF54B23F164826EC49D730BF739DD49C358
                                      APIs
                                      • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417CF4
                                        • Part of subcall function 004177A2: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417C1B,00000000,?,?,?,?,00000000), ref: 004177B6
                                      • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00417D19
                                        • Part of subcall function 00417815: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417C71,00000000,?,?), ref: 00417827
                                        • Part of subcall function 004177C5: GdipDisposeImage.GDIPLUS(?,00417CCC), ref: 004177CE
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                      • String ID: image/png
                                      • API String ID: 1291196975-2966254431
                                      • Opcode ID: 3eb8dd80f54a72a5a0a9ed13ccec69a705e73992219fab643a786ff0acabb055
                                      • Instruction ID: e3b7944e5392015f30009faa46d0af48502643625c308f0969f1fef2cb3c76d4
                                      • Opcode Fuzzy Hash: 3eb8dd80f54a72a5a0a9ed13ccec69a705e73992219fab643a786ff0acabb055
                                      • Instruction Fuzzy Hash: AA21A135204211AFC300AF61CC88CAFBBBDEFCA714F10052EF90693151DB399945CBA6
                                      APIs
                                      • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1
                                        • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                      • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E
                                      Strings
                                      • KeepAlive | Enabled | Timeout: , xrefs: 004049E5
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LocalTime
                                      • String ID: KeepAlive | Enabled | Timeout:
                                      • API String ID: 481472006-1507639952
                                      • Opcode ID: 88f98e07624f0cdc5f5406798babcb05efc51bc28ea43e2309e29ec04d21d8db
                                      • Instruction ID: fa495feba5854bec2644a8330ceabc5ae1d4c14ac10d4033695aa89a80f4fa5c
                                      • Opcode Fuzzy Hash: 88f98e07624f0cdc5f5406798babcb05efc51bc28ea43e2309e29ec04d21d8db
                                      • Instruction Fuzzy Hash: 5A2126A1A042806BC310FB6AD80A76B7B9497D1319F44407EF849532E2DB3C5999CB9F
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID:
                                      • String ID: LG$XG
                                      • API String ID: 0-1482930923
                                      • Opcode ID: c15126115d7b74b818ce8cc4bfc83f894c4a74ec01747284a75d25f55942686d
                                      • Instruction ID: b803d8f2fb0d60b71c32d24796bf113498d2ea24005d64aa96dbf80bf0db992b
                                      • Opcode Fuzzy Hash: c15126115d7b74b818ce8cc4bfc83f894c4a74ec01747284a75d25f55942686d
                                      • Instruction Fuzzy Hash: CE11A3B1D01654AACB20EFA998017CFB7A55F09725F14D06BED18EF281D3B9DB408B98
                                      APIs
                                      • GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LocalTime
                                      • String ID: | $%02i:%02i:%02i:%03i
                                      • API String ID: 481472006-2430845779
                                      • Opcode ID: 9b95a0a033af4e6b3b54331b4a103e7e6270c3a9d1cca9dd8a72674f32e816fd
                                      • Instruction ID: d205b4ebe2adc0156a37935a73d605e8b5d9817e81284f53efab16a15aec7ece
                                      • Opcode Fuzzy Hash: 9b95a0a033af4e6b3b54331b4a103e7e6270c3a9d1cca9dd8a72674f32e816fd
                                      • Instruction Fuzzy Hash: 80114C725082045AC704EBA5D8568AF73E8AB94708F10053FFC85931E1EF38DA84C69E
                                      APIs
                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00412612
                                      • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00412648
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: QueryValue
                                      • String ID: TUF
                                      • API String ID: 3660427363-3431404234
                                      • Opcode ID: c4e216894b58aee55caec26845d8524ac01ef4dd0a633f9c8df4f60fb7a150f6
                                      • Instruction ID: 62a4949b47554db758ef5e9b715c6ec4cc130d120bf99ac1ec1555789b8052d8
                                      • Opcode Fuzzy Hash: c4e216894b58aee55caec26845d8524ac01ef4dd0a633f9c8df4f60fb7a150f6
                                      • Instruction Fuzzy Hash: BC01A7B6A00108BFDB049B95DD46EFF7ABDDF44240F10007AF901E2251E6749F009664
                                      APIs
                                        • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                        • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                        • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                      • CloseHandle.KERNEL32(?), ref: 0040A7CA
                                      • UnhookWindowsHookEx.USER32 ref: 0040A7DD
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                      • String ID: Online Keylogger Stopped
                                      • API String ID: 1623830855-1496645233
                                      • Opcode ID: fe6e18c6252a0bee342ef941cd7d9d06612fb05f1df7cb5e72a2689b447559bc
                                      • Instruction ID: 3c154674506c802d119dc10506b29c5389a087cae46ba36945c53301bfe6088f
                                      • Opcode Fuzzy Hash: fe6e18c6252a0bee342ef941cd7d9d06612fb05f1df7cb5e72a2689b447559bc
                                      • Instruction Fuzzy Hash: CC01D431A043019BDB25BB35C80B7AEBBB59B45315F80407FE481225D2EB7999A6C3DB
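The literal strings the entries above attribute to this sample (the KeepAlive log line, the "Online Keylogger Stopped" message emitted next to UnhookWindowsHookEx, the "%02i:%02i:%02i:%03i" log timestamp format, and the "image/jpeg" / "image/png" MIME types passed to the GDI+ stream encoder) are usable as triage indicators on their own. The scanner below is an added example and is not part of the Joe Sandbox report or of the sample: it searches a memory dump or file for those strings in both narrow (ASCII) and wide (UTF-16LE) form, since the listing shows the sample mixing CRT format strings with wide Win32 calls such as wsprintfW. The indicator names and the sample buffer are constructed for the demonstration.

```python
"""Triage helper: flag Remcos-style indicator strings in a memory dump.

Added example, not code from the Joe Sandbox report.  The needle strings are
the ones the function listing attributes to the sample; the category names
and the SAMPLE buffer below are constructed for this demonstration.
"""
import re
from typing import Dict, List, Tuple

# Indicator strings exactly as they appear in the report's function entries.
INDICATORS: Dict[str, str] = {
    "keepalive_log":  "KeepAlive | Enabled | Timeout: ",
    "keylogger_stop": "Online Keylogger Stopped",
    "log_timestamp":  "%02i:%02i:%02i:%03i",
    "gdiplus_jpeg":   "image/jpeg",
    "gdiplus_png":    "image/png",
}

Hit = Tuple[str, int]          # (encoding, byte offset)
Hits = Dict[str, List[Hit]]    # indicator name -> list of hits


def _needles() -> List[Tuple[str, str, bytes]]:
    """Each indicator in ASCII and in UTF-16LE (wide Win32 string) form."""
    out: List[Tuple[str, str, bytes]] = []
    for name, text in INDICATORS.items():
        out.append((name, "ascii", text.encode("ascii")))
        out.append((name, "utf16le", text.encode("utf-16-le")))
    return out


def scan_buffer(buf: bytes) -> Hits:
    """Return every indicator hit in buf, keyed by indicator name."""
    hits: Hits = {}
    for name, enc, needle in _needles():
        for m in re.finditer(re.escape(needle), buf):
            hits.setdefault(name, []).append((enc, m.start()))
    return hits


def scan_file(path: str) -> Hits:
    """Convenience wrapper for a dumped region (.sdmp) or the decoded sample."""
    with open(path, "rb") as fh:
        return scan_buffer(fh.read())


def capability_summary(hits: Hits) -> List[str]:
    """Map raw hits to the capabilities the strings point at.

    The grouping is an assumption made for this example: the keylogger and
    timestamp strings belong to the key-logging routine, the MIME types to the
    GDI+ image re-encoding routine, and the KeepAlive line to C2 logging.
    """
    caps: List[str] = []
    if "keylogger_stop" in hits or "log_timestamp" in hits:
        caps.append("keylogging")
    if "gdiplus_jpeg" in hits or "gdiplus_png" in hits:
        caps.append("gdiplus image encoding")
    if "keepalive_log" in hits:
        caps.append("c2 keepalive logging")
    return caps


# Constructed sample buffer: padding, one wide string at offset 16, more
# padding, one narrow string at offset 72, then filler bytes.
SAMPLE: bytes = (
    b"\x00" * 16
    + "Online Keylogger Stopped".encode("utf-16-le")   # 48 bytes
    + b"\x00" * 8
    + b"image/jpeg\x00"
    + b"\x90" * 16
)

if __name__ == "__main__":
    found = scan_buffer(SAMPLE)
    for name in sorted(found):
        print(f"{name}: {found[name]}")
    print("capabilities:", capability_summary(found))
```

Run it against the dumped region listed under "Memory Dump Source" (scan_file on the .sdmp) rather than the packed on-disk file; the strings are visible in the unpacked image the report was produced from. A hit on the wide form with no ASCII counterpart is normal for strings that only reach wsprintfW.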
                                      APIs
                                      • waveInPrepareHeader.WINMM(00880118,00000020,?,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 00401747
                                      • waveInAddBuffer.WINMM(00880118,00000020,?,00000000,00401913), ref: 0040175D
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: wave$BufferHeaderPrepare
                                      • String ID: T=G
                                      • API String ID: 2315374483-379896819
                                      • Opcode ID: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                      • Instruction ID: f8644d152c35c587af506687758c025c54344a6e575747702fe1289d7b8da532
                                      • Opcode Fuzzy Hash: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                      • Instruction Fuzzy Hash: 65018B71301300AFD7209F39EC45A69BBA9EB4931AF01413EB808D32B1EB34A8509B98
                                      APIs
                                      • IsValidLocale.KERNEL32(00000000,j=D,00000000,00000001,?,?,00443D6A,?,?,?,?,00000004), ref: 004477DC
                                      Strings
                                      Memory Dump Source
                                      • Source File: 00000000.00000002.3882267667.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                       • Associated: 00000000.00000002.3882109649.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882586176.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882758673.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                       • Associated: 00000000.00000002.3882870998.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                      Joe Sandbox IDA Plugin
                                      • Snapshot File: hcaresult_0_2_400000_173347927400d8505e200f1b76c0df0392d3948b50b640983683242dde80f09986d206.jbxd
                                      Yara matches
                                      Similarity
                                      • API ID: LocaleValid
                                      • String ID: IsValidLocaleName$j=D
                                      • API String ID: 1901932003-3128777819
                                      • Opcode ID: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                      • Instruction ID: d075984350fdfa8650c9f53b231b8a0b142c4dacf6ed37e79753978632a381d4
                                      • Instruction Fuzzy Hash: B7F0E930A45218F7EA116B61DC06F5EBB54CF49B11F50407AFD056A293CB796D0195DC
                                      Similarity
                                      • API ID: H_prolog
                                      • String ID: T=G$T=G
                                      • API String ID: 3519838083-3732185208
                                      • Opcode ID: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
                                      • Instruction ID: 37a3980bbf64332544f5ef03d086655580814226aad47650f393c0c18fea351b
                                      • Instruction Fuzzy Hash: BCF0E971A00220ABC714BB65C80669EB774EF41369F10827FB416B72E1CBBD5D04D65D
                                      APIs
                                      • GetKeyState.USER32(00000011), ref: 0040AD5B
                                        • Part of subcall function 00409B10: GetForegroundWindow.USER32(?,?,004740F8), ref: 00409B3F
                                        • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                        • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                        • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
                                        • Part of subcall function 00409B10: GetKeyboardState.USER32(?,?,004740F8), ref: 00409B67
                                        • Part of subcall function 00409B10: ToUnicodeEx.USER32(0047414C,00000000,?,?,00000010,00000000,00000000), ref: 00409B8A
                                        • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                        • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                      Similarity
                                      • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                      • String ID: [AltL]$[AltR]
                                      • API String ID: 2738857842-2658077756
                                      • Opcode ID: 0fd097a0a4b99d70b02a08e9004214b89ee8ccd3163f9cf7526c1a47b2b50f16
                                      • Instruction ID: d2c0c429c9fe13b3c6c970781ecfc4970ab7400740a1dec538c1fc9fef0a0b20
                                      • Instruction Fuzzy Hash: 47E0652134072117C898323EA91E6EE3A228F82B65B80416FF8866BAD6DD6D4D5053CB
                                      APIs
                                      • _free.LIBCMT ref: 00448825
                                        • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                        • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                      Similarity
                                      • API ID: ErrorFreeHeapLast_free
                                      • String ID: `@$`@
                                      • API String ID: 1353095263-20545824
                                      • Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                      • Instruction ID: 46705ffcfacdd7a720b29fb61e5cb4af2d59a6418439a2947ca99394172970e0
                                      • Instruction Fuzzy Hash: B9E06D761006059F8720DE6DD400A86B7E4EF95360320852AE89DE3310DB32E812CB40
                                      APIs
                                      • GetKeyState.USER32(00000012), ref: 0040ADB5
                                      Similarity
                                      • API ID: State
                                      • String ID: [CtrlL]$[CtrlR]
                                      • API String ID: 1649606143-2446555240
                                      • Opcode ID: 8f256fbae12a6d1972e20e0d193ff0540306bf2bf736503aba8af0ee0077a29a
                                      • Instruction ID: 615b7dbe40c0b8188db9493e0f2b19f017fb36a74fa458c508a435569d7d4a1e
                                      • Instruction Fuzzy Hash: 71E0862170071117C514353DD61A67F39228F41776F80013FF882ABAC6E96D8D6023CB
                                      APIs
                                      • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040BFB2,00000000,004742E0,004742F8,?,pth_unenc), ref: 00412988
                                      • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412998
                                      Strings
                                      • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986
                                      Similarity
                                      • API ID: DeleteOpenValue
                                      • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                      • API String ID: 2654517830-1051519024
                                      • Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                      • Instruction ID: 4813e9247c8a4fa7715124fbb4df20ddc3d96ddce1d5e270e7c0f337b45b5704
                                      • Instruction Fuzzy Hash: 0AE01270310304BFEF104F61ED06FDB37ACBB80B89F004165F505E5191E2B5DD54A658
                                      APIs
                                      • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040AF84
                                      • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040AFAF
                                      Similarity
                                      • API ID: DeleteDirectoryFileRemove
                                      • String ID: pth_unenc
                                      • API String ID: 3325800564-4028850238
                                      • Opcode ID: 2e8d6704218f96b318e7a73bad0b28a6b8edcd2455483e95ffe0dafda84626ef
                                      • Instruction ID: b68931c7331ddc333ece9e06749e281aefc344294653c9eba2f2de372e339d66
                                      • Instruction Fuzzy Hash: FEE046715112108BC610AB31EC44AEBB398AB05316F00487FF8D3A36A1DE38A988CA98
                                      APIs
                                      • TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                      • WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                      Similarity
                                      • API ID: ObjectProcessSingleTerminateWait
                                      • String ID: pth_unenc
                                      • API String ID: 1872346434-4028850238
                                      • Opcode ID: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                                      • Instruction ID: 4302d9c34f7b4dbdac7fc8682473a51625df35810590c52ad239c14707b44b4b
                                      • Instruction Fuzzy Hash: C1D0C938559211AFD7614B68BC08B453B6AA745222F108277F828413F1C72598A4AE1C
                                      APIs
                                      • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FAF4
                                      • GetLastError.KERNEL32 ref: 0043FB02
                                      • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB5D
                                      Similarity
                                      • API ID: ByteCharMultiWide$ErrorLast
                                      • String ID:
                                      • API String ID: 1717984340-0
                                      • Opcode ID: a3a9a9c7793c2081db5377885f607edf127f94d6c053b0090e31d102b176707d
                                      • Instruction ID: ecac45699e256c48587d6f27f66036641a8fb520bb473c9b2adecd150689d728
                                      • Instruction Fuzzy Hash: 65414871E00206AFCF258F65C854ABBFBA4EF09310F1451BAF858973A1DB38AD09C759