
Windows Analysis Report
173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe

Overview

General Information

Sample name: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe
Analysis ID: 1572016
MD5: fd69bd4925fb7a2bb5798f2d2be42cbc
SHA1: 4e2003121d6ccd82a887f0b92695779c676778c1
SHA256: 0d97708b73548a54a6a9995f484e942e3d72050e7a02d71ab16ed776e6300410
Tags: base64-decoded, exe, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Installs a global keyboard hook
Machine Learning detection for sample
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Extracted malware configuration (Remcos):
{"Host:Port:Password": ["rem.pushswroller.eu:23101:1", "firewarzone.ydns.eu:23101:1", "sun.drillmmcsnk.eu:23101:1"], "Assigned name": "NW", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmcghghyrtssxr-7RL1P2", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Yara matches on the submitted sample (Source | Rule | Description | Author; matched strings listed beneath the rule):
173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6aaf8:$a1: Remcos restarted by watchdog!
  • 0x6b070:$a3: %02i:%02i:%02i:%03i
173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | REMCOS_RAT_variants | unknown | unknown
  • 0x64d94:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64e04:$str_b2: Executing file:
  • 0x65c3c:$str_b3: GetDirectListeningPort
  • 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65780:$str_b7: \update.vbs
  • 0x64e2c:$str_b9: Downloaded file:
  • 0x64e18:$str_b10: Downloading file:
  • 0x64ebc:$str_b12: Failed to upload file:
  • 0x65c04:$str_b13: StartForward
  • 0x65c24:$str_b14: StopForward
  • 0x656d8:$str_b15: fso.DeleteFile "
  • 0x6566c:$str_b16: On Error Resume Next
  • 0x65708:$str_b17: fso.DeleteFolder "
  • 0x64eac:$str_b18: Uploaded file:
  • 0x64e6c:$str_b19: Unable to delete:
  • 0x656a0:$str_b20: while fso.FileExists("
  • 0x65349:$str_c0: [Firefox StoredLogins not found]
Yara matches on dropped files (Source | Rule | Description | Author):
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
Yara matches in process memory dumps (Source | Rule | Description | Author; matched strings listed beneath the rule):
00000000.00000002.4449750727.000000000230F000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000000.2005439532.0000000000457000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
00000000.00000000.2005439532.0000000000457000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
00000000.00000000.2005439532.0000000000457000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
00000000.00000000.2005439532.0000000000457000.00000002.00000001.01000000.00000003.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x146f8:$a1: Remcos restarted by watchdog!
  • 0x14c70:$a3: %02i:%02i:%02i:%03i
Yara matches on unpacked PE files (Source | Rule | Description | Author; matched strings listed beneath the rule):
0.0.173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security
0.0.173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security
0.0.173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security
0.0.173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown
  • 0x6aaf8:$a1: Remcos restarted by watchdog!
  • 0x6b070:$a3: %02i:%02i:%02i:%03i
0.0.173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown
  • 0x64d94:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64e04:$str_b2: Executing file:
  • 0x65c3c:$str_b3: GetDirectListeningPort
  • 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65780:$str_b7: \update.vbs
  • 0x64e2c:$str_b9: Downloaded file:
  • 0x64e18:$str_b10: Downloading file:
  • 0x64ebc:$str_b12: Failed to upload file:
  • 0x65c04:$str_b13: StartForward
  • 0x65c24:$str_b14: StopForward
  • 0x656d8:$str_b15: fso.DeleteFile "
  • 0x6566c:$str_b16: On Error Resume Next
  • 0x65708:$str_b17: fso.DeleteFolder "
  • 0x64eac:$str_b18: Uploaded file:
  • 0x64e6c:$str_b19: Unable to delete:
  • 0x656a0:$str_b20: while fso.FileExists("
  • 0x65349:$str_c0: [Firefox StoredLogins not found]

Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, ProcessId: 4276, TargetFilename: C:\ProgramData\remcos\logs.dat

Suricata IDS alerts (Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol):
2024-12-10T01:11:54.767849+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 45.80.158.30 | 23101 | TCP
2024-12-10T01:11:57.375261+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.5 | 49705 | 178.237.33.50 | 80 | TCP


AV Detection

Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Avira: detected
Source: rem.pushswroller.eu | Avira URL Cloud: Label: malware
Source: firewarzone.ydns.eu | Avira URL Cloud: Label: malware
Source: sun.drillmmcsnk.eu | Avira URL Cloud: Label: malware
Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["rem.pushswroller.eu:23101:1", "firewarzone.ydns.eu:23101:1", "sun.drillmmcsnk.eu:23101:1"], "Assigned name": "NW", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmcghghyrtssxr-7RL1P2", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: rem.pushswroller.eu | Virustotal: Detection: 11%
Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | ReversingLabs: Detection: 68%
Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Virustotal: Detection: 81%
Source: Yara match | File source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4449750727.000000000230F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2005439532.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4449494395.000000000056E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe PID: 4276, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_0043293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_0043293A
Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY----- memstr_f65b5dc4-2

Exploits

Source: Yara match | File source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2005439532.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe PID: 4276, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_00406764 _wcslen,CoGetObject,0_2_00406764
Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040B335
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,0_2_0041B42F
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040B53A
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_0044D5E9 FindFirstFileExA,0_2_0044D5E9
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,0_2_004089A9
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_00406AC2 FindFirstFileW,FindNextFileW,0_2_00406AC2
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,0_2_00407A8C
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00418C69
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,0_2_00408DA7
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00406F06

Networking

Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49704 -> 45.80.158.30:23101
Source: Malware configuration extractor | URLs: rem.pushswroller.eu
Source: Malware configuration extractor | URLs: firewarzone.ydns.eu
Source: Malware configuration extractor | URLs: sun.drillmmcsnk.eu
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 45.80.158.30:23101
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | ASN Name: UK2NET-ASGB
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49705 -> 178.237.33.50:80
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_004260F7 recv,0_2_004260F7
Source: global traffic | HTTP traffic detected: GET /json.gp HTTP/1.1 | Host: geoplugin.net | Cache-Control: no-cache
Source: global traffic | DNS traffic detected: DNS query: rem.pushswroller.eu
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000003.2052196553.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000003.2052069787.00000000005D2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/
Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000003.2052196553.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000003.2052069787.00000000005D2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/D
Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000003.2052069787.00000000005B2000.00000004.00000020.00020000.00000000.sdmp, 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000002.4449494395.000000000056E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000003.2052069787.00000000005B2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp.
Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000003.2052069787.00000000005B2000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpL
Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000002.4449494395.000000000056E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpSystem32

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000 0_2_004099E4
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,0_2_004159C6
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,0_2_00409B10
Source: Yara match | File source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2005439532.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe PID: 4276, type: MEMORYSTR

E-Banking Fraud

Source: Yara match | File source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4449750727.000000000230F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2005439532.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4449494395.000000000056E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe PID: 4276, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_0041BB77 SystemParametersInfoW,0_2_0041BB77

System Summary

Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, type: SAMPLE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 0.0.173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 0.0.173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 0.0.173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 0.2.173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 0.2.173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
Source: 0.2.173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
Source: 00000000.00000000.2005439532.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: Process Memory Space: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe PID: 4276, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Process Stats: CPU usage > 49%
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_0041ACC1 OpenProcess,NtSuspendProcess,CloseHandle,0_2_0041ACC1
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_0041ACED OpenProcess,NtResumeProcess,CloseHandle,0_2_0041ACED
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress,0_2_004158B9
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_0041D071
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_004520D2
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_0043D098
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_00437150
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCode function: 0_2_004361AA0_2_004361AA
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCode function: 0_2_004262540_2_00426254
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCode function: 0_2_004313770_2_00431377
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCode function: 0_2_0043651C0_2_0043651C
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCode function: 0_2_0041E5DF0_2_0041E5DF
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCode function: 0_2_0044C7390_2_0044C739
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCode function: 0_2_004367C60_2_004367C6
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCode function: 0_2_004267CB0_2_004267CB
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCode function: 0_2_0043C9DD0_2_0043C9DD
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCode function: 0_2_00432A490_2_00432A49
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCode function: 0_2_00436A8D0_2_00436A8D
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCode function: 0_2_0043CC0C0_2_0043CC0C
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCode function: 0_2_00436D480_2_00436D48
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCode function: 0_2_00434D220_2_00434D22
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCode function: 0_2_00426E730_2_00426E73
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCode function: 0_2_00440E200_2_00440E20
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCode function: 0_2_0043CE3B0_2_0043CE3B
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCode function: 0_2_00412F450_2_00412F45
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCode function: 0_2_00452F000_2_00452F00
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCode function: 0_2_00426FAD0_2_00426FAD
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCode function: String function: 00401F66 appears 50 times
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCode function: String function: 004020E7 appears 40 times
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCode function: String function: 004338A5 appears 42 times
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCode function: String function: 00433FB0 appears 55 times
                        Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeStatic PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                        Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, type: SAMPLEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, type: SAMPLEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                        Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, type: SAMPLEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 0.0.173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 0.0.173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                        Source: 0.0.173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 0.2.173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 0.2.173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                        Source: 0.2.173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                        Source: 00000000.00000000.2005439532.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: Process Memory Space: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe PID: 4276, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                        Source: classification engineClassification label: mal100.rans.troj.spyw.expl.evad.winEXE@1/2@2/2
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCode function: 0_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,0_2_00416AB7
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCode function: 0_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle,0_2_0040E219
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCode function: 0_2_0041A63F FindResourceA,LoadResource,LockResource,SizeofResource,0_2_0041A63F
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCode function: 0_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_00419BC4
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\json[1].jsonJump to behavior
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeMutant created: \Sessions\1\BaseNamedObjects\Rmcghghyrtssxr-7RL1P2
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: Software\0_2_0040D767
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: Exe0_2_0040D767
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: Exe0_2_0040D767
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: 0DG0_2_0040D767
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: Inj0_2_0040D767
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: Inj0_2_0040D767
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: BG0_2_0040D767
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: BG0_2_0040D767
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: BG0_2_0040D767
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: @CG0_2_0040D767
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: BG0_2_0040D767
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: exepath0_2_0040D767
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: @CG0_2_0040D767
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: exepath0_2_0040D767
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: BG0_2_0040D767
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: licence0_2_0040D767
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: `=G0_2_0040D767
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: XCG0_2_0040D767
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: dCG0_2_0040D767
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: Administrator0_2_0040D767
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: User0_2_0040D767
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: del0_2_0040D767
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: del0_2_0040D767
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeCommand line argument: del0_2_0040D767
                        Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                        Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeReversingLabs: Detection: 68%
                        Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeVirustotal: Detection: 81%
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeSection loaded: apphelp.dllJump to behavior
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeSection loaded: winmm.dllJump to behavior
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeSection loaded: urlmon.dllJump to behavior
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeSection loaded: wininet.dllJump to behavior
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeSection loaded: iertutil.dllJump to behavior
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeSection loaded: srvcli.dllJump to behavior
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeSection loaded: netutils.dllJump to behavior
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeSection loaded: iphlpapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeSection loaded: sspicli.dllJump to behavior
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeSection loaded: mswsock.dllJump to behavior
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeSection loaded: dnsapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeSection loaded: rasadhlp.dllJump to behavior
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeSection loaded: fwpuclnt.dllJump to behavior
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeSection loaded: cryptsp.dllJump to behavior
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeSection loaded: rsaenh.dllJump to behavior
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeSection loaded: cryptbase.dllJump to behavior
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeSection loaded: windows.storage.dllJump to behavior
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeSection loaded: wldp.dllJump to behavior
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeSection loaded: profapi.dllJump to behavior
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeSection loaded: kernel.appcore.dllJump to behavior
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeSection loaded: winhttp.dllJump to behavior
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeSection loaded: winnsi.dllJump to behavior
                        Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
                        Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                        Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                        Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                        Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                        Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                        Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                        Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                        Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                        Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                        Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exeStatic PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041BCE3
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_004567E0 push eax; ret 0_2_004567FE
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_00455EAF push ecx; ret 0_2_00455EC2
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_00433FF6 push ecx; ret 0_2_00434009
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_00406128 ShellExecuteW,URLDownloadToFileW,0_2_00406128
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_00419BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,0_2_00419BC4
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Process information set: NOOPENFILEERRORBOX

                        Malware Analysis System Evasion

Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_0040E54F Sleep,ExitProcess,0_2_0040E54F
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,0_2_004198C2
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Window / User API: threadDelayed 4038
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Window / User API: threadDelayed 5481
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Window / User API: foregroundWindowGot 1770
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, TID: 1100 | Thread sleep count: 236 > 30
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, TID: 1100 | Thread sleep time: -118000s >= -30000s
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, TID: 4280 | Thread sleep count: 4038 > 30
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, TID: 4280 | Thread sleep time: -12114000s >= -30000s
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, TID: 4280 | Thread sleep count: 5481 > 30
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, TID: 4280 | Thread sleep time: -16443000s >= -30000s
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040B335
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_0041B42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,0_2_0041B42F
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040B53A
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_0044D5E9 FindFirstFileExA,0_2_0044D5E9
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,0_2_004089A9
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_00406AC2 FindFirstFileW,FindNextFileW,0_2_00406AC2
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,0_2_00407A8C
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_00418C69 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00418C69
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,0_2_00408DA7
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00406F06
Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000002.4449555695.00000000005E9000.00000004.00000020.00020000.00000000.sdmp, 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000003.2052196553.00000000005E9000.00000004.00000020.00020000.00000000.sdmp, 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000002.4449494395.000000000056E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000002.4449555695.00000000005E9000.00000004.00000020.00020000.00000000.sdmp, 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000003.2052196553.00000000005E9000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWga>r
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | API call chain: ExitProcess graph end node graph_0-47997
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_0043A65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_0043A65D
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_0041BCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041BCE3
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_00442554 mov eax, dword ptr fs:[00000030h] 0_2_00442554
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_0044E92E GetProcessHeap,0_2_0044E92E
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_00434168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,0_2_00434168
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_00433B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,0_2_00433B44
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_00433CD7 SetUnhandledExceptionFilter,0_2_00433CD7
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe 0_2_00410F36
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_00418754 mouse_event,0_2_00418754
Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000002.4449555695.00000000005DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerGl
Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000002.4449555695.00000000005DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager(
Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000002.4449555695.00000000005DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager&
Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000002.4449555695.00000000005DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000002.4449555695.00000000005DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerO
Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000002.4449555695.00000000005DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerr|
Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000002.4449555695.00000000005DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerbutp
Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000002.4449555695.00000000005DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerV
Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000002.4449555695.00000000005DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerAu
Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000002.4449555695.00000000005DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager3
Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000002.4449494395.000000000056E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manageron File~
Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000002.4449555695.00000000005DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerr
Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000002.4449555695.00000000005DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerWu+p
Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000002.4449555695.00000000005DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managernet/D
Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000002.4449555695.00000000005DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager}
Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000002.4449494395.000000000056E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000002.4449555695.00000000005DE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager~up
Source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000002.4449494395.000000000056E000.00000004.00000020.00020000.00000000.sdmp, logs.dat.0.dr | Binary or memory string: [Program Manager]
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_00433E0A cpuid 0_2_00433E0A
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: GetLocaleInfoA,0_2_0040E679
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: EnumSystemLocalesW,0_2_004470AE
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: GetLocaleInfoW,0_2_004510BA
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP,0_2_004511E3
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: GetLocaleInfoW,0_2_004512EA
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,0_2_004513B7
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: GetLocaleInfoW,0_2_00447597
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,0_2_00450A7F
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: EnumSystemLocalesW,0_2_00450CF7
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: EnumSystemLocalesW,0_2_00450D42
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: EnumSystemLocalesW,0_2_00450DDD
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,0_2_00450E6A
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_00404915 GetLocalTime,CreateEventA,CreateThread,0_2_00404915
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_0041A7A2 GetComputerNameExW,GetUserNameW,0_2_0041A7A2
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: 0_2_0044800F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,0_2_0044800F
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
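The per-thread sleep figures above become more telling once divided out: 118000 over 236 calls and 12114000 or 16443000 over 4038 or 5481 calls are fixed intervals of 500 and 3000 ms, i.e. polling loops rather than one long stall. The Python below is an added example, not part of the Joe Sandbox report and not Remcos code; it parses lines in the report's format, derives the interval and the cumulative delay per thread, and applies the thresholds the report prints (more than 30 sleeps, at least 30000 total). It assumes the printed magnitudes are milliseconds and that the leading minus sign is the relative-delay convention of NtDelayExecution echoed by the sandbox; both are assumptions, and the input lines are constructed from the figures reported for this sample.

```python
"""Added example (not from the report): turn per-thread sleep statistics
into interval and cumulative-delay figures. Input lines are constructed
to mirror the report's 'Thread sleep count' / 'Thread sleep time' lines.
Assumption: the magnitudes are milliseconds; the minus sign is the
relative-delay convention of NtDelayExecution as echoed by the sandbox."""
import re
from dataclasses import dataclass

SLEEP_COUNT_THRESHOLD = 30        # report prints "count > 30"
SLEEP_TIME_THRESHOLD_MS = 30_000  # report prints "time >= -30000s"

# Constructed sample lines carrying the figures reported for this sample,
# plus one thread below the thresholds to show it being ignored.
SAMPLE_LINES = [
    "TID: 1100 Thread sleep count: 236 > 30",
    "TID: 1100 Thread sleep time: -118000s >= -30000s",
    "TID: 4280 Thread sleep count: 4038 > 30",
    "TID: 4280 Thread sleep time: -12114000s >= -30000s",
    "TID: 4280 Thread sleep count: 5481 > 30",
    "TID: 4280 Thread sleep time: -16443000s >= -30000s",
    "TID: 9999 Thread sleep count: 3 > 30",
    "TID: 9999 Thread sleep time: -1500s >= -30000s",
]

COUNT_RE = re.compile(r"TID:\s*(\d+)\s+Thread sleep count:\s*(\d+)")
TIME_RE = re.compile(r"TID:\s*(\d+)\s+Thread sleep time:\s*-?(\d+)s")


@dataclass(frozen=True)
class SleepObservation:
    tid: int
    count: int
    total_ms: int

    @property
    def interval_ms(self) -> float:
        """Average length of one Sleep() call in this run of sleeps."""
        return self.total_ms / self.count

    @property
    def total_seconds(self) -> float:
        return self.total_ms / 1000

    def exceeds_thresholds(self) -> bool:
        return (self.count > SLEEP_COUNT_THRESHOLD
                and self.total_ms >= SLEEP_TIME_THRESHOLD_MS)


def parse_sleep_observations(lines):
    """Pair each 'sleep count' line with the 'sleep time' line for the same
    TID that follows it; unpaired lines are dropped."""
    observations, pending = [], None
    for line in lines:
        m = COUNT_RE.search(line)
        if m:
            pending = (int(m.group(1)), int(m.group(2)))
            continue
        m = TIME_RE.search(line)
        if m and pending and int(m.group(1)) == pending[0]:
            observations.append(
                SleepObservation(pending[0], pending[1], int(m.group(2))))
            pending = None
    return observations


def flagged_threads(observations):
    """(tid, count, interval_ms, total_seconds) for runs over both thresholds."""
    return [(o.tid, o.count, o.interval_ms, o.total_seconds)
            for o in observations if o.exceeds_thresholds()]


def cumulative_delay_seconds(observations):
    """Total requested delay per thread, summing every flagged run of sleeps."""
    totals = {}
    for o in observations:
        if o.exceeds_thresholds():
            totals[o.tid] = totals.get(o.tid, 0.0) + o.total_seconds
    return totals


if __name__ == "__main__":
    obs = parse_sleep_observations(SAMPLE_LINES)
    for tid, count, interval, seconds in flagged_threads(obs):
        print(f"TID {tid}: {count} sleeps x {interval:.0f} ms = {seconds:.0f} s")
    print("cumulative delay per thread (s):", cumulative_delay_seconds(obs))
```

Thread 4280 alone requests about 28557 s of delay, roughly 7.9 hours, against an analysis run of 6 m 12 s (see the analysis metadata at the end of the report); that only fits if the sandbox shortens the Sleep calls, which is what the threadDelayed observations record. The fixed 500 ms and 3000 ms intervals are what one expects from a keylogger's window-title polling loop, consistent with the foregroundWindowGot 1770 count and the captured "Program Manager" window-title strings above.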

                        Stealing of Sensitive Information

Source: Yara match | File source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4449750727.000000000230F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2005439532.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4449494395.000000000056E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe PID: 4276, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 0_2_0040B21B
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 0_2_0040B335
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: \key3.db 0_2_0040B335

                        Remote Access Functionality

Source: Yara match | File source: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.0.173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4449750727.000000000230F000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2005439532.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4449494395.000000000056E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe PID: 4276, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | Code function: cmd.exe 0_2_00405042
MITRE ATT&CK Matrix (reconstructed from the flattened table: one line per tactic column, techniques in the report's row order; a figure in square brackets is the count badge printed next to that technique, and techniques without a badge are the matrix's unmatched cells)

Reconnaissance: Gather Victim Identity Information | Credentials | Email Addresses | Employee Names | Gather Victim Network Information | Domain Properties | DNS | Network Trust Dependencies | Network Topology | IP Addresses
Resource Development: Acquire Infrastructure | Domains | DNS Server | Virtual Private Server | Server | Botnet | Web Services | Serverless | Malvertising | Compromise Infrastructure
Initial Access: Valid Accounts | Default Accounts | Domain Accounts | Local Accounts | Cloud Accounts | Replication Through Removable Media | External Remote Services | Drive-by Compromise | Exploit Public-Facing Application | Supply Chain Compromise
Execution: Native API [1] | Command and Scripting Interpreter [12] | Service Execution [2] | Cron | Launchd | Scheduled Task | Systemd Timers | Container Orchestration Job | Command and Scripting Interpreter | PowerShell
Persistence: DLL Side-Loading [1] | Windows Service [1] | Logon Script (Windows) | Login Hook | Network Logon Script | RC Scripts | Startup Items | Scheduled Task/Job | At | Cron
Privilege Escalation: DLL Side-Loading [1] | Bypass User Account Control [1] | Access Token Manipulation [1] | Windows Service [1] | Process Injection [11] | RC Scripts | Startup Items | Scheduled Task/Job | At | Cron
Defense Evasion: Deobfuscate/Decode Files or Information [1] | Obfuscated Files or Information [2] | DLL Side-Loading [1] | Bypass User Account Control [1] | Masquerading [1] | Virtualization/Sandbox Evasion [1] | Access Token Manipulation [1] | Process Injection [11] | HTML Smuggling | Dynamic API Resolution
Credential Access: OS Credential Dumping [1] | Input Capture [211] | Credentials In Files [2] | NTDS | LSA Secrets | Cached Domain Credentials | DCSync | Proc Filesystem | /etc/passwd and /etc/shadow | Network Sniffing
Discovery: System Time Discovery [2] | Account Discovery [1] | System Service Discovery [1] | File and Directory Discovery [2] | System Information Discovery [23] | Security Software Discovery [21] | Virtualization/Sandbox Evasion [1] | Process Discovery [2] | Application Window Discovery [1] | System Owner/User Discovery [1]
Lateral Movement: Remote Services | Remote Desktop Protocol | SMB/Windows Admin Shares | Distributed Component Object Model | SSH | VNC | Windows Remote Management | Cloud Services | Direct Cloud VM Connections | Shared Webroot
Collection: Archive Collected Data [11] | Input Capture [211] | Clipboard Data [3] | Input Capture | Keylogging | GUI Input Capture | Web Portal Capture | Credential API Hooking | Data Staged | Local Data Staging
Command and Control: Ingress Tool Transfer [12] | Encrypted Channel [2] | Non-Standard Port [1] | Non-Application Layer Protocol [2] | Application Layer Protocol [12] | Multiband Communication | Commonly Used Port | Application Layer Protocol | Web Protocols | File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium | Exfiltration Over Bluetooth | Automated Exfiltration | Traffic Duplication | Scheduled Transfer | Data Transfer Size Limits | Exfiltration Over C2 Channel | Exfiltration Over Alternative Protocol | Exfiltration Over Symmetric Encrypted Non-C2 Protocol | Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot [1] | Defacement [1] | Data Encrypted for Impact | Data Destruction | Data Encrypted for Impact | Service Stop | Inhibit System Recovery | Defacement | Internal Defacement | External Defacement

Source | Detection | Scanner | Label
173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | 68% | ReversingLabs | Win32.Backdoor.Remcos
173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | 82% | Virustotal |
173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | 100% | Avira | BDS/Backdoor.Gen
173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | 100% | Joe Sandbox ML |
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
rem.pushswroller.eu | 11% | Virustotal |
Source | Detection | Scanner | Label
rem.pushswroller.eu | 100% | Avira URL Cloud | malware
firewarzone.ydns.eu | 100% | Avira URL Cloud | malware
sun.drillmmcsnk.eu | 100% | Avira URL Cloud | malware
firewarzone.ydns.eu | 2% | Virustotal |
rem.pushswroller.eu | 11% | Virustotal |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
rem.pushswroller.eu | 45.80.158.30 | true | true | | unknown
geoplugin.net | 178.237.33.50 | true | false | | high
Name | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp | false | | high
firewarzone.ydns.eu | true | 2% Virustotal; Avira URL Cloud: malware | unknown
sun.drillmmcsnk.eu | true | Avira URL Cloud: malware | unknown
rem.pushswroller.eu | true | 11% Virustotal; Avira URL Cloud: malware | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/D | 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000003.2052196553.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000003.2052069787.00000000005D2000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/ | 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000003.2052196553.00000000005DC000.00000004.00000020.00020000.00000000.sdmp, 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000003.2052069787.00000000005D2000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gp/C | 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe | false | | high
http://geoplugin.net/json.gpL | 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000003.2052069787.00000000005B2000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpSystem32 | 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000002.4449494395.000000000056E000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gp. | 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, 00000000.00000003.2052069787.00000000005B2000.00000004.00000020.00020000.00000000.sdmp | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
45.80.158.30 | rem.pushswroller.eu | Netherlands | 13213 | UK2NET-ASGB | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1572016
Start date and time: 2024-12-10 01:11:05 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 12s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@1/2@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 37
• Number of non-executed functions: 205
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240s for sample files taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 4.175.87.197, 13.107.246.63
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtQueryValueKey calls found.
Time | Type | Description
19:12:23 | API Interceptor | 7658602x Sleep call for process: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe modified
Match | Associated Sample Name / URL | Detection | Threat Name | Context
45.80.158.30 | 173261064444feee4c05378d5cb0bdc1a536ff9f623e28d93246c641e622bd865a85d1a223699.dat-decoded.exe | malicious | Snake Keylogger, VIP Keylogger | sws.swpushroller.eu/swsk/P4.php
45.80.158.30 | Doc261124.vbs | malicious | Snake Keylogger, VIP Keylogger | sws.swpushroller.eu/swsk/P4.php
178.237.33.50 | 1733782507080baec6756496aa00a9de94bd4b6146711872f8ab63e40379ca627825be54c2492.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 4wECQoBvYC.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Aktarma,pdf.vbs | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Ref#60031796.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | PEbZthAqV9.exe | malicious | Remcos, PureLog Stealer | geoplugin.net/json.gp
178.237.33.50 | IB9876789000.bat.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | scan_241205-801_draft_PO.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | NewOrder12052024.js | malicious | Remcos | geoplugin.net/json.gp
Match | Associated Sample Name / URL | Detection | Threat Name | Context
rem.pushswroller.eu | Aktarma,pdf.vbs | malicious | Remcos | 45.80.158.30
geoplugin.net | 1733782507080baec6756496aa00a9de94bd4b6146711872f8ab63e40379ca627825be54c2492.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 4wECQoBvYC.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | Aktarma,pdf.vbs | malicious | Remcos | 178.237.33.50
geoplugin.net | Ref#60031796.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | PEbZthAqV9.exe | malicious | Remcos, PureLog Stealer | 178.237.33.50
geoplugin.net | IB9876789000.bat.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | scan_241205-801_draft_PO.exe | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | NewOrder12052024.js | malicious | Remcos | 178.237.33.50
Match | Associated Sample Name / URL | Detection | Threat Name | Context
ATOM86-ASATOM86NL | 1733782507080baec6756496aa00a9de94bd4b6146711872f8ab63e40379ca627825be54c2492.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 4wECQoBvYC.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | Aktarma,pdf.vbs | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | Ref#60031796.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | PEbZthAqV9.exe | malicious | Remcos, PureLog Stealer | 178.237.33.50
ATOM86-ASATOM86NL | IB9876789000.bat.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 1733479274764e7b4f05da07e19f78d3cf31f2aafa2f5d7a78af2fd18749e25dbbc1473b66785.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 17334752451c3a43189360a7e5b86f13b5ea7a6044304256a8f4c49ad5d5bd4831e72ee12e792.dat-decoded.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | scan_241205-801_draft_PO.exe | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | NewOrder12052024.js | malicious | Remcos | 178.237.33.50
UK2NET-ASGB | Aktarma,pdf.vbs | malicious | Remcos | 45.80.158.30
UK2NET-ASGB | main_m68k.elf | malicious | Mirai | 77.92.90.50
UK2NET-ASGB | la.bot.mips.elf | malicious | Unknown | 88.202.185.180
UK2NET-ASGB | la.bot.m68k.elf | malicious | Unknown | 46.28.54.10
UK2NET-ASGB | 173261064444feee4c05378d5cb0bdc1a536ff9f623e28d93246c641e622bd865a85d1a223699.dat-decoded.exe | malicious | Snake Keylogger, VIP Keylogger | 45.80.158.30
UK2NET-ASGB | Doc261124.vbs | malicious | Snake Keylogger, VIP Keylogger | 45.80.158.30
UK2NET-ASGB | loligang.x86.elf | malicious | Mirai | 80.209.188.4
UK2NET-ASGB | ajbKFgQ0Fl.exe | malicious | Unknown | 45.80.158.23
UK2NET-ASGB | 8UUxoKYpTx.elf | malicious | Mirai | 173.244.199.148
UK2NET-ASGB | la.bot.mips.elf | malicious | Unknown | 83.170.86.99
                                        No context
                                        No context
Process: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe
File Type: data
Category: dropped
Size (bytes): 144
Entropy (8bit): 3.3544524354439966
Encrypted: false
SSDEEP: 3:rhlKlyKvlUNpcl5JWRal2Jl+7R0DAlBG45klovDl6v:6lZvZ5YcIeeDAlOWAv
MD5: 9513681C1FB25ED375EC6634CE606E2A
SHA1: 7F574D1C688FE5C22966155A55FDD8D480789030
SHA-256: 3138EC700F1B1E0FB15714BED2902BD8DA1DE7648BC39070D5A2850AC140E29A
SHA-512: C1902BB082387279BDF35A28C91CBB2CAD7AA2A1FA398CBCFD05E2691856E93C72EEEE8020DAE109B84F58BFBA667360A7314EFB5B0A6F2C43839BA2CA9F485C
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Reputation: low
Preview: ....[.2.0.2.4./.1.2./.0.9. .1.9.:.1.1.:.5.1. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....

Process: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe
File Type: JSON data
Category: dropped
Size (bytes): 963
Entropy (8bit): 5.0143349734363944
Encrypted: false
SSDEEP: 12:tkluJnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzkw+:qluNdRNuKyGX85jvXhNlT3/7CcVKWro
MD5: 517E0E0BC7565FB1CDCECFB0E4421349
SHA1: 38CB767DA49883DE4FA050457892853B6FCFE47B
SHA-256: 31DB20C8590601801F6F99E3810B99E5C4A814366400AF03D4980A4DE9408793
SHA-512: 39253A4F06ADE6FDF9629A64614FC5356C4F6453EA8C206D68957A897A748B5CED11F0FC12C5C9CBB93FE56335551E04EE6FE55B65405B3206366C10FB91930F
Malicious: false
Reputation: low
Preview: {. "geoplugin_request":"8.46.123.228",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7503",. "geoplugin_longitude":"-74.0014",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":"$",. "geoplugin_currencySymbol_UTF8":"$",. "geoplugin_currencyConverter":0.}
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.586544250732758
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe
File size: 493'056 bytes
MD5: fd69bd4925fb7a2bb5798f2d2be42cbc
SHA1: 4e2003121d6ccd82a887f0b92695779c676778c1
SHA256: 0d97708b73548a54a6a9995f484e942e3d72050e7a02d71ab16ed776e6300410
SHA512: 6dbd5a357ca9e639c01cea70d6f90527896cdda0f1300d9f02b1a27f72655d879783fc64b7a4b0c40fb3824156f530429be14a59624c30a591c2ca83aa0a2bd4
SSDEEP: 12288:LuD09AUkNIGBYYv4eK13x13nZHSRVMf139F5wIB7+IwtHwBtVxbesvZDSr+DY:O09AfNIEYsunZvZ19ZYs
TLSH: C6A4BF01B6D2C072D57625300D26E775DEBDBD212835897BB3DA1D57FE30180E63AAB2
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)...H...H...H....(..H....*..H....+..H...0]..H..&....H... ...H... ...H... ...H...0J..H...H...I...!...H...!&..H...!...H..Rich.H.
Icon Hash: 95694d05214c1b33
Entrypoint: 0x433b3a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x6724916B [Fri Nov 1 08:29:31 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: e77512f955eaf60ccff45e02d69234de
                                        Instruction
                                        call 00007F86B484EF43h
                                        jmp 00007F86B484E89Fh
                                        push ebp
                                        mov ebp, esp
                                        sub esp, 00000324h
                                        push ebx
                                        push 00000017h
                                        call 00007F86B4870D79h
                                        test eax, eax
                                        je 00007F86B484EA27h
                                        mov ecx, dword ptr [ebp+08h]
                                        int 29h
                                        push 00000003h
                                        call 00007F86B484EBE4h
                                        mov dword ptr [esp], 000002CCh
                                        lea eax, dword ptr [ebp-00000324h]
                                        push 00000000h
                                        push eax
                                        call 00007F86B4850EFBh
                                        add esp, 0Ch
                                        mov dword ptr [ebp-00000274h], eax
                                        mov dword ptr [ebp-00000278h], ecx
                                        mov dword ptr [ebp-0000027Ch], edx
                                        mov dword ptr [ebp-00000280h], ebx
                                        mov dword ptr [ebp-00000284h], esi
                                        mov dword ptr [ebp-00000288h], edi
                                        mov word ptr [ebp-0000025Ch], ss
                                        mov word ptr [ebp-00000268h], cs
                                        mov word ptr [ebp-0000028Ch], ds
                                        mov word ptr [ebp-00000290h], es
                                        mov word ptr [ebp-00000294h], fs
                                        mov word ptr [ebp-00000298h], gs
                                        pushfd
                                        pop dword ptr [ebp-00000264h]
                                        mov eax, dword ptr [ebp+04h]
                                        mov dword ptr [ebp-0000026Ch], eax
                                        lea eax, dword ptr [ebp+04h]
                                        mov dword ptr [ebp-00000260h], eax
                                        mov dword ptr [ebp-00000324h], 00010001h
                                        mov eax, dword ptr [eax-04h]
                                        push 00000050h
                                        mov dword ptr [ebp-00000270h], eax
                                        lea eax, dword ptr [ebp-58h]
                                        push 00000000h
                                        push eax
                                        call 00007F86B4850E71h
                                        Programming Language:
                                        • [C++] VS2008 SP1 build 30729
                                        • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6e020 | 0x104 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x76000 | 0x4b24 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7b000 | 0x3b80 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6c510 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x6c5e8 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6c548 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x57000 | 0x4f4 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x55f1d | 0x56000 | 30cda225e02a0d4dab478a6c7c094860 | False | 0.5738610555959303 | data | 6.62127843313247 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x57000 | 0x18b00 | 0x18c00 | 9800e1a5325bb58aa054e318c8bb055a | False | 0.49812578914141414 | OpenPGP Secret Key Version 6 | 5.758930104385571 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x70000 | 0x5d6c | 0xe00 | 06414e748130e7e668ba2ba172d63448 | False | 0.22684151785714285 | data | 3.093339598098017 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x76000 | 0x4b24 | 0x4c00 | 6962b356c11f686af2fa45e8c9f32889 | False | 0.2818153782894737 | data | 3.9893554329583503 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7b000 | 0x3b80 | 0x3c00 | 3a880743591ae3410d0dc26d7322ddd0 | False | 0.7569661458333333 | data | 6.695050823503309 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x7618c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3421985815602837
RT_ICON | 0x765f4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.27704918032786885
RT_ICON | 0x76f7c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.23686679174484052
RT_ICON | 0x78024 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.22977178423236513
RT_RCDATA | 0x7a5cc | 0x515 | data | | | 1.008455034588778
RT_GROUP_ICON | 0x7aae4 | 0x3e | data | English | United States | 0.8064516129032258
DLL | Import
KERNEL32.dll | ExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, LoadLibraryA, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, SetConsoleOutputCP, FormatMessageA, FindFirstFileA, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, HeapReAlloc, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, GetACP, GetModuleHandleExW, MoveFileExW, LoadLibraryExW, RaiseException, RtlUnwind, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, MultiByteToWideChar, DecodePointer, EncodePointer, TlsFree, TlsSetValue, GetFileSize, TerminateThread, GetLastError, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, CreateDirectoryW, GetLogicalDriveStringsA, DeleteFileW, FindNextFileA, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, GetProcAddress, CreateMutexA, GetCurrentProcess, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, FindNextVolumeW, TlsGetValue, TlsAlloc, SwitchToThread, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, InitializeCriticalSectionAndSpinCount, SetEndOfFile
USER32.dll | DefWindowProcA, TranslateMessage, DispatchMessageA, GetMessageA, GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, GetWindowThreadProcessId, SetForegroundWindow, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CreateWindowExA, SendInput, EnumDisplaySettingsW, mouse_event, MapVirtualKeyA, TrackPopupMenu, CreatePopupMenu, AppendMenuA, RegisterClassExA, GetCursorPos, SystemParametersInfoW, GetIconInfo, GetSystemMetrics, CloseWindow, DrawIcon
GDI32.dll | BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteDC, DeleteObject, CreateDCA, GetObjectA, SelectObject
ADVAPI32.dll | LookupPrivilegeValueA, CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, RegDeleteKeyA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW
SHELL32.dll | ShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
ole32.dll | CoInitializeEx, CoGetObject, CoUninitialize
SHLWAPI.dll | StrToIntA, PathFileExistsW, PathFileExistsA
WINMM.dll | mciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInStart, waveInUnprepareHeader, waveInOpen, waveInAddBuffer, waveInPrepareHeader, PlaySoundW
WS2_32.dll | send, WSAStartup, socket, connect, WSAGetLastError, recv, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, gethostbyname
urlmon.dll | URLOpenBlockingStreamW, URLDownloadToFileW
gdiplus.dll | GdipAlloc, GdiplusStartup, GdipGetImageEncoders, GdipLoadImageFromStream, GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipCloneImage
WININET.dll | InternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-10T01:11:54.767849+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49704 | 45.80.158.30 | 23101 | TCP
2024-12-10T01:11:57.375261+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.5 | 49705 | 178.237.33.50 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 10, 2024 01:11:53.319761038 CET | 49704 | 23101 | 192.168.2.5 | 45.80.158.30
Dec 10, 2024 01:11:53.439079046 CET | 23101 | 49704 | 45.80.158.30 | 192.168.2.5
Dec 10, 2024 01:11:53.439157009 CET | 49704 | 23101 | 192.168.2.5 | 45.80.158.30
Dec 10, 2024 01:11:53.447253942 CET | 49704 | 23101 | 192.168.2.5 | 45.80.158.30
Dec 10, 2024 01:11:53.566560030 CET | 23101 | 49704 | 45.80.158.30 | 192.168.2.5
Dec 10, 2024 01:11:54.726444006 CET | 23101 | 49704 | 45.80.158.30 | 192.168.2.5
Dec 10, 2024 01:11:54.767848969 CET | 49704 | 23101 | 192.168.2.5 | 45.80.158.30
Dec 10, 2024 01:11:54.960799932 CET | 23101 | 49704 | 45.80.158.30 | 192.168.2.5
Dec 10, 2024 01:11:54.969317913 CET | 49704 | 23101 | 192.168.2.5 | 45.80.158.30
Dec 10, 2024 01:11:55.088606119 CET | 23101 | 49704 | 45.80.158.30 | 192.168.2.5
Dec 10, 2024 01:11:55.088721991 CET | 49704 | 23101 | 192.168.2.5 | 45.80.158.30
Dec 10, 2024 01:11:55.207998991 CET | 23101 | 49704 | 45.80.158.30 | 192.168.2.5
Dec 10, 2024 01:11:55.532814980 CET | 23101 | 49704 | 45.80.158.30 | 192.168.2.5
Dec 10, 2024 01:11:55.534548044 CET | 49704 | 23101 | 192.168.2.5 | 45.80.158.30
Dec 10, 2024 01:11:55.653783083 CET | 23101 | 49704 | 45.80.158.30 | 192.168.2.5
Dec 10, 2024 01:11:55.734339952 CET | 23101 | 49704 | 45.80.158.30 | 192.168.2.5
Dec 10, 2024 01:11:55.783529997 CET | 49704 | 23101 | 192.168.2.5 | 45.80.158.30
Dec 10, 2024 01:11:56.013909101 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Dec 10, 2024 01:11:56.133392096 CET | 80 | 49705 | 178.237.33.50 | 192.168.2.5
Dec 10, 2024 01:11:56.133516073 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Dec 10, 2024 01:11:56.133752108 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Dec 10, 2024 01:11:56.252945900 CET | 80 | 49705 | 178.237.33.50 | 192.168.2.5
Dec 10, 2024 01:11:57.375067949 CET | 80 | 49705 | 178.237.33.50 | 192.168.2.5
Dec 10, 2024 01:11:57.375261068 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Dec 10, 2024 01:11:57.421956062 CET | 49704 | 23101 | 192.168.2.5 | 45.80.158.30
Dec 10, 2024 01:11:57.541389942 CET | 23101 | 49704 | 45.80.158.30 | 192.168.2.5
Dec 10, 2024 01:11:58.374258041 CET | 80 | 49705 | 178.237.33.50 | 192.168.2.5
Dec 10, 2024 01:11:58.374392986 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Dec 10, 2024 01:12:04.120790958 CET | 23101 | 49704 | 45.80.158.30 | 192.168.2.5
Dec 10, 2024 01:12:04.122361898 CET | 49704 | 23101 | 192.168.2.5 | 45.80.158.30
Dec 10, 2024 01:12:04.241806030 CET | 23101 | 49704 | 45.80.158.30 | 192.168.2.5
Dec 10, 2024 01:12:34.177609921 CET | 23101 | 49704 | 45.80.158.30 | 192.168.2.5
Dec 10, 2024 01:12:34.179605961 CET | 49704 | 23101 | 192.168.2.5 | 45.80.158.30
Dec 10, 2024 01:12:34.298938990 CET | 23101 | 49704 | 45.80.158.30 | 192.168.2.5
Dec 10, 2024 01:13:04.539633989 CET | 23101 | 49704 | 45.80.158.30 | 192.168.2.5
Dec 10, 2024 01:13:04.572047949 CET | 49704 | 23101 | 192.168.2.5 | 45.80.158.30
Dec 10, 2024 01:13:04.691458941 CET | 23101 | 49704 | 45.80.158.30 | 192.168.2.5
Dec 10, 2024 01:13:34.278652906 CET | 23101 | 49704 | 45.80.158.30 | 192.168.2.5
Dec 10, 2024 01:13:34.286706924 CET | 49704 | 23101 | 192.168.2.5 | 45.80.158.30
Dec 10, 2024 01:13:34.406003952 CET | 23101 | 49704 | 45.80.158.30 | 192.168.2.5
Dec 10, 2024 01:13:45.783840895 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Dec 10, 2024 01:13:46.208102942 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Dec 10, 2024 01:13:46.977885962 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Dec 10, 2024 01:13:48.360245943 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Dec 10, 2024 01:13:51.096314907 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Dec 10, 2024 01:13:56.408708096 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Dec 10, 2024 01:14:04.650557995 CET | 23101 | 49704 | 45.80.158.30 | 192.168.2.5
Dec 10, 2024 01:14:04.652554989 CET | 49704 | 23101 | 192.168.2.5 | 45.80.158.30
Dec 10, 2024 01:14:04.771893024 CET | 23101 | 49704 | 45.80.158.30 | 192.168.2.5
Dec 10, 2024 01:14:07.096239090 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Dec 10, 2024 01:14:34.371754885 CET | 23101 | 49704 | 45.80.158.30 | 192.168.2.5
Dec 10, 2024 01:14:34.373522043 CET | 49704 | 23101 | 192.168.2.5 | 45.80.158.30
Dec 10, 2024 01:14:34.492774963 CET | 23101 | 49704 | 45.80.158.30 | 192.168.2.5
Dec 10, 2024 01:15:04.441955090 CET | 23101 | 49704 | 45.80.158.30 | 192.168.2.5
Dec 10, 2024 01:15:04.443432093 CET | 49704 | 23101 | 192.168.2.5 | 45.80.158.30
Dec 10, 2024 01:15:04.562664032 CET | 23101 | 49704 | 45.80.158.30 | 192.168.2.5
Dec 10, 2024 01:15:34.457540989 CET | 23101 | 49704 | 45.80.158.30 | 192.168.2.5
Dec 10, 2024 01:15:34.458826065 CET | 49704 | 23101 | 192.168.2.5 | 45.80.158.30
Dec 10, 2024 01:15:34.580065012 CET | 23101 | 49704 | 45.80.158.30 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 10, 2024 01:11:52.785886049 CET | 56002 | 53 | 192.168.2.5 | 1.1.1.1
Dec 10, 2024 01:11:53.300714970 CET | 53 | 56002 | 1.1.1.1 | 192.168.2.5
Dec 10, 2024 01:11:55.794099092 CET | 55822 | 53 | 192.168.2.5 | 1.1.1.1
Dec 10, 2024 01:11:56.009937048 CET | 53 | 55822 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 10, 2024 01:11:52.785886049 CET | 192.168.2.5 | 1.1.1.1 | 0x82b | Standard query (0) | rem.pushswroller.eu | A (IP address) | IN (0x0001) | false
Dec 10, 2024 01:11:55.794099092 CET | 192.168.2.5 | 1.1.1.1 | 0x9b3c | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 10, 2024 01:11:53.300714970 CET | 1.1.1.1 | 192.168.2.5 | 0x82b | No error (0) | rem.pushswroller.eu | | 45.80.158.30 | A (IP address) | IN (0x0001) | false
Dec 10, 2024 01:11:56.009937048 CET | 1.1.1.1 | 192.168.2.5 | 0x9b3c | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                        • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49705 | 178.237.33.50 | 80 | 4276 | C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe
Timestamp | Bytes transferred | Direction | Data
Dec 10, 2024 01:11:56.133752108 CET | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Dec 10, 2024 01:11:57.375067949 CET | 1171 | IN | HTTP/1.1 200 OK
date: Tue, 10 Dec 2024 00:11:57 GMT
server: Apache
content-length: 963
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
                                        Data Ascii: { "geoplugin_request":"8.46.123.228", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7503", "geoplugin_longitude":"-74.0014", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}


                                        Target ID:0
                                        Start time:19:11:51
                                        Start date:09/12/2024
                                        Path:C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe
                                        Wow64 process (32bit):true
                                        Commandline:"C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe"
                                        Imagebase:0x400000
                                        File size:493'056 bytes
                                        MD5 hash:FD69BD4925FB7A2BB5798F2D2BE42CBC
                                        Has elevated privileges:true
                                        Has administrator privileges:true
                                        Programmed in:C, C++ or other language
                                        Yara matches:
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4449750727.000000000230F000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000000.2005439532.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000000.2005439532.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.2005439532.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000000.2005439532.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                        • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                        • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                        • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                        • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4449494395.000000000056E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                        Reputation:low
                                        Has exited:false

                                          Execution Graph

                                          Execution Coverage:4.2%
                                          Dynamic/Decrypted Code Coverage:0%
                                          Signature Coverage:22.5%
                                          Total number of Nodes:1349
                                          Total number of Limit Nodes:65
47055->47444 47056 401e13 26 API calls 47058 4095ad 47056->47058 47429 409837 47058->47429 47059 409588 47445 4028cf 47059->47445 47063 409593 47064 401e18 26 API calls 47063->47064 47065 40959d 47064->47065 47066 401e13 26 API calls 47065->47066 47066->47067 47067->47056 47623 403b40 47068->47623 47072 41a7fd 47073 4028cf 28 API calls 47072->47073 47074 41a807 47073->47074 47075 401e13 26 API calls 47074->47075 47076 41a810 47075->47076 47077 401e13 26 API calls 47076->47077 47078 40dfc3 47077->47078 47078->46819 47080 40e08b 47079->47080 47081 41248f RegQueryValueExA RegCloseKey 47079->47081 47080->46847 47080->46849 47081->47080 47083 4125b0 RegQueryValueExW RegCloseKey 47082->47083 47084 4125dd 47082->47084 47083->47084 47085 403b40 28 API calls 47084->47085 47086 40e0ba 47085->47086 47086->46860 47088 412992 RegDeleteValueW 47087->47088 47089 4129a6 47087->47089 47088->47089 47090 4129a2 47088->47090 47089->46869 47090->46869 47092 40cbc5 47091->47092 47093 41246e 3 API calls 47092->47093 47094 40cbcc 47093->47094 47095 40cbeb 47094->47095 47645 401602 47094->47645 47099 413fd4 47095->47099 47097 40cbd9 47648 4127d5 RegCreateKeyA 47097->47648 47100 413feb 47099->47100 47665 41aa73 47100->47665 47102 413ff6 47103 401d64 28 API calls 47102->47103 47104 41400f 47103->47104 47105 43a5e7 _strftime 42 API calls 47104->47105 47106 41401c 47105->47106 47107 414021 Sleep 47106->47107 47108 41402e 47106->47108 47107->47108 47109 401f66 28 API calls 47108->47109 47110 41403d 47109->47110 47111 401d64 28 API calls 47110->47111 47112 41404b 47111->47112 47113 401fbd 28 API calls 47112->47113 47114 414053 47113->47114 47115 41afc3 28 API calls 47114->47115 47116 41405b 47115->47116 47669 404262 WSAStartup 47116->47669 47118 414065 47119 401d64 28 API calls 47118->47119 47120 41406e 47119->47120 47122 401d64 28 API calls 47120->47122 47169 4140ed 47120->47169 47121 401f66 28 API calls 47121->47169 47123 414087 47122->47123 47125 401d64 28 API calls 47123->47125 47124 401fbd 
28 API calls 47124->47169 47126 414098 47125->47126 47129 401d64 28 API calls 47126->47129 47127 41afc3 28 API calls 47127->47169 47128 401d64 28 API calls 47128->47169 47130 4140a9 47129->47130 47131 401d64 28 API calls 47130->47131 47133 4140ba 47131->47133 47132 4085b4 28 API calls 47132->47169 47135 401d64 28 API calls 47133->47135 47134 401eef 26 API calls 47134->47169 47136 4140cb 47135->47136 47137 401d64 28 API calls 47136->47137 47138 4140dd 47137->47138 47802 404101 87 API calls 47138->47802 47140 41a686 79 API calls 47140->47169 47142 414244 WSAGetLastError 47803 41bc76 30 API calls 47142->47803 47148 414259 47151 401d8c 26 API calls 47148->47151 47152 401d64 28 API calls 47148->47152 47154 43a5e7 _strftime 42 API calls 47148->47154 47148->47169 47188 401f66 28 API calls 47148->47188 47189 41a686 79 API calls 47148->47189 47190 414b22 CreateThread 47148->47190 47191 401eea 26 API calls 47148->47191 47192 401e13 26 API calls 47148->47192 47804 404c9e 28 API calls 47148->47804 47806 40a767 84 API calls 47148->47806 47807 4047eb 98 API calls 47148->47807 47150 404cbf 28 API calls 47150->47169 47151->47148 47152->47148 47153 4027cb 28 API calls 47153->47169 47155 414b80 Sleep 47154->47155 47155->47148 47156 405ce6 28 API calls 47156->47169 47157 401eea 26 API calls 47157->47169 47160 4082dc 28 API calls 47160->47169 47161 440c51 26 API calls 47161->47169 47162 41265d 3 API calls 47162->47169 47163 412513 31 API calls 47163->47169 47164 403b40 28 API calls 47164->47169 47168 41ad46 28 API calls 47168->47169 47169->47121 47169->47124 47169->47127 47169->47128 47169->47132 47169->47134 47169->47140 47169->47142 47169->47148 47169->47150 47169->47153 47169->47156 47169->47157 47169->47160 47169->47161 47169->47162 47169->47163 47169->47164 47169->47168 47170 401d64 28 API calls 47169->47170 47670 413f9a 47169->47670 47675 4041f1 47169->47675 47682 404915 47169->47682 47697 40428c connect 47169->47697 47757 41a96d 47169->47757 47760 413683 47169->47760 47763 
40cbf1 47169->47763 47769 41adee 47169->47769 47772 41aec8 47169->47772 47171 4144ed GetTickCount 47170->47171 47172 41ad46 28 API calls 47171->47172 47185 414507 47172->47185 47174 41ad46 28 API calls 47174->47185 47176 41aec8 28 API calls 47176->47185 47179 405ce6 28 API calls 47179->47185 47180 40275c 28 API calls 47180->47185 47181 4027cb 28 API calls 47181->47185 47183 401eea 26 API calls 47183->47185 47184 401e13 26 API calls 47184->47185 47185->47174 47185->47176 47185->47179 47185->47180 47185->47181 47185->47183 47185->47184 47776 41aca0 GetLastInputInfo GetTickCount 47185->47776 47777 41ac52 47185->47777 47782 40e679 GetLocaleInfoA 47185->47782 47785 4027ec 28 API calls 47185->47785 47786 4045d5 47185->47786 47805 404468 60 API calls _Yarn 47185->47805 47188->47148 47189->47148 47190->47148 47964 419e89 104 API calls 47190->47964 47191->47148 47192->47148 47193->46619 47194->46629 47197 4085c0 47196->47197 47198 402e78 28 API calls 47197->47198 47199 4085e4 47198->47199 47199->46650 47201 4124e1 RegQueryValueExA RegCloseKey 47200->47201 47202 41250b 47200->47202 47201->47202 47202->46646 47203->46653 47204->46682 47205->46675 47206->46666 47207->46680 47209 40c8ba 47208->47209 47210 40c8da 47209->47210 47211 40c90f 47209->47211 47212 40c8d0 47209->47212 47965 41a74b 29 API calls 47210->47965 47215 41b15b 2 API calls 47211->47215 47214 40ca03 GetLongPathNameW 47212->47214 47217 403b40 28 API calls 47214->47217 47218 40c914 47215->47218 47216 40c8e3 47221 401e18 26 API calls 47216->47221 47222 40ca18 47217->47222 47219 40c918 47218->47219 47220 40c96a 47218->47220 47224 403b40 28 API calls 47219->47224 47223 403b40 28 API calls 47220->47223 47225 40c8ed 47221->47225 47226 403b40 28 API calls 47222->47226 47227 40c978 47223->47227 47228 40c926 47224->47228 47231 401e13 26 API calls 47225->47231 47229 40ca27 47226->47229 47234 403b40 28 API calls 47227->47234 47235 403b40 28 API calls 47228->47235 47968 40cc37 28 API calls 47229->47968 47231->47212 47232 
40ca3a 47969 402860 28 API calls 47232->47969 47237 40c98e 47234->47237 47238 40c93c 47235->47238 47236 40ca45 47970 402860 28 API calls 47236->47970 47967 402860 28 API calls 47237->47967 47966 402860 28 API calls 47238->47966 47242 40ca4f 47245 401e13 26 API calls 47242->47245 47243 40c999 47246 401e18 26 API calls 47243->47246 47244 40c947 47247 401e18 26 API calls 47244->47247 47248 40ca59 47245->47248 47249 40c9a4 47246->47249 47250 40c952 47247->47250 47251 401e13 26 API calls 47248->47251 47252 401e13 26 API calls 47249->47252 47253 401e13 26 API calls 47250->47253 47254 40ca62 47251->47254 47255 40c9ad 47252->47255 47256 40c95b 47253->47256 47257 401e13 26 API calls 47254->47257 47258 401e13 26 API calls 47255->47258 47259 401e13 26 API calls 47256->47259 47260 40ca6b 47257->47260 47258->47225 47259->47225 47261 401e13 26 API calls 47260->47261 47262 40ca74 47261->47262 47263 401e13 26 API calls 47262->47263 47264 40ca7d 47263->47264 47264->46728 47265->46741 47266->46762 47268 412683 RegQueryValueExA RegCloseKey 47267->47268 47269 4126a7 47267->47269 47268->47269 47269->46721 47270->46756 47271->46791 47272->46801 47273->46824 47274->46812 47275->46846 47277 401e0c 47276->47277 47278->46673 47281 40e183 47280->47281 47282 41a65c LoadResource LockResource SizeofResource 47280->47282 47281->46902 47282->47281 47284 401f86 28 API calls 47283->47284 47285 406066 47284->47285 47285->46913 47296 403c30 47286->47296 47290 41bfae 47289->47290 47291 41bfcb 47290->47291 47293 41bfd2 47290->47293 47331 41bfe3 28 API calls 47291->47331 47312 41c552 47293->47312 47294 41bfd0 47294->46934 47297 403c39 47296->47297 47300 403c59 47297->47300 47301 403c68 47300->47301 47306 4032a4 47301->47306 47303 403c74 47304 402325 28 API calls 47303->47304 47305 403b73 47304->47305 47305->46934 47307 4032b0 47306->47307 47308 4032ad 47306->47308 47311 4032b6 28 API calls 47307->47311 47308->47303 47313 41c55c __EH_prolog 47312->47313 47314 41c673 47313->47314 47315 41c595 47313->47315 
47338 402649 28 API calls std::_Xinvalid_argument 47314->47338 47332 4026a7 28 API calls 47315->47332 47319 41c5a9 47333 41c536 28 API calls 47319->47333 47321 41c5dc 47322 41c603 47321->47322 47323 41c5f7 47321->47323 47335 41c7cf 26 API calls 47322->47335 47334 41c7b2 26 API calls 47323->47334 47326 41c601 47337 41c75a 26 API calls 47326->47337 47327 41c60f 47336 41c7cf 26 API calls 47327->47336 47330 41c63e 47330->47294 47331->47294 47332->47319 47333->47321 47334->47326 47335->47327 47336->47326 47337->47330 47339->46938 47343 402e85 47341->47343 47342 402ea9 47342->46947 47343->47342 47344 402e98 47343->47344 47345 402eae 47343->47345 47348 403445 28 API calls 47344->47348 47345->47342 47349 40225b 26 API calls 47345->47349 47348->47342 47349->47342 47351 404bd0 47350->47351 47354 40245c 47351->47354 47353 404be4 47353->46950 47355 402469 47354->47355 47357 402478 47355->47357 47358 402ad3 28 API calls 47355->47358 47357->47353 47358->47357 47359->46954 47361 401e94 47360->47361 47363 41b183 47362->47363 47364 41b168 GetCurrentProcess IsWow64Process 47362->47364 47363->46964 47364->47363 47365 41b17f 47364->47365 47365->46964 47367 412541 RegQueryValueExA RegCloseKey 47366->47367 47368 412569 47366->47368 47367->47368 47369 401f66 28 API calls 47368->47369 47370 41257e 47369->47370 47370->46967 47371->46978 47373 40b02f 47372->47373 47376 40b04b 47373->47376 47375 40b045 47375->46986 47377 40b055 47376->47377 47379 40b060 47377->47379 47380 40b138 28 API calls 47377->47380 47379->47375 47380->47379 47381->46990 47382->46992 47384 40230d 47383->47384 47385 402325 28 API calls 47384->47385 47386 401f80 47385->47386 47386->46734 47405 43a545 47387->47405 47389 43998b 47414 4392de 38 API calls 2 library calls 47389->47414 47391 439950 47391->47389 47392 439965 47391->47392 47404 40dd54 47391->47404 47412 445354 20 API calls _free 47392->47412 47394 43996a 47413 43a827 26 API calls _Deallocate 47394->47413 47397 439997 47398 4399c6 47397->47398 47415 43a58a 42 API 
calls __Toupper 47397->47415 47402 439a32 47398->47402 47416 43a4f1 26 API calls 2 library calls 47398->47416 47400 439af9 _strftime 47400->47404 47418 445354 20 API calls _free 47400->47418 47417 43a4f1 26 API calls 2 library calls 47402->47417 47404->46748 47404->46750 47406 43a54a 47405->47406 47407 43a55d 47405->47407 47419 445354 20 API calls _free 47406->47419 47407->47391 47409 43a54f 47420 43a827 26 API calls _Deallocate 47409->47420 47411 43a55a 47411->47391 47412->47394 47413->47404 47414->47397 47415->47397 47416->47402 47417->47400 47418->47404 47419->47409 47420->47411 47425 401e9b 47421->47425 47423 4027d9 47423->47031 47424->47035 47426 401ea7 47425->47426 47427 40245c 28 API calls 47426->47427 47428 401eb9 47427->47428 47428->47423 47430 409855 47429->47430 47431 4124b7 3 API calls 47430->47431 47432 40985c 47431->47432 47433 409870 47432->47433 47434 40988a 47432->47434 47436 4095cf 47433->47436 47437 409875 47433->47437 47448 4082dc 47434->47448 47436->46785 47439 4082dc 28 API calls 47437->47439 47440 409883 47439->47440 47474 409959 29 API calls 47440->47474 47443 409888 47443->47436 47444->47059 47614 402d8b 47445->47614 47447 4028dd 47447->47063 47449 4082eb 47448->47449 47475 408431 47449->47475 47451 408309 47452 4098a5 47451->47452 47480 40affa 47452->47480 47455 4098f6 47457 401f66 28 API calls 47455->47457 47456 4098ce 47458 401f66 28 API calls 47456->47458 47459 409901 47457->47459 47460 4098d8 47458->47460 47461 401f66 28 API calls 47459->47461 47462 41ae08 28 API calls 47460->47462 47463 409910 47461->47463 47464 4098e6 47462->47464 47466 41a686 79 API calls 47463->47466 47484 40a876 31 API calls ___std_exception_copy 47464->47484 47468 409915 CreateThread 47466->47468 47467 4098ed 47469 401eea 26 API calls 47467->47469 47470 409930 CreateThread 47468->47470 47471 40993c CreateThread 47468->47471 47496 4099a9 47468->47496 47469->47455 47470->47471 47493 409993 47470->47493 47472 401e13 26 API calls 47471->47472 47490 4099b5 
47471->47490 47473 409950 47472->47473 47473->47436 47474->47443 47613 40999f 136 API calls 47474->47613 47477 40843d 47475->47477 47476 40845b 47476->47451 47477->47476 47479 402f0d 28 API calls 47477->47479 47479->47476 47482 40b006 47480->47482 47481 4098c3 47481->47455 47481->47456 47482->47481 47485 403b9e 47482->47485 47484->47467 47486 403ba8 47485->47486 47488 403bb3 47486->47488 47489 403cfd 28 API calls 47486->47489 47488->47481 47489->47488 47499 40a3f4 47490->47499 47548 4099e4 47493->47548 47569 409e48 47496->47569 47527 40a402 47499->47527 47500 4099be 47501 40a45c Sleep GetForegroundWindow GetWindowTextLengthW 47502 40b027 28 API calls 47501->47502 47502->47527 47506 40a4a2 GetWindowTextW 47506->47527 47508 40affa 28 API calls 47508->47527 47509 40a5ff 47511 401e13 26 API calls 47509->47511 47510 41aca0 GetLastInputInfo GetTickCount 47510->47527 47511->47500 47512 40a569 Sleep 47512->47527 47515 401f66 28 API calls 47515->47527 47516 40a4f1 47518 4082dc 28 API calls 47516->47518 47516->47527 47532 40a876 31 API calls ___std_exception_copy 47516->47532 47518->47516 47520 405ce6 28 API calls 47520->47527 47522 4028cf 28 API calls 47522->47527 47523 41ae08 28 API calls 47523->47527 47524 401e13 26 API calls 47524->47527 47525 409d58 27 API calls 47525->47527 47526 401eea 26 API calls 47526->47527 47527->47500 47527->47501 47527->47506 47527->47508 47527->47509 47527->47510 47527->47512 47527->47515 47527->47516 47527->47520 47527->47522 47527->47523 47527->47524 47527->47525 47527->47526 47528 433519 5 API calls __Init_thread_wait 47527->47528 47529 4338a5 29 API calls __onexit 47527->47529 47530 4334cf EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 47527->47530 47531 4082a8 28 API calls 47527->47531 47533 40b0dd 28 API calls 47527->47533 47534 40ae58 44 API calls 2 library calls 47527->47534 47535 440c51 47527->47535 47539 404c9e 28 API calls 47527->47539 47528->47527 47529->47527 47530->47527 47531->47527 47532->47516 47533->47527 
47534->47527 47536 440c5d 47535->47536 47540 440a4d 47536->47540 47539->47527 47541 440a64 47540->47541 47545 440aa5 47541->47545 47546 445354 20 API calls _free 47541->47546 47543 440a9b 47547 43a827 26 API calls _Deallocate 47543->47547 47545->47527 47546->47543 47547->47545 47549 409a63 GetMessageA 47548->47549 47550 4099ff GetModuleHandleA SetWindowsHookExA 47548->47550 47551 409a75 TranslateMessage DispatchMessageA 47549->47551 47562 40999c 47549->47562 47550->47549 47552 409a1b GetLastError 47550->47552 47551->47549 47551->47562 47563 41ad46 47552->47563 47556 409a3e 47557 401f66 28 API calls 47556->47557 47558 409a4d 47557->47558 47559 41a686 79 API calls 47558->47559 47560 409a52 47559->47560 47561 401eea 26 API calls 47560->47561 47561->47562 47564 440c51 26 API calls 47563->47564 47565 41ad67 47564->47565 47566 401f66 28 API calls 47565->47566 47567 409a31 47566->47567 47568 404c9e 28 API calls 47567->47568 47568->47556 47570 409e5d Sleep 47569->47570 47589 409d97 47570->47589 47572 4099b2 47573 409e9d CreateDirectoryW 47578 409e6f 47573->47578 47574 409eae GetFileAttributesW 47574->47578 47575 401d64 28 API calls 47575->47578 47576 409ec5 SetFileAttributesW 47576->47578 47578->47570 47578->47572 47578->47573 47578->47574 47578->47575 47578->47576 47587 409f10 47578->47587 47601 41b58f 47578->47601 47579 409f3f PathFileExistsW 47579->47587 47581 401f86 28 API calls 47581->47587 47582 40a048 SetFileAttributesW 47582->47578 47583 401eea 26 API calls 47583->47587 47584 406052 28 API calls 47584->47587 47585 401eef 26 API calls 47585->47587 47587->47579 47587->47581 47587->47582 47587->47583 47587->47584 47587->47585 47588 401eea 26 API calls 47587->47588 47610 41b61a 32 API calls 47587->47610 47611 41b687 CreateFileW SetFilePointer WriteFile CloseHandle 47587->47611 47588->47578 47590 409e44 47589->47590 47592 409dad 47589->47592 47590->47578 47591 409dcc CreateFileW 47591->47592 47593 409dda GetFileSize 47591->47593 47592->47591 47594 409e0f CloseHandle 
47592->47594 47595 409e21 47592->47595 47596 409e04 Sleep 47592->47596 47612 40a7f0 83 API calls 47592->47612 47593->47592 47593->47594 47594->47592 47595->47590 47598 4082dc 28 API calls 47595->47598 47596->47594 47599 409e3d 47598->47599 47600 4098a5 127 API calls 47599->47600 47600->47590 47602 41b5a2 CreateFileW 47601->47602 47604 41b5db 47602->47604 47605 41b5df 47602->47605 47604->47578 47606 41b5f6 WriteFile 47605->47606 47607 41b5e6 SetFilePointer 47605->47607 47608 41b60b CloseHandle 47606->47608 47609 41b609 47606->47609 47607->47606 47607->47608 47608->47604 47609->47608 47610->47587 47611->47587 47612->47596 47615 402d97 47614->47615 47618 4030f7 47615->47618 47617 402dab 47617->47447 47619 403101 47618->47619 47621 403115 47619->47621 47622 4036c2 28 API calls 47619->47622 47621->47617 47622->47621 47624 403b48 47623->47624 47630 403b7a 47624->47630 47627 403cbb 47634 403dc2 47627->47634 47629 403cc9 47629->47072 47631 403b86 47630->47631 47632 403b9e 28 API calls 47631->47632 47633 403b5a 47632->47633 47633->47627 47635 403dce 47634->47635 47638 402ffd 47635->47638 47637 403de3 47637->47629 47639 40300e 47638->47639 47640 4032a4 28 API calls 47639->47640 47641 40301a 47640->47641 47643 40302e 47641->47643 47644 4035e8 28 API calls 47641->47644 47643->47637 47644->47643 47651 4395ba 47645->47651 47649 412814 47648->47649 47650 4127ed RegSetValueExA RegCloseKey 47648->47650 47649->47095 47650->47649 47654 43953b 47651->47654 47653 401608 47653->47097 47655 43954a 47654->47655 47656 43955e 47654->47656 47662 445354 20 API calls _free 47655->47662 47660 43955a __alldvrm 47656->47660 47664 447601 11 API calls 2 library calls 47656->47664 47658 43954f 47663 43a827 26 API calls _Deallocate 47658->47663 47660->47653 47662->47658 47663->47660 47664->47660 47668 41aab9 _Yarn ___scrt_fastfail 47665->47668 47666 401f66 28 API calls 47667 41ab2e 47666->47667 47667->47102 47668->47666 47669->47118 47671 413fb3 getaddrinfo WSASetLastError 47670->47671 47672 413fa9 
47670->47672 47671->47169 47808 413e37 35 API calls ___std_exception_copy 47672->47808 47674 413fae 47674->47671 47676 404206 socket 47675->47676 47677 4041fd 47675->47677 47679 404220 47676->47679 47680 404224 CreateEventW 47676->47680 47809 404262 WSAStartup 47677->47809 47679->47169 47680->47169 47681 404202 47681->47676 47681->47679 47683 4049b1 47682->47683 47684 40492a 47682->47684 47683->47169 47685 404933 47684->47685 47686 404987 CreateEventA CreateThread 47684->47686 47687 404942 GetLocalTime 47684->47687 47685->47686 47686->47683 47811 404b1d 47686->47811 47688 41ad46 28 API calls 47687->47688 47689 40495b 47688->47689 47810 404c9e 28 API calls 47689->47810 47691 404968 47692 401f66 28 API calls 47691->47692 47693 404977 47692->47693 47694 41a686 79 API calls 47693->47694 47695 40497c 47694->47695 47696 401eea 26 API calls 47695->47696 47696->47686 47698 4043e1 47697->47698 47699 4042b3 47697->47699 47700 404343 47698->47700 47701 4043e7 WSAGetLastError 47698->47701 47699->47700 47703 404cbf 28 API calls 47699->47703 47723 4042e8 47699->47723 47700->47169 47701->47700 47702 4043f7 47701->47702 47704 4042f7 47702->47704 47705 4043fc 47702->47705 47707 4042d4 47703->47707 47710 401f66 28 API calls 47704->47710 47820 41bc76 30 API calls 47705->47820 47711 401f66 28 API calls 47707->47711 47709 4042f0 47709->47704 47713 404306 47709->47713 47714 404448 47710->47714 47715 4042e3 47711->47715 47712 40440b 47821 404c9e 28 API calls 47712->47821 47720 404315 47713->47720 47721 40434c 47713->47721 47717 401f66 28 API calls 47714->47717 47718 41a686 79 API calls 47715->47718 47722 404457 47717->47722 47718->47723 47719 404418 47724 401f66 28 API calls 47719->47724 47725 401f66 28 API calls 47720->47725 47817 420f34 56 API calls 47721->47817 47726 41a686 79 API calls 47722->47726 47815 420151 27 API calls 47723->47815 47728 404427 47724->47728 47729 404324 47725->47729 47726->47700 47731 41a686 79 API calls 47728->47731 47735 401f66 28 API calls 47729->47735 47730 
404354 47732 404389 47730->47732 47733 404359 47730->47733 47734 40442c 47731->47734 47819 4202ea 28 API calls 47732->47819 47736 401f66 28 API calls 47733->47736 47737 401eea 26 API calls 47734->47737 47738 404333 47735->47738 47740 404368 47736->47740 47737->47700 47741 41a686 79 API calls 47738->47741 47743 401f66 28 API calls 47740->47743 47744 404338 47741->47744 47742 404391 47745 4043be CreateEventW CreateEventW 47742->47745 47747 401f66 28 API calls 47742->47747 47746 404377 47743->47746 47816 41dc15 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 47744->47816 47745->47700 47748 41a686 79 API calls 47746->47748 47750 4043a7 47747->47750 47751 40437c 47748->47751 47752 401f66 28 API calls 47750->47752 47818 420592 54 API calls 47751->47818 47753 4043b6 47752->47753 47755 41a686 79 API calls 47753->47755 47756 4043bb 47755->47756 47756->47745 47822 41a945 GlobalMemoryStatusEx 47757->47822 47759 41a982 47759->47169 47823 413646 47760->47823 47764 40cc0d 47763->47764 47765 41246e 3 API calls 47764->47765 47766 40cc14 47765->47766 47767 4124b7 3 API calls 47766->47767 47768 40cc2c 47766->47768 47767->47768 47768->47169 47770 401f86 28 API calls 47769->47770 47771 41ae03 47770->47771 47771->47169 47773 41aed5 47772->47773 47774 401f86 28 API calls 47773->47774 47775 41aee7 47774->47775 47775->47169 47776->47185 47778 436050 ___scrt_fastfail 47777->47778 47779 41ac71 GetForegroundWindow GetWindowTextW 47778->47779 47780 403b40 28 API calls 47779->47780 47781 41ac9b 47780->47781 47781->47185 47783 401f66 28 API calls 47782->47783 47784 40e69e 47783->47784 47784->47185 47785->47185 47794 4045ec 47786->47794 47787 43a88c ___std_exception_copy 21 API calls 47787->47794 47789 40465b 47791 404666 47789->47791 47789->47794 47790 401f86 28 API calls 47790->47794 47876 4047eb 98 API calls 47791->47876 47792 401eef 26 API calls 47792->47794 47794->47787 47794->47789 47794->47790 47794->47792 47796 401eea 26 API calls 47794->47796 47864 404688 47794->47864 
47875 40455b 59 API calls 47794->47875 47795 40466d 47797 401eea 26 API calls 47795->47797 47796->47794 47798 404676 47797->47798 47799 401eea 26 API calls 47798->47799 47800 40467f 47799->47800 47800->47148 47802->47169 47803->47148 47804->47148 47805->47185 47806->47148 47807->47148 47808->47674 47809->47681 47810->47691 47814 404b29 101 API calls 47811->47814 47813 404b26 47814->47813 47815->47709 47816->47700 47817->47730 47818->47744 47819->47742 47820->47712 47821->47719 47822->47759 47826 413619 47823->47826 47827 41362e ___scrt_initialize_default_local_stdio_options 47826->47827 47830 43e2dd 47827->47830 47833 43b030 47830->47833 47834 43b070 47833->47834 47835 43b058 47833->47835 47834->47835 47837 43b078 47834->47837 47857 445354 20 API calls _free 47835->47857 47859 4392de 38 API calls 2 library calls 47837->47859 47838 43b05d 47858 43a827 26 API calls _Deallocate 47838->47858 47841 43b088 47860 43b7b6 20 API calls 2 library calls 47841->47860 47844 41363c 47844->47169 47845 43b100 47861 43be24 50 API calls 3 library calls 47845->47861 47847 43b10b 47862 43b820 20 API calls _free 47847->47862 47849 43b068 47850 433d2c 47849->47850 47851 433d37 IsProcessorFeaturePresent 47850->47851 47852 433d35 47850->47852 47854 4341a4 47851->47854 47852->47844 47863 434168 SetUnhandledExceptionFilter UnhandledExceptionFilter GetCurrentProcess TerminateProcess 47854->47863 47856 434287 47856->47844 47857->47838 47858->47849 47859->47841 47860->47845 47861->47847 47862->47849 47863->47856 47869 4046a3 47864->47869 47865 4047d8 47866 401eea 26 API calls 47865->47866 47867 4047e1 47866->47867 47867->47789 47868 403b60 28 API calls 47868->47869 47869->47865 47869->47868 47870 401eef 26 API calls 47869->47870 47871 401fbd 28 API calls 47869->47871 47872 401ebd 28 API calls 47869->47872 47874 401eea 26 API calls 47869->47874 47870->47869 47871->47869 47873 404772 CreateEventA CreateThread WaitForSingleObject CloseHandle 47872->47873 47873->47869 47877 414b9b 47873->47877 
47874->47869 47875->47794 47876->47795 47878 401fbd 28 API calls 47877->47878 47879 414bbd SetEvent 47878->47879 47880 414bd2 47879->47880 47881 403b60 28 API calls 47880->47881 47882 414bec 47881->47882 47883 401fbd 28 API calls 47882->47883 47884 414bfc 47883->47884 47885 401fbd 28 API calls 47884->47885 47886 414c0e 47885->47886 47887 41afc3 28 API calls 47886->47887 47888 414c17 47887->47888 47889 4161f2 47888->47889 47891 414de3 47888->47891 47892 414c37 GetTickCount 47888->47892 47890 401d8c 26 API calls 47889->47890 47894 4161fb 47890->47894 47891->47889 47951 414d99 47891->47951 47893 41ad46 28 API calls 47892->47893 47895 414c4d 47893->47895 47896 401eea 26 API calls 47894->47896 47956 41aca0 GetLastInputInfo GetTickCount 47895->47956 47899 416207 47896->47899 47902 401eea 26 API calls 47899->47902 47900 414d7d 47900->47889 47901 414c54 47903 41ad46 28 API calls 47901->47903 47904 416213 47902->47904 47905 414c5f 47903->47905 47906 41ac52 30 API calls 47905->47906 47907 414c6d 47906->47907 47908 41aec8 28 API calls 47907->47908 47909 414c7b 47908->47909 47910 401d64 28 API calls 47909->47910 47911 414c89 47910->47911 47957 4027ec 28 API calls 47911->47957 47913 414c97 47958 40275c 28 API calls 47913->47958 47915 414ca6 47916 4027cb 28 API calls 47915->47916 47917 414cb5 47916->47917 47959 40275c 28 API calls 47917->47959 47919 414cc4 47920 4027cb 28 API calls 47919->47920 47921 414cd0 47920->47921 47960 40275c 28 API calls 47921->47960 47923 414cda 47961 404468 60 API calls _Yarn 47923->47961 47925 414ce9 47926 401eea 26 API calls 47925->47926 47927 414cf2 47926->47927 47928 401eea 26 API calls 47927->47928 47929 414cfe 47928->47929 47930 401eea 26 API calls 47929->47930 47931 414d0a 47930->47931 47932 401eea 26 API calls 47931->47932 47933 414d16 47932->47933 47934 401eea 26 API calls 47933->47934 47935 414d22 47934->47935 47936 401eea 26 API calls 47935->47936 47937 414d2e 47936->47937 47938 401e13 26 API calls 47937->47938 47939 414d3a 47938->47939 
47940 401eea 26 API calls 47939->47940 47941 414d43 47940->47941 47942 401eea 26 API calls 47941->47942 47943 414d4c 47942->47943 47944 401d64 28 API calls 47943->47944 47945 414d57 47944->47945 47946 43a5e7 _strftime 42 API calls 47945->47946 47947 414d64 47946->47947 47948 414d69 47947->47948 47949 414d8f 47947->47949 47952 414d82 47948->47952 47953 414d77 47948->47953 47950 401d64 28 API calls 47949->47950 47950->47951 47951->47889 47963 404ab1 83 API calls 47951->47963 47955 404915 104 API calls 47952->47955 47962 4049ba 81 API calls 47953->47962 47955->47900 47956->47901 47957->47913 47958->47915 47959->47919 47960->47923 47961->47925 47962->47900 47963->47900 47965->47216 47966->47244 47967->47243 47968->47232 47969->47236 47970->47242 47973 40e56a 47971->47973 47972 4124b7 3 API calls 47972->47973 47973->47972 47974 40e60e 47973->47974 47976 40e5fe Sleep 47973->47976 47981 40e59c 47973->47981 47977 4082dc 28 API calls 47974->47977 47975 4082dc 28 API calls 47975->47981 47976->47973 47980 40e619 47977->47980 47979 41ae08 28 API calls 47979->47981 47982 41ae08 28 API calls 47980->47982 47981->47975 47981->47976 47981->47979 47986 401e13 26 API calls 47981->47986 47989 401f66 28 API calls 47981->47989 47993 4126d2 29 API calls 47981->47993 48004 40bf04 73 API calls ___scrt_fastfail 47981->48004 48005 412774 29 API calls 47981->48005 47984 40e625 47982->47984 48006 412774 29 API calls 47984->48006 47986->47981 47987 40e638 47988 401e13 26 API calls 47987->47988 47990 40e644 47988->47990 47989->47981 47991 401f66 28 API calls 47990->47991 47992 40e655 47991->47992 47994 4126d2 29 API calls 47992->47994 47993->47981 47995 40e668 47994->47995 48007 411699 TerminateProcess WaitForSingleObject 47995->48007 47997 40e670 ExitProcess 48008 411637 61 API calls 47998->48008 48005->47981 48006->47987 48007->47997

Control-flow Graph

APIs
• LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
• GetProcAddress.KERNEL32(00000000), ref: 0041BD01
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
• GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
• LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
• GetProcAddress.KERNEL32(00000000), ref: 0041BD30
• LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
• GetProcAddress.KERNEL32(00000000), ref: 0041BD44
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
• GetProcAddress.KERNEL32(00000000), ref: 0041BD58
• LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
• GetProcAddress.KERNEL32(00000000), ref: 0041BD68
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
• GetProcAddress.KERNEL32(00000000), ref: 0041BD78
• GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
• GetProcAddress.KERNEL32(00000000), ref: 0041BD88
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
• GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
• GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                          • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                          • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                          • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                          • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                          • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BE09
                                          • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE16
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BE19
                                          • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE2B
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BE2E
                                          • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE3B
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
                                          • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE50
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BE53
                                          • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE60
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041BE63
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressProc$HandleLibraryLoadModule
                                          • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                          • API String ID: 384173800-625181639
                                          • Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                          • Instruction ID: 894fbade80705e672e772900be83df88f70523cf1842e1027a1ce5ee2e2841b6
                                          • Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                          • Instruction Fuzzy Hash: 2831EDA0E4031C7ADA107FB69C49E5B7E9CD944B953110827B508D3162FBBDA9809EEE

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BCF8
                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD01
                                            • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD18
                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD1B
                                            • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD2D
                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD30
                                            • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD41
                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD44
                                            • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD55
                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD58
                                            • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD65
                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                            • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD75
                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                            • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD85
                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                            • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BD99
                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BD9C
                                            • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDA9
                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                            • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDBD
                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDC0
                                            • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDD1
                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD4
                                            • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDE5
                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE8
                                            • Part of subcall function 0041BCE3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BDF5
                                            • Part of subcall function 0041BCE3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                            • Part of subcall function 0041BCE3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE06
                                          • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe,00000104), ref: 0040D790
                                            • Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                          • String ID: W$ W$0DG$@CG$@CG$Access Level: $Administrator$C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe$Exe$Exe$Inj$Remcos Agent initialized$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt$BG$BG$BG$BG$BG
                                          • API String ID: 2830904901-1684765304
                                          • Opcode ID: b1b9e19097ea38f7e43a77e5c6405951ca2b038e9443d122a172dcadd11023ab
                                          • Instruction ID: 4071723a11783d2da8da933f82134b9c6f3815e49c8d87d463163304bf45e319
                                          • Opcode Fuzzy Hash: b1b9e19097ea38f7e43a77e5c6405951ca2b038e9443d122a172dcadd11023ab
                                          • Instruction Fuzzy Hash: 4032A360B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                            • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?, W), ref: 004124F5
                                            • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
                                          • Sleep.KERNEL32(00000BB8), ref: 0040E603
                                          • ExitProcess.KERNEL32 ref: 0040E672
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID: CloseExitOpenProcessQuerySleepValue
                                          • String ID: W$5.3.0 Pro$override$pth_unenc$BG
                                          • API String ID: 2281282204-275362541
                                          • Opcode ID: f180ab47f223277a7e4a5a7b30372dd52af8f2688aadcd4541f101f1d00d282c
                                          • Instruction ID: 346becae97c590b24629de205d3f766cc2ad037e5fc603921d36f10068cff0f4
                                          • Opcode Fuzzy Hash: f180ab47f223277a7e4a5a7b30372dd52af8f2688aadcd4541f101f1d00d282c
                                          • Instruction Fuzzy Hash: 6B21A131B0030027C608767A891BA6F359A9B91719F90443EF805A76D7EE7D8A6083DF

                                          Control-flow Graph

                                          APIs
                                          • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
                                          • SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
                                          • GetLastError.KERNEL32 ref: 00409A1B
                                            • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
                                          • TranslateMessage.USER32(?), ref: 00409A7A
                                          • DispatchMessageA.USER32(?), ref: 00409A85
                                          Strings
                                          • Keylogger initialization failure: error , xrefs: 00409A32
                                          Yara matches
                                          Similarity
                                          • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                          • String ID: Keylogger initialization failure: error
                                          • API String ID: 3219506041-952744263
                                          • Opcode ID: b25c238cc25c38f6a39b157eec7e909f885e780430bb9e72e24c2f6a8841eb99
                                          • Instruction ID: 76b292cdb4e6355f9a4176d1f10d626d2d11be3de55f9aee7ae49bf60faff0c2
                                          • Opcode Fuzzy Hash: b25c238cc25c38f6a39b157eec7e909f885e780430bb9e72e24c2f6a8841eb99
                                          • Instruction Fuzzy Hash: 201194716043015BC710AB7AAC4996B77ECAB94B15B10057FFC45D2291FB34DE01CBAB

                                          Control-flow Graph

                                          APIs
                                          • GetLocalTime.KERNEL32(00000001,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404946
                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404994
                                          • CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7
                                          Strings
                                          • KeepAlive | Enabled | Timeout: , xrefs: 0040495C
                                          Yara matches
                                          Similarity
                                          • API ID: Create$EventLocalThreadTime
                                          • String ID: KeepAlive | Enabled | Timeout:
                                          • API String ID: 2532271599-1507639952
                                          • Opcode ID: 35453c4289c9b9740e7d5fc02d345a9090b78ad88d17a20c74762e0b12e92854
                                          • Instruction ID: c7daaf492e0cec12b0841424890a61be8e5b61f5a3177df3d8f4b9063cedc03f
                                          • Opcode Fuzzy Hash: 35453c4289c9b9740e7d5fc02d345a9090b78ad88d17a20c74762e0b12e92854
                                          • Instruction Fuzzy Hash: 38113AB19042547AC710A7BA8C49BCB7F9C9F86364F00407BF40462192C7789845CBFA
                                          APIs
                                          • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326C2,00000024,?,?,?), ref: 0043294C
                                          • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBBE,?), ref: 00432962
                                          • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBBE,?), ref: 00432974
                                          Yara matches
                                          Similarity
                                          • API ID: Crypt$Context$AcquireRandomRelease
                                          • String ID:
                                          • API String ID: 1815803762-0
                                          • Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                          • Instruction ID: 80435fde6f6b62f03973a002229794bf261f16e8857de4c024377aa862d1bdf3
                                          • Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                          • Instruction Fuzzy Hash: 11E06D31308211BBEB310E25BC08F573F94AF89B71F71053AB211E40E4C2A188419A1C
                                          APIs
                                          • GetComputerNameExW.KERNEL32(00000001,?,0000002B,00474358), ref: 0041A7BF
                                          • GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7D7
                                          Yara matches
                                          Similarity
                                          • API ID: Name$ComputerUser
                                          • String ID:
                                          • API String ID: 4229901323-0
                                          • Opcode ID: d080141cef9e3990b2f6bec53120ee530cdf67b1126702e4f13589ad74e7334c
                                          • Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
                                          • Opcode Fuzzy Hash: d080141cef9e3990b2f6bec53120ee530cdf67b1126702e4f13589ad74e7334c
                                          • Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98
                                          APIs
                                          • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,8W,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: InfoLocale
                                          • String ID:
                                          • API String ID: 2299586839-0
                                          • Opcode ID: 2f0bd58ff2c46692be8fd04023cab22914861fe3b087e1ba55e03f3e1b92ba33
                                          • Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
                                          • Opcode Fuzzy Hash: 2f0bd58ff2c46692be8fd04023cab22914861fe3b087e1ba55e03f3e1b92ba33
                                          • Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: recv
                                          • String ID:
                                          • API String ID: 1507349165-0
                                          • Opcode ID: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                          • Instruction ID: fbcf0fb35859d26dd0bec2a34c6193cd90ff2e5205aa97c5c9b80f8ed11fde70
                                          • Opcode Fuzzy Hash: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                          • Instruction Fuzzy Hash: 35B09279118202FFCA051B60DC0887ABEBAABCC381F108D2DB586501B0CA37C451AB26

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          • Control-flow graph of the function starting at 413fd4 (rendered graph; node and edge data not shown in text form)
                                          APIs
                                          • Sleep.KERNEL32(00000000,00000029, W,?,00000000), ref: 00414028
                                          • WSAGetLastError.WS2_32 ref: 00414249
                                          • Sleep.KERNEL32(00000000,00000002), ref: 00414B88
                                            • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Sleep$ErrorLastLocalTime
                                          • String ID: | $ W$ W$%I64u$5.3.0 Pro$8W$@CG$C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$TLS Off$TLS On $TUF$XCG$XCG$XCG$XdW$`=G$dCG$hlight$name$>G$>G$BG
                                          • API String ID: 524882891-3405685899
                                          • Opcode ID: fca68079dd900bc6d99faabe8a22bf21da005c8c3fab8802bfc78db5b39eee7d
                                          • Instruction ID: a0bb0b13232d9f5991351636829aab2dda2428bc81dc0b9639db3628de0ead2f
                                          • Opcode Fuzzy Hash: fca68079dd900bc6d99faabe8a22bf21da005c8c3fab8802bfc78db5b39eee7d
                                          • Instruction Fuzzy Hash: 58524E31A001145ADB18F771DDA6AEE73A59F90708F1041BFB80A771E2EF385E85CA9D

                                          Control-flow Graph

                                          APIs
                                          • Sleep.KERNEL32(00001388), ref: 00409E62
                                            • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                            • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                            • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                            • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                          • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
                                          • GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
                                          • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
                                          • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
                                            • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                          • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A049
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                          • String ID: @CG$@CG$XCG$XCG$xAG$xAG
                                          • API String ID: 3795512280-3163867910
                                          • Opcode ID: 478d1cbae2b352f7a85ddd3b94cb29f0f84926477ce6454f32d463d399d219e0
                                          • Instruction ID: b7dfc09a395f5416f32c5fe597dbb364f69b6ed32616efff49b152d1c9b912f4
                                          • Opcode Fuzzy Hash: 478d1cbae2b352f7a85ddd3b94cb29f0f84926477ce6454f32d463d399d219e0
                                          • Instruction Fuzzy Hash: 30518D716043005ACB05BB72D866ABF769AAFD1309F00053FF886B71E2DF3D9D44869A

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          • Control-flow graph of the function starting at 40428c (rendered graph; node and edge data not shown in text form)
                                          APIs
                                          • connect.WS2_32(?,?,?), ref: 004042A5
                                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
                                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
                                          • WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
                                            • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                          • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                          • API String ID: 994465650-2151626615
                                          • Opcode ID: da33fcb12fc8fa225914991ff724b524bff1c68ebbc9632bded2e3fb966eaf16
                                          • Instruction ID: b196b808fbc66b1ac8da6b4b51d7f626a0d3d22bc4cde50e21f83cd2c7739b74
                                          • Opcode Fuzzy Hash: da33fcb12fc8fa225914991ff724b524bff1c68ebbc9632bded2e3fb966eaf16
                                          • Instruction Fuzzy Hash: ED4128B1B00202A7CB04B77A8C5B66D7A55AB81368B40007FF901676D3EE7DAD6087DF

                                          Control-flow Graph

                                          APIs
                                          • __Init_thread_footer.LIBCMT ref: 0040A456
                                          • Sleep.KERNEL32(000001F4), ref: 0040A461
                                          • GetForegroundWindow.USER32 ref: 0040A467
                                          • GetWindowTextLengthW.USER32(00000000), ref: 0040A470
                                          • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
                                          • Sleep.KERNEL32(000003E8), ref: 0040A574
                                            • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                          • String ID: [${ User has been idle for $ minutes }$]
                                          • API String ID: 911427763-3954389425
                                          • Opcode ID: 547a7cfd8ecb315c382de053530a614a00025319d5b4f46ac54375dc0518001e
                                          • Instruction ID: 0ecdfa35f4bf358d0b6072dbfc0ad8fc4f94b2a12b5a089c7f39fa9b67fb4d59
                                          • Opcode Fuzzy Hash: 547a7cfd8ecb315c382de053530a614a00025319d5b4f46ac54375dc0518001e
                                          • Instruction Fuzzy Hash: C451DF316083005BC614FB21D84AAAE7794BF84318F50493FF846A62E2EF7C9E55C69F

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          • Control-flow graph of the function starting at 40c89e (rendered graph; node and edge data not shown in text form)
                                          APIs
                                          • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040CA04
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: LongNamePath
                                          • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                          • API String ID: 82841172-425784914
                                          • Opcode ID: f411b4bda197469a8f5fa6f0702ce682b0f23decd79daaf3752e96957329e7a7
                                          • Instruction ID: 51cedb133b73bca78a9fc1065318242b3d6e678e936cb09da4a185c9a299c852
                                          • Opcode Fuzzy Hash: f411b4bda197469a8f5fa6f0702ce682b0f23decd79daaf3752e96957329e7a7
                                          • Instruction Fuzzy Hash: 39413A721442009BC214FB21DD96DAFB7A4AE90759F10063FB546720E2EE7CAA49C69F

                                          Control-flow Graph

                                          APIs
                                            • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                            • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
                                            • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                            • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                            • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                          • StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4D9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$CloseCurrentOpenQueryValueWow64
                                          • String ID: (32 bit)$ (64 bit)$8W$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                          • API String ID: 782494840-2522655304
                                          • Opcode ID: 2b18f229538df81ea9d982a80dc21e3ef646ce9f87e0def4b65cb5a9171dabf9
                                          • Instruction ID: 19977b185b3bcff34fa520d2ecc4782d624f476aadfe6515b429a208ce335d2f
                                          • Opcode Fuzzy Hash: 2b18f229538df81ea9d982a80dc21e3ef646ce9f87e0def4b65cb5a9171dabf9
                                          • Instruction Fuzzy Hash: EF11E9A060020166C704B365DCABDBF765ADB90304F50443FB906E31D2EB6C9E9683EE

                                          Control-flow Graph

                                          • Executed
                                          • Not Executed
                                          • Control-flow graph of the function starting at 41a51b (rendered graph; node and edge data not shown in text form)
                                          APIs
                                          • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A53E
                                          • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A554
                                          • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A56D
                                          • InternetCloseHandle.WININET(00000000), ref: 0041A5B3
                                          • InternetCloseHandle.WININET(00000000), ref: 0041A5B6
                                          Strings
                                          • http://geoplugin.net/json.gp, xrefs: 0041A54E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Internet$CloseHandleOpen$FileRead
                                          • String ID: http://geoplugin.net/json.gp
                                          • API String ID: 3121278467-91888290
                                          • Opcode ID: a574e59ae2a6d8659b3b708bfc28c48046a6cfc8e174729ee45d25f2e2c52857
                                          • Instruction ID: 402fbdb1aff19a1981f8347c65821a4f206ec005c70a85ea4635686413b1fe25
                                          • Opcode Fuzzy Hash: a574e59ae2a6d8659b3b708bfc28c48046a6cfc8e174729ee45d25f2e2c52857
                                          • Instruction Fuzzy Hash: 2711C87110A3126BD214AA169C45DBF7FDCEF46365F00053EF905D2191DB689C48C6B6

                                          Control-flow graph (rendered graph omitted; basic blocks 4126d2 through 412730: RegCreateKeyA, RegSetValueExA, RegCloseKey)
                                          APIs
                                          • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                                          • RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000, W,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                                          • RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                                          Similarity
                                          • API ID: CloseCreateValue
                                          • String ID: W$HgF$pth_unenc
                                          • API String ID: 1818849710-3061142282
                                          • Opcode ID: 1bd7bc63bfcb718f8a00b857ba0206b1347799401e36ec3cc1597cb67c32c774
                                          • Instruction ID: d7c223529d0a909ac1d5b5cf1be9cbd74eb10d05c00374dbcf2eb8abb0eb8976
                                          • Opcode Fuzzy Hash: 1bd7bc63bfcb718f8a00b857ba0206b1347799401e36ec3cc1597cb67c32c774
                                          • Instruction Fuzzy Hash: 98F09032040104FBCB019FA0ED55EEF37ACEF04751F108139FD06A61A1EA75DE04EA94

                                          APIs
                                          • CreateThread.KERNEL32(00000000,00000000,004099A9,?,00000000,00000000), ref: 0040992A
                                          • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040993A
                                          • CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 00409946
                                            • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                            • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                          Similarity
                                          • API ID: CreateThread$LocalTimewsprintf
                                          • String ID: Offline Keylogger Started
                                          • API String ID: 465354869-4114347211
                                          • Opcode ID: 12a7e14b742792f2f7edc51aeeb20cb2f460560c35512bbf3bc1a56244271605
                                          • Instruction ID: 73cd13916ef890eca76c0e29a3751801184202c96e3ca0ae9416a03768ca9078
                                          • Opcode Fuzzy Hash: 12a7e14b742792f2f7edc51aeeb20cb2f460560c35512bbf3bc1a56244271605
                                          • Instruction Fuzzy Hash: CF11ABB15003097AD220BA36DC87CBF765CDA813A8B40053EF845225D3EA785E54C6FB

                                          Control-flow graph (rendered graph omitted; basic blocks 41265d through 4126d1: RegOpenKeyExA, RegQueryValueExA, RegCloseKey)
                                          APIs
                                          • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000, W), ref: 00412679
                                          • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                          • RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                          Similarity
                                          • API ID: CloseOpenQueryValue
                                          • String ID: W
                                          • API String ID: 3677997916-3818464504
                                          • Opcode ID: f35e7c15da94557ef338f13a10ac7e5db7717a73998ec4005cb99cacd37e3820
                                          • Instruction ID: c18416eb0b1572374c3e2b3be0649ca89fc6f9e16ed4320a44d925c8ae57db2a
                                          • Opcode Fuzzy Hash: f35e7c15da94557ef338f13a10ac7e5db7717a73998ec4005cb99cacd37e3820
                                          • Instruction Fuzzy Hash: BD018131404229FBDF216FA1DC45DDF7F78EF11754F004065BA04A21A1D7758AB5DBA8
                                          APIs
                                          • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                          • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?, W), ref: 004124F5
                                          • RegCloseKey.KERNEL32(?), ref: 00412500
                                          Similarity
                                          • API ID: CloseOpenQueryValue
                                          • String ID: W
                                          • API String ID: 3677997916-3818464504
                                          • Opcode ID: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                          • Instruction ID: 3c8b5742b91bab9b7a0bfd6479237677f271592d1db5ef4b45a1d16c6b8d7bbd
                                          • Opcode Fuzzy Hash: 9045fb9a7a6208df116313aaf282ceb7280aaf27367a6f7e2add9e4d3bf57581
                                          • Instruction Fuzzy Hash: C0F03A76900208BFDF119FA0AC45FDF7BB9EB04B55F1040A1FA05F6291D670DA54EB98
                                          APIs
                                          • RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                          • RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                          • RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                          Similarity
                                          • API ID: CloseCreateValue
                                          • String ID: TUF
                                          • API String ID: 1818849710-3431404234
                                          • Opcode ID: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                          • Instruction ID: 4d8f19d4f5fba69279ea975c705bdc3302fb28fe13ea63ccb444db4f968143a5
                                          • Opcode Fuzzy Hash: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                          • Instruction Fuzzy Hash: 8DE03071540204BFEF115B909C05FDB3BA8EB05B95F004161FA05F6191D271CE14D7A4
                                          APIs
                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
                                          • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
                                          • CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
                                          Similarity
                                          • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                          • String ID:
                                          • API String ID: 3360349984-0
                                          • Opcode ID: 72b013782cf94b1f3d34b8331976b904c6ebf93714f67b57431e08570f282644
                                          • Instruction ID: f4983b6e647f91c6eb1a16b69ab68a2f9d5597509a23169db7b615edd0c6cdea
                                          • Opcode Fuzzy Hash: 72b013782cf94b1f3d34b8331976b904c6ebf93714f67b57431e08570f282644
                                          • Instruction Fuzzy Hash: 34417171508301ABC700FB61CC55D7FB7E9AFD5315F00093EF892A32E2EA389909866A
                                          APIs
                                          • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6A5,00000000,00000000,?), ref: 0041B5CE
                                          • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040A009,?,00000000,00000000), ref: 0041B5EB
                                          • WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A009,?,00000000,00000000), ref: 0041B5FF
                                          • CloseHandle.KERNEL32(00000000,?,0040A009,?,00000000,00000000), ref: 0041B60C
                                          Similarity
                                          • API ID: File$CloseCreateHandlePointerWrite
                                          • String ID:
                                          • API String ID: 3604237281-0
                                          • Opcode ID: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                          • Instruction ID: 083799f3d1f95ebfb1fb2bbe8bc155d348f6fb5eb74ded268dd94cd43ec1eb57
                                          • Opcode Fuzzy Hash: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                          • Instruction Fuzzy Hash: 7501F5712092157FE6104F28AC89EBB739EEB86379F10063AF552C22C0D725CD8586BE
                                          APIs
                                          Similarity
                                          • API ID: CountEventTick
                                          • String ID: >G
                                          • API String ID: 180926312-1296849874
                                          • Opcode ID: 494e4742813bfaf0bd915db18e072b49ee0bfd3b9149fbb59dce401fa11b8fea
                                          • Instruction ID: d5b3ec7783a4dd7183bbf31121b5a8e130ff38f85bff4fd723ced1f164cd3d8d
                                          • Opcode Fuzzy Hash: 494e4742813bfaf0bd915db18e072b49ee0bfd3b9149fbb59dce401fa11b8fea
                                          • Instruction Fuzzy Hash: 1A5170315042409AC624FB71D8A2AEF73A5AFD1314F40853FF94A671E2EF389949C69A
                                          APIs
                                          • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
                                          • GetLastError.KERNEL32 ref: 0040BEF1
                                          Similarity
                                          • API ID: CreateErrorLastMutex
                                          • String ID: W
                                          • API String ID: 1925916568-3818464504
                                          • Opcode ID: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                          • Instruction ID: f970ec9d0541ab61c93bafde2a4f59c5c821b48a7874ab2150ad5935bc14b509
                                          • Opcode Fuzzy Hash: defc0333e3605ddb085507e8cb5f1de2847b42d11ba618549d06c615cf8541f0
                                          • Instruction Fuzzy Hash: 75D012707083009BD7181774BC8A77D3555E784703F00417AB90FD55E1CB6888409919
                                          APIs
                                          • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                          • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                          • RegCloseKey.KERNEL32(?), ref: 0041255F
                                          Similarity
                                          • API ID: CloseOpenQueryValue
                                          • String ID:
                                          • API String ID: 3677997916-0
                                          • Opcode ID: 1a25bcfb25f4c61a33ed6ceb80866840e5ee7adcdacacd2e2e41860cf5e9bac8
                                          • Instruction ID: 155fce86b91483c744b9f02885d56de91ccd1cdd8f33956e2d71fd22bd1c87ae
                                          • Opcode Fuzzy Hash: 1a25bcfb25f4c61a33ed6ceb80866840e5ee7adcdacacd2e2e41860cf5e9bac8
                                          • Instruction Fuzzy Hash: F0F08176900118BBCB209BA1ED48DEF7FBDEB44751F004066BA06E2150D6749E55DBA8
                                          APIs
                                          • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B996,004660E0), ref: 00412485
                                          • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040B996,004660E0), ref: 00412499
                                          • RegCloseKey.KERNEL32(?,?,?,0040B996,004660E0), ref: 004124A4
                                          Similarity
                                          • API ID: CloseOpenQueryValue
                                          • String ID:
                                          • API String ID: 3677997916-0
                                          • Opcode ID: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                                          • Instruction ID: 2a31b93e49ffe9e6f23ef690bd11c8afd6de107f9352384350bf23698ee7218d
                                          • Opcode Fuzzy Hash: e297991b72ec1606279c96c89a25a7ac8737aea41b7b6b8683e2e1c686c69e22
                                          • Instruction Fuzzy Hash: 46E06531405234BBDF314BA2AD0DDDB7FACEF16BA17004061BC09A2251D2658E50E6E8
                                          APIs
                                          Similarity
                                          • API ID: _wcslen
                                          • String ID: xAG
                                          • API String ID: 176396367-2759412365
                                          • Opcode ID: 5b2808d6a420319a8e352f948dca3b51851caf84ac7e067c3f15d365214f07ca
                                          • Instruction ID: 4b5f0267b16b6d1f94f05398eea60063c36f9fdec9e789d07f1c8464d26cb595
                                          • Opcode Fuzzy Hash: 5b2808d6a420319a8e352f948dca3b51851caf84ac7e067c3f15d365214f07ca
                                          • Instruction Fuzzy Hash: 751193325002049FCB15FF66D8968EF7BA4EF64314B10453FF842622E2EF38A955CB98
                                          APIs
                                          • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041A959
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: GlobalMemoryStatus
                                          • String ID: @
                                          • API String ID: 1890195054-2766056989
                                          • Opcode ID: 6a5e85952f382d12afcc854e62baf2dc0b8e461fb7fe04101b075e185c2318ef
                                          • Instruction ID: dd145fffdacd7bda74fa2c6e5abe56fe406d4b7e613986be5c07feff288e4f4e
                                          • Opcode Fuzzy Hash: 6a5e85952f382d12afcc854e62baf2dc0b8e461fb7fe04101b075e185c2318ef
                                          • Instruction Fuzzy Hash: EFD067B99013189FCB20DFA8E945A8DBBF8FB48214F004529E946E3344E774E945CB95
                                          APIs
                                          • _free.LIBCMT ref: 0044B9DF
                                            • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                          • RtlReAllocateHeap.NTDLL(00000000,00475D30,?,00000004,00000000,?,0044E90A,00475D30,00000004,?,00475D30,?,?,00443125,00475D30,?), ref: 0044BA1B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap$_free
                                          • String ID:
                                          • API String ID: 1482568997-0
                                          • Opcode ID: 4aeba00e3fff788b378028bf06d7bcfcb791a64fa1e6dc072cb532da7a87caba
                                          • Instruction ID: 12956794463f81a5c067cbc08b9f94d22fea268b9007f3edb04f63306941b305
                                          • Opcode Fuzzy Hash: 4aeba00e3fff788b378028bf06d7bcfcb791a64fa1e6dc072cb532da7a87caba
                                          • Instruction Fuzzy Hash: D6F0F67210051167FF212A27AC01B6B2B2CDFC27B1F15012BFA18AA292DF6CCC0191EE
                                          APIs
                                          • socket.WS2_32(?,00000001,00000006), ref: 00404212
                                            • Part of subcall function 00404262: WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                          • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404252
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateEventStartupsocket
                                          • String ID:
                                          • API String ID: 1953588214-0
                                          • Opcode ID: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                                          • Instruction ID: 6d5c4ce7eefecebe47fda3b025552a79fd8a61a73b62065855ea20d17e135052
                                          • Opcode Fuzzy Hash: 854d00471859da485f7a9b00171063840124e4cdae7de36f8ad07afc2a8c10ec
                                          • Instruction Fuzzy Hash: A20171B05087809ED7358F38B8456977FE0AB15314F044DAEF1D697BA1C3B5A481CB18
                                          APIs
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00433DE7
                                            • Part of subcall function 00437BD7: RaiseException.KERNEL32(?,?,00434411,?,?,?,?,?,?,?,?,00434411,?,0046D644,0041AD75,?), ref: 00437C37
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00433E04
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Exception@8Throw$ExceptionRaise
                                          • String ID:
                                          • API String ID: 3476068407-0
                                          • Opcode ID: a80fbdf5468804761b56489a3a39c56644ed3c61f36a154b7cd34dcf14c41ed8
                                          • Instruction ID: 1b32a2814776e74a5aaecdac66354fa275a8f3c838098619b8de34dc4906cb01
                                          • Opcode Fuzzy Hash: a80fbdf5468804761b56489a3a39c56644ed3c61f36a154b7cd34dcf14c41ed8
                                          • Instruction Fuzzy Hash: 33F02B30C0020D77CB14BEA5E80699D772C4D08319F20923BB920915E1EF7CEB05858D
                                          APIs
                                          • GetForegroundWindow.USER32 ref: 0041AC74
                                          • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041AC87
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Window$ForegroundText
                                          • String ID:
                                          • API String ID: 29597999-0
                                          • Opcode ID: 1796dd390df28a7f4dbf89d7f01fc1bba1536ee62ee2177b21e7863b89c7f1ab
                                          • Instruction ID: 3cf16c2a8257e52241c70e3f2477159e0ff99a2dafdd86ddfb3cfc0a4d760bbd
                                          • Opcode Fuzzy Hash: 1796dd390df28a7f4dbf89d7f01fc1bba1536ee62ee2177b21e7863b89c7f1ab
                                          • Instruction Fuzzy Hash: 56E04875A0031467EB24A765AC4EFDA766C9704715F0000B9BA19D21C3E9B4EA04CBE4
                                          APIs
                                          • getaddrinfo.WS2_32(00000000,00000000,00000000,00471B28,00474358,00000000,00414240,00000000,00000001), ref: 00413FBC
                                          • WSASetLastError.WS2_32(00000000), ref: 00413FC1
                                            • Part of subcall function 00413E37: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                            • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                            • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                            • Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                            • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413F27
                                            • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                            • Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                            • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                          • String ID:
                                          • API String ID: 1170566393-0
                                          • Opcode ID: de7c912f5844d1f7c2d429620844517faabbfd26de99632591fe9930316e04d8
                                          • Instruction ID: 9c65b6197a0e8ce5e429e224625e4c370c9a1848c9e97f9a588a6d75e163472b
                                          • Opcode Fuzzy Hash: de7c912f5844d1f7c2d429620844517faabbfd26de99632591fe9930316e04d8
                                          • Instruction Fuzzy Hash: 4ED05B326406216FB310575D6D01FFBB5DCDFA67617150077F408D7110D6945D82C3AD
                                          APIs
                                          • RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AllocateHeap
                                          • String ID:
                                          • API String ID: 1279760036-0
                                          • Opcode ID: 382123f4ff15faebfb065adfee4593ee0e25617df91b7722ec70fd9da05ca189
                                          • Instruction ID: 23017b4f7b15ec8d1e6c8205d578d5100ba2a3a3bb6c043e3f5ab96588fe2cc9
                                          • Opcode Fuzzy Hash: 382123f4ff15faebfb065adfee4593ee0e25617df91b7722ec70fd9da05ca189
                                          • Instruction Fuzzy Hash: 16E0E5312002B556FB202A6A9C05F5B7A88DB437A4F160133AC09D62D0CF5CEC4181AF
                                          APIs
                                          • WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Startup
                                          • String ID:
                                          • API String ID: 724789610-0
                                          • Opcode ID: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                                          • Instruction ID: eac2355bac846bce9fd0ddf676e945afe2a4b646382637a0be3cadb4b1fbcda1
                                          • Opcode Fuzzy Hash: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                                          • Instruction Fuzzy Hash: E1D012325596084ED610AAB8AC0F8A47B5CD317611F0003BA6CB5826E3E640661CC6AB
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: send
                                          • String ID:
                                          • API String ID: 2809346765-0
                                          • Opcode ID: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                                          • Instruction ID: f30177ef1ac25d972003a71432bbdafa3536f6886768dd9ca1b11e7f0a6bf502
                                          • Opcode Fuzzy Hash: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                                          • Instruction Fuzzy Hash: 4FB09279118302BFCA051B60DC0887A7EBAABC9381B108C2CB146512B0CA37C490EB36
                                          APIs
                                          • SetEvent.KERNEL32(?,?), ref: 00406F28
                                          • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
                                          • DeleteFileW.KERNEL32(00000000), ref: 00407018
                                            • Part of subcall function 0041B42F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0, W), ref: 0041B489
                                            • Part of subcall function 0041B42F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0, W), ref: 0041B4BB
                                            • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0, W), ref: 0041B50C
                                            • Part of subcall function 0041B42F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0, W), ref: 0041B561
                                            • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0, W), ref: 0041B568
                                            • Part of subcall function 00404468: send.WS2_32(00000304,00000000,00000000,00000000), ref: 004044FD
                                            • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                            • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                            • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                            • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                            • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                            • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(00000330,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                            • Part of subcall function 00404468: SetEvent.KERNEL32(00000330,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
                                          • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
                                          • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
                                          • DeleteFileA.KERNEL32(?), ref: 004078CC
                                            • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
                                            • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                            • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                          • Sleep.KERNEL32(000007D0), ref: 00407976
                                          • StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
                                            • Part of subcall function 0041BB77: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                                          • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$TTF$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
                                          • API String ID: 2918587301-184849705
                                          • Opcode ID: 19481c044733afb546c4006e97ce6a562666d24dbef10c582627cce046f80287
                                          • Instruction ID: 8a4068a2e00c67808ff4e441dc576a613f01372a1abbdcb91e63f440e0dcd641
                                          • Opcode Fuzzy Hash: 19481c044733afb546c4006e97ce6a562666d24dbef10c582627cce046f80287
                                          • Instruction Fuzzy Hash: 60429371A043005BC614F776C8979AE77A99F90718F40493FF946731E2EE3CAA09C69B
                                          APIs
                                          • __Init_thread_footer.LIBCMT ref: 0040508E
                                            • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                            • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                            • Part of subcall function 00404468: send.WS2_32(00000304,00000000,00000000,00000000), ref: 004044FD
                                          • __Init_thread_footer.LIBCMT ref: 004050CB
                                          • CreatePipe.KERNEL32(00475CEC,00475CD4,00475BF8,00000000,0046556C,00000000), ref: 0040515E
                                          • CreatePipe.KERNEL32(00475CD8,00475CF4,00475BF8,00000000), ref: 00405174
                                          • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C08,00475CDC), ref: 004051E7
                                            • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                            • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                          • Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
                                          • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
                                          • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
                                            • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                          • WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
                                          • Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
                                          • TerminateProcess.KERNEL32(00000000), ref: 004053C1
                                          • CloseHandle.KERNEL32 ref: 004053CD
                                          • CloseHandle.KERNEL32 ref: 004053D5
                                          • CloseHandle.KERNEL32 ref: 004053E7
                                          • CloseHandle.KERNEL32 ref: 004053EF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                          • String ID: P\G$P\G$P\G$P\G$P\G$SystemDrive$cmd.exe
                                          • API String ID: 3815868655-81343324
                                          • Opcode ID: 3962288f67b6343dc351fcf9cfefafb790a27fc5d456e23b5c61f5133e29afc6
                                          • Instruction ID: b18bac6d60c4c725a58799f80733fb47b3e4e6a61b1262bf76379e9ec18ff918
                                          • Opcode Fuzzy Hash: 3962288f67b6343dc351fcf9cfefafb790a27fc5d456e23b5c61f5133e29afc6
                                          • Instruction Fuzzy Hash: A691E5716007056FD705BB65AC41A6F37A8EB80348F50403FF94ABA1E2EEBC9C448B6D
                                          APIs
                                          • GetCurrentProcessId.KERNEL32 ref: 00410F45
                                            • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                            • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                            • Part of subcall function 004127D5: RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                          • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
                                          • CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6
                                            • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                            • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?, W), ref: 004124F5
                                            • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
                                          • CloseHandle.KERNEL32(00000000), ref: 00410F90
                                            • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                          • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                                          • String ID: W$0DG$Remcos restarted by watchdog!$TTF$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$BG
                                          • API String ID: 65172268-487889913
                                          • Opcode ID: 51674d9ef77ab3affcb4b811ad4559765d13db7ea621b316b6720b079fd226d4
                                          • Instruction ID: 2ec41641ff7d981187ed77e29e7d519fc89a207972baa733902a05010441332b
                                          • Opcode Fuzzy Hash: 51674d9ef77ab3affcb4b811ad4559765d13db7ea621b316b6720b079fd226d4
                                          • Instruction Fuzzy Hash: 97719E3160420157C614FB32D8579AE77A8AED4718F40053FF582A21F2EF7CAA49869F
                                          APIs
                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
                                          • FindClose.KERNEL32(00000000), ref: 0040B3CE
                                          • FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
                                          • FindClose.KERNEL32(00000000), ref: 0040B517
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID: Find$CloseFile$FirstNext
                                          • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                          • API String ID: 1164774033-3681987949
                                          • Opcode ID: 8a573f4cde42bb8974b55a1bb9849f05b01946ec243df485f40a07b19650f4e4
                                          • Instruction ID: 89bba1744b34cafda07904381260291e44814ca984bf7dbd554ee600cd7873bd
                                          • Opcode Fuzzy Hash: 8a573f4cde42bb8974b55a1bb9849f05b01946ec243df485f40a07b19650f4e4
                                          • Instruction Fuzzy Hash: 4D512C319042195ADB14FBA1EC96AEE7768EF50318F50007FF805B31E2EF389A45CA9D
                                          APIs
                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
                                          • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
                                          • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C
                                            • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                            • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                            • Part of subcall function 004127D5: RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                          • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                                          • String ID: W$C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
                                          • API String ID: 726551946-3168291952
                                          • Opcode ID: c6b8a8b98bbd4d63e6190979d81124dee66bc740cd9cc34f4ffc17523aed10bc
                                          • Instruction ID: ae31f71cb8b9f969ca9e83e5ca698076ed3bac053ed440982de07d1dc4d90588
                                          • Opcode Fuzzy Hash: c6b8a8b98bbd4d63e6190979d81124dee66bc740cd9cc34f4ffc17523aed10bc
                                          • Instruction Fuzzy Hash: ED7172311083019BC714FB61D8519EF77A5BF91358F400D3EF986631E2EF38A959CA9A
                                          APIs
                                          • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
                                          • FindClose.KERNEL32(00000000), ref: 0040B5CC
                                          • FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
                                          • FindClose.KERNEL32(00000000), ref: 0040B6B2
                                          • FindClose.KERNEL32(00000000), ref: 0040B6D1
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID: Find$Close$File$FirstNext
                                          • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                          • API String ID: 3527384056-432212279
                                          • Opcode ID: e3298efea2014f122d9e4da4ca7a52805c3aaa742dc7125d16785d6f153ddc68
                                          • Instruction ID: 41d59f58487c11b5b23c2ebc8e3123b77d6604a8f5f59a85184e8f88ff1ca84c
                                          • Opcode Fuzzy Hash: e3298efea2014f122d9e4da4ca7a52805c3aaa742dc7125d16785d6f153ddc68
                                          • Instruction Fuzzy Hash: 65413A319042196ACB14F7A1EC569EE7768EE21318F50017FF801B31E2EF399A458A9E
                                          APIs
                                          • OpenClipboard.USER32 ref: 004159C7
                                          • EmptyClipboard.USER32 ref: 004159D5
                                          • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
                                          • GlobalLock.KERNEL32(00000000), ref: 004159FE
                                          • GlobalUnlock.KERNEL32(00000000), ref: 00415A34
                                          • SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
                                          • CloseClipboard.USER32 ref: 00415A5A
                                          • OpenClipboard.USER32 ref: 00415A61
                                          • GetClipboardData.USER32(0000000D), ref: 00415A71
                                          • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                          • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                          • CloseClipboard.USER32 ref: 00415A89
                                            • Part of subcall function 00404468: send.WS2_32(00000304,00000000,00000000,00000000), ref: 004044FD
                                          Yara matches
                                          Similarity
                                          • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                          • String ID:
                                          • API String ID: 3520204547-0
                                          • Opcode ID: aec1d1bf9f744aaed2c9463717a263a6e62bb038cffa3167de4c184d82277f83
                                          • Instruction ID: b8e523df9fc7c7245f85f50a48877f09888e29e8b5459684195c928b546a98bf
                                          • Opcode Fuzzy Hash: aec1d1bf9f744aaed2c9463717a263a6e62bb038cffa3167de4c184d82277f83
                                          • Instruction Fuzzy Hash: E02183712043009BC714BBB1EC5AAAE76A9AF80752F00453EFD06961E2EF38C845D66A
                                          APIs
                                          • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0, W), ref: 0041B489
                                          • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0, W), ref: 0041B4BB
                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,004742E0, W), ref: 0041B529
                                          • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,004742E0, W), ref: 0041B536
                                            • Part of subcall function 0041B42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0, W), ref: 0041B50C
                                          • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0, W), ref: 0041B561
                                          • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0, W), ref: 0041B568
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,004742E0, W), ref: 0041B570
                                          • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0, W), ref: 0041B583
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                          • String ID: W
                                          • API String ID: 2341273852-3818464504
                                          • Opcode ID: e3c00313fe9feb441b7390d1c72d337a5a5a4ab260ce0f05f37d8840b2d05d0a
                                          • Instruction ID: e81c2b0307560c21eb772b723951cbad4d8c7a866ea933437d0d5d39764c0eb1
                                          • Opcode Fuzzy Hash: e3c00313fe9feb441b7390d1c72d337a5a5a4ab260ce0f05f37d8840b2d05d0a
                                          • Instruction Fuzzy Hash: 0031627184921CAACB20D7B1AC89ADA77BCAF04309F4405EBF505D3181EB799AC5CE69
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: 0$1$2$3$4$5$6$7
                                          • API String ID: 0-3177665633
                                          • Opcode ID: f8af07fa47c58c456c71caf90e41cb852091bf7478b48f1c56509a0c55dbd029
                                          • Instruction ID: 2879f211a781d1662389055333b9a248a4bc7621c6500268a6892da51c348380
                                          • Opcode Fuzzy Hash: f8af07fa47c58c456c71caf90e41cb852091bf7478b48f1c56509a0c55dbd029
                                          • Instruction Fuzzy Hash: CC61A370508301AEDB00EF21D862FEA77E4AF85754F40485EFA91672E1DF789A48C797
                                          APIs
                                          • GetForegroundWindow.USER32(?,?,004740F8), ref: 00409B3F
                                          • GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                          • GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                          • GetKeyState.USER32(00000010), ref: 00409B5C
                                          • GetKeyboardState.USER32(?,?,004740F8), ref: 00409B67
                                          • ToUnicodeEx.USER32(0047414C,00000000,?,?,00000010,00000000,00000000), ref: 00409B8A
                                          • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                          • ToUnicodeEx.USER32(0047414C,?,?,?,00000010,00000000,00000000), ref: 00409C1C
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                          • String ID: 8[G
                                          • API String ID: 1888522110-1691237782
                                          • Opcode ID: 925a5eb4e75251b1def6021025d6fe2bb9c2de734200d7c4e5adce8016dcfecb
                                          • Instruction ID: f24a8317de74a0bbad47f265c67a45df51816e9018bfad09e00086f3728f1c27
                                          • Opcode Fuzzy Hash: 925a5eb4e75251b1def6021025d6fe2bb9c2de734200d7c4e5adce8016dcfecb
                                          • Instruction Fuzzy Hash: EE318172508309AFD700DF90DC85FDBB7ECEB48715F00083ABA45961A1D6B5E948DB96
                                          APIs
                                          • _wcslen.LIBCMT ref: 00406788
                                          • CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID: Object_wcslen
                                          • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                          • API String ID: 240030777-3166923314
                                          • Opcode ID: f680b05b7da9254b8b2e62aef58334289a0f3b659c75efd963e3361adaa2c028
                                          • Instruction ID: dba8c49f7cecafb8ed31af17d29d910bb03d3c12ecd117c8e18c4d6c9c114880
                                          • Opcode Fuzzy Hash: f680b05b7da9254b8b2e62aef58334289a0f3b659c75efd963e3361adaa2c028
                                          • Instruction Fuzzy Hash: 811170B2901118AEDB10FAA5884AA9EB7BCDB48714F55007FE905F3281E7789A148A7D
                                          APIs
                                          • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,004748F8), ref: 004198D8
                                          • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419927
                                          • GetLastError.KERNEL32 ref: 00419935
                                          • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041996D
                                          Yara matches
                                          Similarity
                                          • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                          • String ID:
                                          • API String ID: 3587775597-0
                                          • Opcode ID: 3890bdb0540eb0e670ed260973a12fdff1d758257f1b422d234bde2ff04c0bf6
                                          • Instruction ID: 5304d2aa3016a1bb8b693e548c532b43deb082133906afc562c92feca393f19d
                                          • Opcode Fuzzy Hash: 3890bdb0540eb0e670ed260973a12fdff1d758257f1b422d234bde2ff04c0bf6
                                          • Instruction Fuzzy Hash: 37812F711083049BC614FB21DC959AFB7A8BF94718F50493EF582521E2EF78AA05CB9A
                                          APIs
                                            • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                            • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                            • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                            • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                            • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                            • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
                                          • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004514C3
                                          • IsValidCodePage.KERNEL32(00000000), ref: 0045151E
                                          • IsValidLocale.KERNEL32(?,00000001), ref: 0045152D
                                          • GetLocaleInfoW.KERNEL32(?,00001001,<D,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 00451575
                                          • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 00451594
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                          • String ID: <D$<D$<D
                                          • API String ID: 745075371-3495170934
                                          • Opcode ID: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                          • Instruction ID: fdda48fcf8ef828b158f806230e01f9d82b9b72a6df542884d0e4dc3e0683d2c
                                          • Opcode Fuzzy Hash: 5c8e94395c66df2641350def7a129c2a5847567c9c00908226c609ff7e549d11
                                          • Instruction Fuzzy Hash: 5A51D571900205ABEF10EFA5CC40BBF73B8AF05702F14056BFD11EB262E7789A488769
                                          APIs
                                          • FindFirstFileW.KERNEL32(00000000,?), ref: 00418EBF
                                          • FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F8B
                                            • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$Find$CreateFirstNext
                                          • String ID: @CG$XCG$`HG$`HG$>G
                                          • API String ID: 341183262-3780268858
                                          • Opcode ID: 72ff8082b0e43faad44e135ae875fce9f87f9654d684cf5580552fa3818e263a
                                          • Instruction ID: 861c71bda04042c44626cba1538e35c757a91b728f0af2478fb4c1063bb13cc5
                                          • Opcode Fuzzy Hash: 72ff8082b0e43faad44e135ae875fce9f87f9654d684cf5580552fa3818e263a
                                          • Instruction Fuzzy Hash: B08141315042405BC314FB62C892EEFB3A5AFD1718F50493FF946671E2EF389A49C69A
                                          APIs
                                          • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0041301A
                                          • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00413026
                                            • Part of subcall function 00404468: send.WS2_32(00000304,00000000,00000000,00000000), ref: 004044FD
                                          • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
                                          • GetProcAddress.KERNEL32(00000000), ref: 004131F4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressCloseCreateLibraryLoadProcsend
                                          • String ID: SHDeleteKeyW$Shlwapi.dll
                                          • API String ID: 2127411465-314212984
                                          • Opcode ID: d04076544b552dc671c3b30d9e429cff8967424bae89a0236bf5949f115eccc7
                                          • Instruction ID: cc67afc49b78d61a2372e1362dfc4f5d4a672f2d1b5b468e2109e7b1f18a6fb5
                                          • Opcode Fuzzy Hash: d04076544b552dc671c3b30d9e429cff8967424bae89a0236bf5949f115eccc7
                                          • Instruction Fuzzy Hash: 4FB1B671A043006BC614BA76CC979BE76989F94718F40063FF946B31E2EF7C9A4486DB
                                          APIs
                                          • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
                                          • GetLastError.KERNEL32 ref: 0040B261
                                          Strings
                                          • UserProfile, xrefs: 0040B227
                                          • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
                                          • [Chrome StoredLogins not found], xrefs: 0040B27B
                                          • [Chrome StoredLogins found, cleared!], xrefs: 0040B287
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: DeleteErrorFileLast
                                          • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                          • API String ID: 2018770650-1062637481
                                          • Opcode ID: 4cd32df34f682fcf287b1bbdb8b1e04e90f5886a02fc20745afa94da3ae3815b
                                          • Instruction ID: 236ee74dc97b4bdf00ef4875347123a6b81b21ae8e03a402b83ae8c28ff1bd46
                                          • Opcode Fuzzy Hash: 4cd32df34f682fcf287b1bbdb8b1e04e90f5886a02fc20745afa94da3ae3815b
                                          • Instruction Fuzzy Hash: 3001A23168410597CA0477B5ED6F8AE3624E921704F50017FF802731E2FF3A9A0586DE
                                          APIs
                                          • GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                          • OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                          • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                          • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                          • GetLastError.KERNEL32 ref: 00416B02
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                          • String ID: SeShutdownPrivilege
                                          • API String ID: 3534403312-3733053543
                                          • Opcode ID: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                          • Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
                                          • Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                          • Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: __floor_pentium4
                                          • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                          • API String ID: 4168288129-2761157908
                                          • Opcode ID: 66bc95b00190c33de1dc88885a8d3c2e2540cf288971a00217ef3550ead5f7a6
                                          • Instruction ID: 57cc16b57fb9b80973019f24a4c29afa226e887048a240d5689d112d8919aadd
                                          • Opcode Fuzzy Hash: 66bc95b00190c33de1dc88885a8d3c2e2540cf288971a00217ef3550ead5f7a6
                                          • Instruction Fuzzy Hash: 08C26F72D046288FDB25CE28DD407EAB7B5EB44346F1441EBD84DE7242E778AE898F44
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 004089AE
                                            • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                            • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                          • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
                                          • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
                                            • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(00000330,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                            • Part of subcall function 00404468: SetEvent.KERNEL32(00000330,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                            • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                                            • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                                            • Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
                                            • Part of subcall function 00404468: send.WS2_32(00000304,00000000,00000000,00000000), ref: 004044FD
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
                                          • String ID:
                                          • API String ID: 4043647387-0
                                          • Opcode ID: f69b92a23d02f21f0d56daa60a68a1cd7ec2c2bd959d7a231ee33c7a1f80003d
                                          • Instruction ID: d7705bc86650fd6632c5f082d335fbcd32bd3fe840799e2454ee74f5ab9ae988
                                          • Opcode Fuzzy Hash: f69b92a23d02f21f0d56daa60a68a1cd7ec2c2bd959d7a231ee33c7a1f80003d
                                          • Instruction Fuzzy Hash: 11A15C729001089ACB14EBA1DD92AEDB778AF54318F10427FF546B71D2EF385E498B98
                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041981A,00000000,00000000), ref: 00419BCD
                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041981A,00000000,00000000), ref: 00419BE2
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419BEF
                                          • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041981A,00000000,00000000), ref: 00419BFA
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0C
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,0041981A,00000000,00000000), ref: 00419C0F
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Service$CloseHandle$Open$ManagerStart
                                          • String ID:
                                          • API String ID: 276877138-0
                                          • Opcode ID: 6d0f589b7f4ed5c193fffaa70fef351a53496163331b96a9b3d3840ad54bf661
                                          • Instruction ID: 9ab78235182221d9a13884b701025ebbd4d22640777282bd149d85cf0e5c5631
                                          • Opcode Fuzzy Hash: 6d0f589b7f4ed5c193fffaa70fef351a53496163331b96a9b3d3840ad54bf661
                                          • Instruction Fuzzy Hash: 46F0E971404314AFD2115B31FC88DBF2AACEF85BA2B00043AF54193191CF68CD4595B9
                                          APIs
                                            • Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                            • Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                            • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                            • Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                            • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
                                          • ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
                                          • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
                                          • GetProcAddress.KERNEL32(00000000), ref: 00415977
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                          • String ID: PowrProf.dll$SetSuspendState
                                          • API String ID: 1589313981-1420736420
                                          • Opcode ID: 24b9d5b97b4806bc27070f5e9ed0cfc4c326b2396989710b1809eee22d884dc4
                                          • Instruction ID: 94bd0be5b4d635cf3270abd21b93e0cba208aed3fdadf5553bbce7524c8ebf13
                                          • Opcode Fuzzy Hash: 24b9d5b97b4806bc27070f5e9ed0cfc4c326b2396989710b1809eee22d884dc4
                                          • Instruction Fuzzy Hash: 7D2150B0604741E6CA14F7B19856AEF225A9F80748F40883FB402A72D2EF7CDC89865E
                                          APIs
                                          • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 0045127C
                                          • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00451502,?,00000000), ref: 004512A5
                                          • GetACP.KERNEL32(?,?,00451502,?,00000000), ref: 004512BA
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: InfoLocale
                                          • String ID: ACP$OCP
                                          • API String ID: 2299586839-711371036
                                          • Opcode ID: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                          • Instruction ID: bcb6c1b5649eca6e102b6d6ca9fa22aa61ab34f591545d84575f60c76f210f03
                                          • Opcode Fuzzy Hash: 3e26eff85c0b030be7827b2fbb91fc7191fc27f2fce1bf15d40cdf94764cc661
                                          • Instruction Fuzzy Hash: 50212722600100A6D7348F54D900BAB73A6AB40B66F1645E6FD09E7322F736DD49C799
                                          APIs
                                          • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A650
                                          • LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A664
                                          • LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A66B
                                          • SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67A
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Resource$FindLoadLockSizeof
                                          • String ID: SETTINGS
                                          • API String ID: 3473537107-594951305
                                          • Opcode ID: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                          • Instruction ID: 83a829ee02157d331b98a48cb758db5ec39b6d120b3a3db205f860a33549a403
                                          • Opcode Fuzzy Hash: e32b0715ad7aadeb38a8c4a618404dc1e86643bbbf9351d1ef3d996740a46f90
                                          • Instruction Fuzzy Hash: 3EE01A3A200710ABCB211BA5BC8CD477E39E7867633140036F90582331DA358850CA59
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 00407A91
                                          • FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                          • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                          • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Find$File$CloseFirstH_prologNext
                                          • String ID:
                                          • API String ID: 1157919129-0
                                          • Opcode ID: f8d6f61274b0bae339bae7b451de80ad719001fbde1d2d56a94fc198990b07ef
                                          • Instruction ID: c296e4c637b16ec180f1d25cf2666c4e6f2336455dd814d501b84ef2841b6e91
                                          • Opcode Fuzzy Hash: f8d6f61274b0bae339bae7b451de80ad719001fbde1d2d56a94fc198990b07ef
                                          • Instruction Fuzzy Hash: 485173329041085ACB14FB65DD969DD7778AF50318F50417EB806B31E2EF38AB498B99
                                          APIs
                                          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
                                          • _free.LIBCMT ref: 00448067
                                            • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                            • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                          • _free.LIBCMT ref: 00448233
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                          • String ID:
                                          • API String ID: 1286116820-0
                                          • Opcode ID: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                                          • Instruction ID: adcac59616ce0bf4d9b6f5e4feac4fc1c4b096f081e8a0f87c9a15d47e4c4f65
                                          • Opcode Fuzzy Hash: c081d488f34b9915cd9b048b6b498da186ffe618eda021c7ed3f66206b9427ec
                                          • Instruction Fuzzy Hash: 13510B719002099BE714DF69DC819AFB7BCEF41354F10456FE454A32A1EF389E46CB58
                                          APIs
                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
                                          • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
                                          Strings
                                          • open, xrefs: 0040622E
                                          • C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, xrefs: 0040627F, 004063A7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: DownloadExecuteFileShell
                                          • String ID: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe$open
                                          • API String ID: 2825088817-1199270383
                                          • Opcode ID: 5632cbe99eb1503b8ea3c35f5df804dfa2a052d1d0e7740a9250f620084231d3
                                          • Instruction ID: f68f5450864a8ef507c8d3860f756bd811b48be2db930e76b40a644c5c1bb7bc
                                          • Opcode Fuzzy Hash: 5632cbe99eb1503b8ea3c35f5df804dfa2a052d1d0e7740a9250f620084231d3
                                          • Instruction Fuzzy Hash: 0761A33160434067CA14FA76C8569BE77A69F81718F00493FBC46772D6EF3C9A05C69B
                                          APIs
                                          • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
                                          • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
                                            • Part of subcall function 00404468: send.WS2_32(00000304,00000000,00000000,00000000), ref: 004044FD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FileFind$FirstNextsend
                                          • String ID: x@G$x@G
                                          • API String ID: 4113138495-3390264752
                                          • Opcode ID: b36d87b323ec5cc269eb522c3cc31d9de89321549abc1b076fcc759a7cbe0d3a
                                          • Instruction ID: 9df0c8526107c53e8273efc1e688d8f669138e67c86485f4ac558c26d22f9560
                                          • Opcode Fuzzy Hash: b36d87b323ec5cc269eb522c3cc31d9de89321549abc1b076fcc759a7cbe0d3a
                                          • Instruction Fuzzy Hash: B42147725043015BC714FB61D8959AF77A8AFD1358F40093EF996A31D1EF38AA088A9B
                                          APIs
                                          • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC6C
                                            • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                                            • Part of subcall function 004126D2: RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000, W,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                                            • Part of subcall function 004126D2: RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseCreateInfoParametersSystemValue
                                          • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                          • API String ID: 4127273184-3576401099
                                          • Opcode ID: 3d360fdf2e78990b0619b3c2804760803c56fcbcebbcac8b827f4f8c51bc1c9b
                                          • Instruction ID: a6c166168c7895b99543370299e99232025f4d6daba66cbb636fef562e17b9dc
                                          • Opcode Fuzzy Hash: 3d360fdf2e78990b0619b3c2804760803c56fcbcebbcac8b827f4f8c51bc1c9b
                                          • Instruction Fuzzy Hash: 06112432B8060433D514303A4E6FBAE1806D356B60FA4415FF6026A6DAFA9E5AE103DF
                                          APIs
                                            • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                            • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                            • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                            • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                          • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443CF3,?,?,?,?,?,?,00000004), ref: 00450B61
                                          • _wcschr.LIBVCRUNTIME ref: 00450BF1
                                          • _wcschr.LIBVCRUNTIME ref: 00450BFF
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00443CF3,00000000,00443E13), ref: 00450CA2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                          • String ID:
                                          • API String ID: 4212172061-0
                                          • Opcode ID: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                                          • Instruction ID: a02e79dc60b90d06ce6287b0e519d5a2a37574338541b46fb9e412c2f7ec0900
                                          • Opcode Fuzzy Hash: 11e9d858be2eef57e51fe3ee5abaff11ba74f3cf781d1ad02b19bd3dc5989495
                                          • Instruction Fuzzy Hash: D7613B79600306AAD729AB75CC82AAB73ACEF05316F14052FFD05D7243E778E909C768
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 00408DAC
                                          • FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
                                          • FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FileFind$FirstH_prologNext
                                          • String ID:
                                          • API String ID: 301083792-0
                                          • Opcode ID: 0e4e9ac495abe8b57423f5ed93f9f96552df352c1a46bf6d3c996a5919a60c28
                                          • Instruction ID: 60446431aa0b45b5fc099c057f6d50f3e7887136e12703af2d86415be67689ac
                                          • Opcode Fuzzy Hash: 0e4e9ac495abe8b57423f5ed93f9f96552df352c1a46bf6d3c996a5919a60c28
                                          • Instruction Fuzzy Hash: 357140328001099BCB15EBA1DC919EE7778AF54318F10427FE856B71E2EF386E45CB98
                                          APIs
                                            • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                            • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                            • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                            • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                            • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                            • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450EBE
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F0F
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FCF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorInfoLastLocale$_free$_abort
                                          • String ID:
                                          • API String ID: 2829624132-0
                                          • Opcode ID: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                                          • Instruction ID: e92eb603d23812efeda5bde14236c6fbce748c008cf001f3fb8de25b7fcb8669
                                          • Opcode Fuzzy Hash: 022617d048d67c565bd8cd478daba609af81f9e307d0efc84ddd0a3e182c2dec
                                          • Instruction Fuzzy Hash: AC61D3365002079FDB289F24CD82BBB77A8EF04706F1041BBED05C6696E778D989DB58
                                          APIs
                                          • IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 0043A755
                                          • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 0043A75F
                                          • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 0043A76C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                          • String ID:
                                          • API String ID: 3906539128-0
                                          • Opcode ID: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                          • Instruction ID: 15fc2c217458336097e8e19d69e2940e7c5a4b77666d4e23b7e272f62fea865b
                                          • Opcode Fuzzy Hash: 3fa352bae2dd0906ed67bad857870cf194ce26166e1b5da63b4ea542d53f5057
                                          • Instruction Fuzzy Hash: 2D31D47490121CABCB21DF64D98979DBBB8BF08310F5052EAE81CA7251E7349F81CF49
                                          APIs
                                          • GetCurrentProcess.KERNEL32(?,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002,00000000), ref: 00442575
                                          • TerminateProcess.KERNEL32(00000000,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002,00000000), ref: 0044257C
                                          • ExitProcess.KERNEL32 ref: 0044258E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$CurrentExitTerminate
                                          • String ID:
                                          • API String ID: 1703294689-0
                                          • Opcode ID: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                          • Instruction ID: 6e58600c80f72e94ca833af3256d2da28fe7ef7edb4b61bff2e48710a34f1207
                                          • Opcode Fuzzy Hash: 7c471b5b7a391410b3ce269feae26e49b4a02911a71997b74fd7744fcc246e6d
                                          • Instruction Fuzzy Hash: 65E08C31004648BFDF016F14EE18A893F29EF10346F408475F80A8A632CFB9DE92CB88
                                          APIs
                                          • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150C3,00000000), ref: 0041ACCC
                                          • NtSuspendProcess.NTDLL(00000000), ref: 0041ACD9
                                          • CloseHandle.KERNEL32(00000000,?,?,004150C3,00000000), ref: 0041ACE2
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$CloseHandleOpenSuspend
                                          • String ID:
                                          • API String ID: 1999457699-0
                                          • Opcode ID: 25604720b1c4003eaa4d94084830c6d0564ffd887a8d5c6f711170065f3891c4
                                          • Instruction ID: f0940f0a464cb9da12e036c8bcda16370f3965740af83b573a45ae51f9acba0f
                                          • Opcode Fuzzy Hash: 25604720b1c4003eaa4d94084830c6d0564ffd887a8d5c6f711170065f3891c4
                                          • Instruction Fuzzy Hash: E7D0A733605131638221176A7C0CC87EE6CDFC1EB37024136F404C3220DA30C84186F4
                                          APIs
                                          • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150E8,00000000), ref: 0041ACF8
                                          • NtResumeProcess.NTDLL(00000000), ref: 0041AD05
                                          • CloseHandle.KERNEL32(00000000,?,?,004150E8,00000000), ref: 0041AD0E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$CloseHandleOpenResume
                                          • String ID:
                                          • API String ID: 3614150671-0
                                          • Opcode ID: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
                                          • Instruction ID: b64f47c6af987b25b68fadd97e6a7e629856a7b738c344dffca8a71896aa998e
                                          • Opcode Fuzzy Hash: ac01971c7a5820b8bc970b7b2339e0980474906f6b9316b65cb607f099f400ad
                                          • Instruction Fuzzy Hash: DFD0A733504132638220176A7C0CC87EDADDFC5EB37024236F404C3621DA34C841C6F4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: .
                                          • API String ID: 0-248832578
                                          • Opcode ID: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                                          • Instruction ID: db76f937e81630575b2700384d205b0ac401e8f874fa32e43cac1aabc581782c
                                          • Opcode Fuzzy Hash: 97cc3c3166f0870dddbca3780dbfd7dbd2d9d0e9e098b336076252ce6a3ce59f
                                          • Instruction Fuzzy Hash: CB310471900209AFEB249E79CC84EEB7BBDDB86318F1101AEF91897251E6389D458B64
                                          APIs
                                            • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                            • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                            • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                            • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                          • EnumSystemLocalesW.KERNEL32(00450E6A,00000001,00000000,?,<D,?,00451497,00000000,?,?,?), ref: 00450DB4
                                          Strings
                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                          • String ID: <D
                                          • API String ID: 1084509184-3866323178
                                          • Opcode ID: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
                                          • Instruction ID: b1cdb4a87285138648e71eec5b58018a028c0508cbf90fbfa4a5e64eba390ba2
                                          • Opcode Fuzzy Hash: 99518e0148a584110f8bf4689e731d5402797eff59b4f7bbd4ab81c0230e503e
                                          • Instruction Fuzzy Hash: 9C11293B2007055FDB189F79D8916BAB7A1FF8031AB14442DE94647741D375B846C744
                                          APIs
                                            • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                            • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                            • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                            • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                          • EnumSystemLocalesW.KERNEL32(004510BA,00000001,?,?,<D,?,0045145B,<D,?,?,?,?,?,00443CEC,?,?), ref: 00450E29
                                          Strings
                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                          • String ID: <D
                                          • API String ID: 1084509184-3866323178
                                          • Opcode ID: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
                                          • Instruction ID: d323619e2976bd52c5edaa4f55efd93dda7e8b303aa23e489220a9c0c916f3e4
                                          • Opcode Fuzzy Hash: e0c48b72e2c1269c4cdc51d0e461bd75820cdd7fcb75359b91497d16354a5322
                                          • Instruction Fuzzy Hash: 5BF0223A2003045FDB145F3AD882AAB7B95EF81729B25842EFD058B782D275AC42C644
                                          APIs
                                          • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475EA
                                          Strings
                                          • API ID: InfoLocale
                                          • String ID: GetLocaleInfoEx
                                          • API String ID: 2299586839-2904428671
                                          • Opcode ID: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                          • Instruction ID: 80a81796b135a3e0eaabc3ca7fb48afb6b687e063e78a0117ef0368584b3b56e
                                          • Opcode Fuzzy Hash: 8dab955c83ead38f4190d8cd68b3baa1d28bcda2227728d0cef18aa89ebed625
                                          • Instruction Fuzzy Hash: 82F0F031A44308BBDB11AF61EC06F6E7B25EF04712F00416AFC046A2A2CB359E11969E
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
                                          • Instruction ID: cffdc6bb8eb20f5336ace8b102e865ec7dcfb2cf624fb46ac032ba80a60d6a90
                                          • Opcode Fuzzy Hash: 5fe4b2cb4502993dbea9aed901accaaf97bf6201a09a40e91719f5fde44f0d4f
                                          • Instruction Fuzzy Hash: 8A024C71E002199BEF14CFA9C9806AEBBF1FF88314F25826AD919E7350D735AD45CB84
                                          APIs
                                          • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004520CD,?,?,00000008,?,?,00455412,00000000), ref: 004522FF
                                          • API ID: ExceptionRaise
                                          • String ID:
                                          • API String ID: 3997070919-0
                                          • Opcode ID: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
                                          • Instruction ID: 47108b7899804ebb5d40a9255b8f0d240b678f8396b787326aeb691ef157153f
                                          • Opcode Fuzzy Hash: 10c23660bdf4a559c67b3dd21211c83afc8534fe451efaff8b0d30b37073b707
                                          • Instruction Fuzzy Hash: C0B18F351106089FD715CF28C586B567BE0FF06325F29869AEC99CF3A2C379E986CB44
                                          Strings
                                          • API ID:
                                          • String ID: 0
                                          • API String ID: 0-4108050209
                                          • Opcode ID: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
                                          • Instruction ID: f72c02501a8b687524d4eed2bba9748ce27a8789a4669d3223b659a6f876a8a8
                                          • Opcode Fuzzy Hash: d7e2f1edd223cd44d70c9618c0c5ab444609e4c73f269a0cd31c5ec718f0b721
                                          • Instruction Fuzzy Hash: 8002B3727083004BD714DF39D95272EF3E2AFCC758F15492EF499AB391DA78A8058A4A
                                          APIs
                                            • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                            • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                            • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                            • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                            • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446F1E
                                            • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
                                          • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045110E
                                          • API ID: ErrorLast$_free$InfoLocale_abort
                                          • String ID:
                                          • API String ID: 1663032902-0
                                          • Opcode ID: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                          • Instruction ID: 725ff80feb3504da526bb6f16fdbe645276de1ecdd37ac2f1e7666d8a95350e0
                                          • Opcode Fuzzy Hash: 9286f156abac91c7ed9d9ee6f3e5b08bc3c26a4b89b9db52a82557d4143127a2
                                          • Instruction Fuzzy Hash: 2D21B332500606ABDB249A25DC46B7B73A8EB09316F1041BBFE01C6252EB79DD48CB99
                                          APIs
                                            • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                            • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                            • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                            • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                          • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451088,00000000,00000000,?), ref: 00451316
                                          • API ID: ErrorLast$InfoLocale_abort_free
                                          • String ID:
                                          • API String ID: 2692324296-0
                                          • Opcode ID: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                                          • Instruction ID: 964a9937ac5a020d26487979adcc3deadbef587b10f76395f6381cc8137ce6dd
                                          • Opcode Fuzzy Hash: b6b1206c8d774c000a1b4b507e47eef55c4aaf57ff81984432bbf3fd36f42e7a
                                          • Instruction Fuzzy Hash: 10F07D32500111BBEB286A25CC16BFF7758EB00716F15046BEC06A3651FA38FD49C6D4
                                          APIs
                                            • Part of subcall function 00444ACC: EnterCriticalSection.KERNEL32(-00471558,?,0044225B,00000000,0046DAC0,0000000C,00442216,0000000A,?,?,00448739,0000000A,?,00446F74,00000001,00000364), ref: 00444ADB
                                          • EnumSystemLocalesW.KERNEL32(00447068,00000001,0046DC48,0000000C), ref: 004470E6
                                          • API ID: CriticalEnterEnumLocalesSectionSystem
                                          • String ID:
                                          • API String ID: 1272433827-0
                                          • Opcode ID: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
                                          • Instruction ID: 877f7ae5c491a2fbf36f534f7b8138893028b6a81f24f5c3744eb9f6a7677366
                                          • Opcode Fuzzy Hash: 294c88a1965c44704c377604ff0a5917817e93c6b6b84f866ad5a3c5a2dedf6a
                                          • Instruction Fuzzy Hash: F6F04932A10200EFEB04EF68E806B4D77B0EB44725F10816AF414DB2E2DB7889818B49
                                          APIs
                                            • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                            • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                            • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                            • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                          • EnumSystemLocalesW.KERNEL32(00450C4E,00000001,?,?,?,004514B9,<D,?,?,?,?,?,00443CEC,?,?,?), ref: 00450D2E
                                          • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                          • String ID:
                                          • API String ID: 1084509184-0
                                          • Opcode ID: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
                                          • Instruction ID: ec648f77c102ae861fabd43d141f98194b25f4d0b1f390d0839222eb7000fb0b
                                          • Opcode Fuzzy Hash: 8c2bccbfd0fc102635c006ca31f830fd57f68f19690e6c985b1f52cdbb333b18
                                          • Instruction Fuzzy Hash: CBF05C3D30020557CB159F35D81576B7F94EFC2711B07405AFE098B381C239D846C754
                                          APIs
                                          • SetUnhandledExceptionFilter.KERNEL32(Function_00033CE3,004339B1), ref: 00433CDC
                                          • API ID: ExceptionFilterUnhandled
                                          • String ID:
                                          • API String ID: 3192549508-0
                                          • Opcode ID: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
                                          • Instruction ID: 83953e3dca8a62111c248ad4478ddd9c1373f985a30770e5fc8846644fe13ce9
                                          • Opcode Fuzzy Hash: 3670727f3e8651977646328ecd403d2a1b3c6ba49dd5bfb528ab2007e995f695
                                          • Instruction Fuzzy Hash:
                                          Strings
                                          • API ID:
                                          • String ID: BG3i@
                                          • API String ID: 0-2407888476
                                          • Opcode ID: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
                                          • Instruction ID: a817909710d0090f483bb13cdd1d1ee80d6dfae79024daed79820ace932836b2
                                          • Opcode Fuzzy Hash: da6bc0b681a35a8a8cd82b5b62752965acc1f5aabf11132faead2372da36057a
                                          • Instruction Fuzzy Hash: E361777160070966DA385A2858D6BBF6396EB0DB04F10391BE943FF3C1D61DAD43874E
                                          Strings
                                          • API ID:
                                          • String ID: 0
                                          • API String ID: 0-4108050209
                                          • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                          • Instruction ID: e47b97b21f836cd03f295ee90de6feb37cae4df0254a032430ab3cefd666e269
                                          • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                                          • Instruction Fuzzy Hash: C851AC3160070457DF388A6985DA7BF6B959B0E700F18352FE48AFB382C60DED02979E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: @
                                          • API String ID: 0-2766056989
                                          • Opcode ID: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                                          • Instruction ID: 4dd25ef8aece06dcbd44762d080e1d81d96ea4c89eb3931c7e752ffea448aa68
                                          • Opcode Fuzzy Hash: 277f5b14ebfb31d9acdfcb19b599133ffeee57438103c682c3dacb2c81b16d7f
                                          • Instruction Fuzzy Hash: 99417576A083158FC314CE29D18021BFBE1FBC8300F568A2EF99693350D679E980CB86
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: >G
                                          • API String ID: 0-1296849874
                                          • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                          • Instruction ID: d77b428d8deff70f46db9a150fef47e19855adfe796a652afc1ecdf390514463
                                          • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                                          • Instruction Fuzzy Hash: D1110BF724C18143EE74862DD8B46B7A795EACE320F2C636BD0C14B758D52A99459908
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: HeapProcess
                                          • String ID:
                                          • API String ID: 54951025-0
                                          • Opcode ID: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                                          • Instruction ID: 9504a653bcf427532d5064532c05f1d04939bb5561e35e6535c2a7eba45b7a60
                                          • Opcode Fuzzy Hash: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                                          • Instruction Fuzzy Hash: 84A00270506201CB57404F756F0525937D9654559170580755409C5571D62585905615
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: b5ca945c73f96586680b794a2cfc8b55e8f7bc2f58380cec5295694457d85c5e
                                          • Instruction ID: 1fbb2d6a6e610910e1865e113166bba559d0ad1400e2c5ed2b94208389d41108
                                          • Opcode Fuzzy Hash: b5ca945c73f96586680b794a2cfc8b55e8f7bc2f58380cec5295694457d85c5e
                                          • Instruction Fuzzy Hash: 4E323621D2AF014DE7639634C862336A649AFB73C5F19D737F81AB5AA6EB2CC4C34105
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: f36ab663cb4d239ef1e0a5f108238eabc662f1d3d061ede5d5b4150ec9228ddd
                                          • Instruction ID: 2a34495ee4f42e5442afe8381c33b9994a027dd0bc8bc0cc3fe6fc4803c66e78
                                          • Opcode Fuzzy Hash: f36ab663cb4d239ef1e0a5f108238eabc662f1d3d061ede5d5b4150ec9228ddd
                                          • Instruction Fuzzy Hash: 9732C1796087469BD714DF2AC4807ABB7E1BF84304F444A2EFC958B381D778DD858B8A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 51f8d9063bc82676a5307432183369734bf664b3393a643c02daa012ce37ec01
                                          • Instruction ID: 022d1978040d43b7ea9bbfc0a41ffb8b00617051ae00cac38c3f572af68edcce
                                          • Opcode Fuzzy Hash: 51f8d9063bc82676a5307432183369734bf664b3393a643c02daa012ce37ec01
                                          • Instruction Fuzzy Hash: 0D028F717046518FD318CF2EE880536B7E1AF8E301B46863EE585C7395EB74E922CB95
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 74e588301cf54894560b91a60f0e3518b6bdc06a9ff6f3e52f80e31c4ce3b340
                                          • Instruction ID: dd4ce2a6fae4266494c2f053a510589cf36d02151b1693af83bcfdcd1697f2cb
                                          • Opcode Fuzzy Hash: 74e588301cf54894560b91a60f0e3518b6bdc06a9ff6f3e52f80e31c4ce3b340
                                          • Instruction Fuzzy Hash: 55F13B716142548FC314DF1DE89187BB3E0EB8A301B460A2EF5C2D7392DB78E91ADB56
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 7363a9fedaeb76f2bf31ad894624b0994c444190ff40f401d8ef5418a52334f3
                                          • Instruction ID: a134442df30985c3d9ded0ed06b90328dea8838589cb671b1bd0994677c35241
                                          • Opcode Fuzzy Hash: 7363a9fedaeb76f2bf31ad894624b0994c444190ff40f401d8ef5418a52334f3
                                          • Instruction Fuzzy Hash: 60D1A171A083158BC721DE29C88096FB7E4FFD8354F446A2EF88597361EB38DD058B86
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e7326b31f45d4e50c8c50174bee11f9882207dfed74e31d12f4697374e1987de
                                          • Instruction ID: 86422b113df266cbb8d28aa4d41e6099a1760efb4c6ea83322c03ecd969c618c
                                          • Opcode Fuzzy Hash: e7326b31f45d4e50c8c50174bee11f9882207dfed74e31d12f4697374e1987de
                                          • Instruction Fuzzy Hash: 46B1817951429A8ACB05EF28C4913F63BA1EF6A300F4851B9EC9CCF757D3399506EB24
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                          • Instruction ID: c2ccfb52f11e3b3b259396a7657262a28929e77abe156aeb413db61674ad6f9a
                                          • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                          • Instruction Fuzzy Hash: EB91C8722080A319DB2D463E847403FFFE19A563A1B1BA79FD4F2CB2C5EE18D564D624
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                          • Instruction ID: 4bc7a19b78b3923bd294324807b23a5e70e392b11aa895e474023c0768c286cc
                                          • Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                          • Instruction Fuzzy Hash: 1C91B6762080A35ADB2D463AC43403FFFE15A563A1B1B979FD4F2CB2C5EE18C568D624
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                          • Instruction ID: 8cd81e8b6c8cb135a2d00aee0b4681899237c427d703fcd1ed6b13232f465ad6
                                          • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                          • Instruction Fuzzy Hash: 439195722090A35ADB2D463D843403FFFE15E5A3A1B1B979FD4F2CB2C5EE28C5649624
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                          • Instruction ID: 3f92c48b0efc6548e9d2ace3e3fdbc0fca8b075b553eb95927f683fa27391a83
                                          • Opcode Fuzzy Hash: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                          • Instruction Fuzzy Hash: A4613471E0070867DE385928B896BBF23A8AB0D708F24755BE942DB381D65DDD43C24E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                          • Instruction ID: b40c52ae0115b4061fe2d1036eda9829452ee7622c5651f608d151b30f65a328
                                          • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                          • Instruction Fuzzy Hash: B081C4722090A319DB2D463E843403FFFE15A563A5B1BA7AFD4F2CB2C5EE18C5649624
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                          • Instruction ID: 61f6cd4e2a94a36a6652522188f48ed2bcd63c305fdb574287b7df62abf21a4e
                                          • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                          • Instruction Fuzzy Hash: BB51677170460D9BDB34E96894E77BFA3899B0E344F18350BD882B7382D60CED02939E
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 6f0963373f33ef73dbd289fc78ad1b7818d684b7f305e862658b304cf2148f24
                                          • Instruction ID: 42e819d74c2f676ea4fb49a2469d6a41ac5eaf2d1859dcf64078451750f97267
                                          • Opcode Fuzzy Hash: 6f0963373f33ef73dbd289fc78ad1b7818d684b7f305e862658b304cf2148f24
                                          • Instruction Fuzzy Hash: 49614E32A083119FC308DF35E581A5BB7E5FFDC718F550E1EF48996151E674EA088B8A
                                          APIs
                                          • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FB9
                                          • CreateCompatibleDC.GDI32(00000000), ref: 00417FC4
                                            • Part of subcall function 00418452: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418482
                                          • CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418045
                                          • DeleteDC.GDI32(?), ref: 0041805D
                                          • DeleteDC.GDI32(00000000), ref: 00418060
                                          • SelectObject.GDI32(00000000,00000000), ref: 0041806B
                                          • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 00418093
                                          • GetCursorInfo.USER32(?), ref: 004180B5
                                          • GetIconInfo.USER32(?,?), ref: 004180CB
                                          • DeleteObject.GDI32(?), ref: 004180FA
                                          • DeleteObject.GDI32(?), ref: 00418107
                                          • DrawIcon.USER32(00000000,?,?,?), ref: 00418114
                                          • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418144
                                          • GetObjectA.GDI32(?,00000018,?), ref: 00418173
                                          • LocalAlloc.KERNEL32(00000040,00000028), ref: 004181BC
                                          • LocalAlloc.KERNEL32(00000040,00000001), ref: 004181DF
                                          • GlobalAlloc.KERNEL32(00000000,?), ref: 00418248
                                          • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041826B
                                          • DeleteDC.GDI32(?), ref: 0041827F
                                          • DeleteDC.GDI32(00000000), ref: 00418282
                                          • DeleteObject.GDI32(00000000), ref: 00418285
                                          • GlobalFree.KERNEL32(00CC0020), ref: 00418290
                                          • DeleteObject.GDI32(00000000), ref: 00418344
                                          • GlobalFree.KERNEL32(?), ref: 0041834B
                                          • DeleteDC.GDI32(?), ref: 0041835B
                                          • DeleteDC.GDI32(00000000), ref: 00418366
                                          • DeleteDC.GDI32(?), ref: 00418398
                                          • DeleteDC.GDI32(00000000), ref: 0041839B
                                          • DeleteObject.GDI32(?), ref: 004183A1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconInfoLocal$BitmapBitsCursorDisplayDrawEnumSelectSettingsStretch
                                          • String ID: DISPLAY
                                          • API String ID: 1352755160-865373369
                                          • Opcode ID: 1713e221986eac5e09055e201b2983f957a8c2628f8d93144efb6ff1e3dc8593
                                          • Instruction ID: f05cd178694609e891ba83f5bdf02bb76ea447df34f4969275af8919d08089d1
                                          • Opcode Fuzzy Hash: 1713e221986eac5e09055e201b2983f957a8c2628f8d93144efb6ff1e3dc8593
                                          • Instruction Fuzzy Hash: 12C17C31508345AFD3209F25DC44BABBBE9FF88751F04082EF989932A1DB34E945CB5A
                                          APIs
                                          • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
                                          • GetProcAddress.KERNEL32(00000000), ref: 0041728F
                                          • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
                                          • GetProcAddress.KERNEL32(00000000), ref: 004172A3
                                          • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
                                          • GetProcAddress.KERNEL32(00000000), ref: 004172B7
                                          • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
                                          • GetProcAddress.KERNEL32(00000000), ref: 004172CB
                                          • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
                                          • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
                                          • GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
                                          • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
                                          • TerminateProcess.KERNEL32(?,00000000), ref: 00417454
                                          • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
                                          • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
                                          • SetThreadContext.KERNEL32(?,00000000), ref: 00417575
                                          • ResumeThread.KERNEL32(?), ref: 00417582
                                          • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
                                          • GetCurrentProcess.KERNEL32(?), ref: 004175A5
                                          • TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
                                          • GetLastError.KERNEL32 ref: 004175C7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                          • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                          • API String ID: 4188446516-3035715614
                                          • Opcode ID: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
                                          • Instruction ID: f03761d26bac9a2bfb1ad98f85ac7da09ef0bd98ba300517d6d91d37beebd467
                                          • Opcode Fuzzy Hash: 42c1c999d1834e7e824fdbb4d1330a48ff0e689257c4ebc4fb7692fa9ae4ea32
                                          • Instruction Fuzzy Hash: EEA17C71508304AFD7209F65DC45B6B7BF9FF48345F00082AF689C2661E775E984CB6A
                                          APIs
                                          • CreateMutexA.KERNEL32(00000000,00000001,00000000, W,?,00000000), ref: 004112D4
                                          • ExitProcess.KERNEL32 ref: 0041151D
                                            • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000, W), ref: 00412679
                                            • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                            • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                            • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                          • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
                                          • OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
                                          • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382
                                            • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                            • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                            • Part of subcall function 004127D5: RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                          • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
                                          • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
                                          • GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
                                          • lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
                                            • Part of subcall function 0041B58F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040A009,?,00000000,00000000), ref: 0041B5EB
                                            • Part of subcall function 0041B58F: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A009,?,00000000,00000000), ref: 0041B5FF
                                            • Part of subcall function 0041B58F: CloseHandle.KERNEL32(00000000,?,0040A009,?,00000000,00000000), ref: 0041B60C
                                          • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
                                          • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
                                          • OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
                                          • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
                                          • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1
                                            • Part of subcall function 0041B58F: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6A5,00000000,00000000,?), ref: 0041B5CE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                                          • String ID: W$.exe$0DG$@CG$T@$WDH$exepath$open$temp_
                                          • API String ID: 4250697656-1177513828
                                          • Opcode ID: a9c2a87f9ee9c69a41b24408484deaf51afa781d98e0db61e01abaa28f191d2a
                                          • Instruction ID: b1cd6038c3dd2fca16f1d1fb39a824579eeb1b45f376adef666059b0b2e54ae4
                                          • Opcode Fuzzy Hash: a9c2a87f9ee9c69a41b24408484deaf51afa781d98e0db61e01abaa28f191d2a
                                          • Instruction Fuzzy Hash: D751B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D
                                          APIs
                                            • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                            • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040C38B
                                          • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C39E
                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040C3B7
                                          • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040C3E7
                                            • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_000099A9,00000000, W,pth_unenc,0040BF26,004742E0, W,?,pth_unenc), ref: 0040AFC9
                                            • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                            • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
                                            • Part of subcall function 0041B58F: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6A5,00000000,00000000,?), ref: 0041B5CE
                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C632
                                          • ExitProcess.KERNEL32 ref: 0040C63E
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                          • String ID: W$""", 0$")$@CG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                          • API String ID: 1861856835-3062302092
                                          • Opcode ID: 0084137e0cf4c87855722601cfbf1a3198e8c736f4845412eba00602d73caec5
                                          • Instruction ID: c8b5e11b4abf5c95f8ab28b2bb359051ef64700817c412cd349ec45860bdb676
                                          • Opcode Fuzzy Hash: 0084137e0cf4c87855722601cfbf1a3198e8c736f4845412eba00602d73caec5
                                          • Instruction Fuzzy Hash: EB9175316042005AC314FB25D852ABF7799AF91718F10453FF98A631E2EF7CAD49C69E
                                          APIs
                                            • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                            • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?, W,?,pth_unenc), ref: 0040C013
                                          • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
                                          • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?, W,?,pth_unenc), ref: 0040C056
                                          • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?, W,?,pth_unenc), ref: 0040C065
                                            • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_000099A9,00000000, W,pth_unenc,0040BF26,004742E0, W,?,pth_unenc), ref: 0040AFC9
                                            • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                            • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
                                            • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?, W), ref: 0041AB5F
                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
                                          • ExitProcess.KERNEL32 ref: 0040C287
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                          • String ID: W$")$.vbs$@CG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                          • API String ID: 3797177996-4225068533
                                          • Opcode ID: 8eaf99752597ea1a4d10927b3751fb5e27277ddc3ade82d131f2180467ece9db
                                          • Instruction ID: 1063ce1f4075510d90626cdc8b34ac690c3cf2dc76fa2c9c3337a4c1feab76e8
                                          • Opcode Fuzzy Hash: 8eaf99752597ea1a4d10927b3751fb5e27277ddc3ade82d131f2180467ece9db
                                          • Instruction Fuzzy Hash: B78191316042005BC315FB21D862ABF77A9ABD1308F10453FF586A71E2EF7CAD49869E
                                          APIs
                                          • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2B2
                                          • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2C6
                                          • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2EE
                                          • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A2FF
                                          • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A340
                                          • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A358
                                          • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A36D
                                          • SetEvent.KERNEL32 ref: 0041A38A
                                          • WaitForSingleObject.KERNEL32(000001F4), ref: 0041A39B
                                          • CloseHandle.KERNEL32 ref: 0041A3AB
                                          • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3CD
                                          • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3D7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                          • String ID: alias audio$" type $TUF$close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
                                          • API String ID: 738084811-2745919808
                                          • Opcode ID: bedb79d6b777c24a058fb07aaadb0652bc7d041f343cfefae731751c07e31b37
                                          • Instruction ID: 9d48d6c6e0579c1e833a8367b0d02802659df9f73890df0c3e8ff2b6504ede8e
                                          • Opcode Fuzzy Hash: bedb79d6b777c24a058fb07aaadb0652bc7d041f343cfefae731751c07e31b37
                                          • Instruction Fuzzy Hash: 9A51C2712443056AD214BB31DC82EBF3B5CEB91758F10043FF455A21E2EE389D9986AF
                                          APIs
                                          • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                          • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
                                          • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
                                          • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
                                          • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
                                          • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
                                          • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
                                          • WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
                                          • WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
                                          • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
                                          • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
                                          • WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
                                          • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
                                          • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$Write$Create
                                          • String ID: RIFF$WAVE$data$fmt
                                          • API String ID: 1602526932-4212202414
                                          • Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                          • Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
                                          • Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                          • Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3
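The WriteFile sequence in the function above (write sizes 4,4,4,4,4,2,2,4,4,2,2,4,4 bytes, with the literals RIFF, WAVE, "fmt " and data) is the canonical 44-byte PCM WAV header, consistent with the sample saving recorded audio to disk. The Python below is an added example, not code from the report or from the sample: it builds that header in the same field order and parses and cross-checks one, so a responder can recognise and size WAV artifacts found on a host. Reading the three global addresses 00471B02, 00471B04 and 00471B0E as the nChannels, nSamplesPerSec and wBitsPerSample fields of a WAVEFORMATEX structure is an inference from the write sizes and offsets, not something the report states.

```python
import struct

WAV_HEADER_LEN = 44  # RIFF chunk header + 16-byte fmt chunk + data chunk header


def build_wav_header(sample_rate, channels, bits_per_sample, data_len, format_tag=1):
    """Return the 44-byte header for a PCM payload of data_len bytes.

    Fields are emitted in the same order and sizes as the WriteFile calls above:
    4,4,4 (RIFF/size/WAVE), 4,4 ("fmt "/16), 2,2,4,4,2,2 (WAVEFORMATEX fields),
    4,4 (data/size). The WAVEFORMATEX field naming is an assumption.
    """
    block_align = channels * bits_per_sample // 8
    byte_rate = sample_rate * block_align
    return (
        b"RIFF" + struct.pack("<I", 36 + data_len) + b"WAVE"
        + b"fmt " + struct.pack("<I", 16)
        + struct.pack("<HH", format_tag, channels)           # wFormatTag, nChannels
        + struct.pack("<II", sample_rate, byte_rate)         # nSamplesPerSec, nAvgBytesPerSec
        + struct.pack("<HH", block_align, bits_per_sample)   # nBlockAlign, wBitsPerSample
        + b"data" + struct.pack("<I", data_len)
    )


def parse_wav_header(buf):
    """Parse and cross-check a canonical header; raise ValueError if inconsistent."""
    if len(buf) < WAV_HEADER_LEN:
        raise ValueError("buffer shorter than a WAV header")
    riff, riff_size, wave = struct.unpack_from("<4sI4s", buf, 0)
    if riff != b"RIFF" or wave != b"WAVE":
        raise ValueError("not a RIFF/WAVE stream")
    (fmt_id, fmt_size, format_tag, channels, sample_rate,
     byte_rate, block_align, bits) = struct.unpack_from("<4sIHHIIHH", buf, 12)
    if fmt_id != b"fmt " or fmt_size != 16:
        raise ValueError("fmt chunk missing or not the 16-byte PCM form")
    data_id, data_len = struct.unpack_from("<4sI", buf, 36)
    if data_id != b"data":
        raise ValueError("data chunk not at offset 36")
    # Cross-field checks catch truncated or hand-patched headers.
    if channels == 0 or bits % 8 or block_align != channels * bits // 8:
        raise ValueError("nBlockAlign inconsistent with nChannels/wBitsPerSample")
    if sample_rate == 0 or byte_rate != sample_rate * block_align:
        raise ValueError("nAvgBytesPerSec inconsistent with nSamplesPerSec")
    if riff_size != 36 + data_len:
        raise ValueError("RIFF size does not match data chunk size")
    return {
        "format_tag": format_tag,
        "channels": channels,
        "sample_rate": sample_rate,
        "bits_per_sample": bits,
        "data_len": data_len,
        "seconds": data_len / byte_rate,
    }


def is_wav(buf):
    """True if buf starts with a self-consistent canonical WAV header."""
    try:
        parse_wav_header(buf)
        return True
    except ValueError:
        return False
```

When triaging a host, run is_wav over files in the directories the sample writes to rather than trusting extensions; a file whose RIFF size disagrees with its data chunk was either still being written when the process died or has been tampered with.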
                                          APIs
                                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe,00000001,004068B2,C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
                                          • GetProcAddress.KERNEL32(00000000), ref: 004064FD
                                          • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
                                          • GetProcAddress.KERNEL32(00000000), ref: 00406511
                                          • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
                                          • GetProcAddress.KERNEL32(00000000), ref: 00406525
                                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
                                          • GetProcAddress.KERNEL32(00000000), ref: 00406539
                                          • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
                                          • GetProcAddress.KERNEL32(00000000), ref: 0040654D
                                          • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
                                          • GetProcAddress.KERNEL32(00000000), ref: 00406561
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressHandleModuleProc
                                          • String ID: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                          • API String ID: 1646373207-4109731517
                                          • Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                          • Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
                                          • Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                          • Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D
                                          APIs
                                          • _wcslen.LIBCMT ref: 0040BC75
                                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
                                          • CopyFileW.KERNEL32(C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
                                          • _wcslen.LIBCMT ref: 0040BD54
                                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
                                          • CopyFileW.KERNEL32(C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe,00000000,00000000), ref: 0040BDF2
                                          • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
                                          • _wcslen.LIBCMT ref: 0040BE34
                                          • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
                                          • ExitProcess.KERNEL32 ref: 0040BED0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                          • String ID: W$6$C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe$del$open$BG$BG
                                          • API String ID: 1579085052-3672444161
                                          • Opcode ID: 3074b94dd0db5ede3fe92545a612de18a9a35f6e419f75cb91ba7ed246302fb8
                                          • Instruction ID: b3868b96a5a73c1b880f625a38b4c220dd420420d05b0a2cc1e840e3cd02b35d
                                          • Opcode Fuzzy Hash: 3074b94dd0db5ede3fe92545a612de18a9a35f6e419f75cb91ba7ed246302fb8
                                          • Instruction Fuzzy Hash: D251B0212043406BD609B722EC52EBF77999F81719F10443FF985A66E2DF3CAD4582EE
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$EnvironmentVariable$_wcschr
                                          • String ID: X%W
                                          • API String ID: 3899193279-2148709034
                                          • Opcode ID: 6267e3def292f84dd9e33adbac7387806370fb3e846e7c9bec72720c454fd2de
                                          • Instruction ID: 8ac3cd9939a067627e1c481289c57a7f9f94b657261427fab31af25724b0c78e
                                          • Opcode Fuzzy Hash: 6267e3def292f84dd9e33adbac7387806370fb3e846e7c9bec72720c454fd2de
                                          • Instruction Fuzzy Hash: 96D13C719007007FFB25AF7B9881A6F7BA4BF02314F0541AFF905A7381E63989418B9D
                                          APIs
                                          • lstrlenW.KERNEL32(?), ref: 0041B1D6
                                          • _memcmp.LIBVCRUNTIME ref: 0041B1EE
                                          • lstrlenW.KERNEL32(?), ref: 0041B207
                                          • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B242
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B255
                                          • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B299
                                          • lstrcmpW.KERNEL32(?,?), ref: 0041B2B4
                                          • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2CC
                                          • _wcslen.LIBCMT ref: 0041B2DB
                                          • FindVolumeClose.KERNEL32(?), ref: 0041B2FB
                                          • GetLastError.KERNEL32 ref: 0041B313
                                          • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B340
                                          • lstrcatW.KERNEL32(?,?), ref: 0041B359
                                          • lstrcpyW.KERNEL32(?,?), ref: 0041B368
                                          • GetLastError.KERNEL32 ref: 0041B370
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                          • String ID: ?
                                          • API String ID: 3941738427-1684325040
                                          • Opcode ID: 17f0383a2199e65fad79c02efdfd6f833a281a6f5bd6be27e9a359bd3f4b92bf
                                          • Instruction ID: 2e0df54dd889987763cd5022c3700ac4418931210c184d5857636408485aa128
                                          • Opcode Fuzzy Hash: 17f0383a2199e65fad79c02efdfd6f833a281a6f5bd6be27e9a359bd3f4b92bf
                                          • Instruction Fuzzy Hash: 8B416F71508305AAD7209FA1EC8C9EBB7E8EB49715F00096BF541C2261EB78C98887D6
                                          APIs
                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
                                            • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?, W), ref: 0041AB5F
                                            • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                            • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                          • Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
                                          • Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
                                          • Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
                                          • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
                                          • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
                                          • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
                                          • Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
                                          • Sleep.KERNEL32(00000064), ref: 00412060
                                            • Part of subcall function 00404468: send.WS2_32(00000304,00000000,00000000,00000000), ref: 004044FD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                          • String ID: /stext "$HDG$HDG$>G$>G
                                          • API String ID: 1223786279-3931108886
                                          • Opcode ID: 244db93aa1da19b7a039dbc034faf8c6a001f6843826ea2c079329fcbee235f9
                                          • Instruction ID: 1febf249a593eb43810efab42e14b6693ac358e03ba90545e56d33427da79e18
                                          • Opcode Fuzzy Hash: 244db93aa1da19b7a039dbc034faf8c6a001f6843826ea2c079329fcbee235f9
                                          • Instruction Fuzzy Hash: 960243315083414AC325FB61D891AEFB7D5AFD4308F50493FF88A931E2EF785A49C69A
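The function above resolves its own module path, builds a command line ending in /stext ", sleeps in short loops, sends data over a socket (subcall 00404468) and then deletes three files. /stext is the switch NirSoft's command-line password-recovery utilities use to save their output as a text file; the report does not name the tool, so that attribution is an inference from the string. The Python below is an added example, not code from the report or the sample: it runs over constructed process-creation events shaped like Sysmon Event ID 1 fields and returns each invocation of /stext that carries an output path, flagging images launched from user-writable directories. The field names, sample events and the user-writable heuristic are assumptions made for the example.

```python
import re

# Constructed sample process-creation events (Sysmon Event ID 1 field names);
# none of these come from the report.
SAMPLE_EVENTS = [
    {   # tool run from a user temp dir, output saved with /stext
        "Image": r"C:\Users\user\AppData\Local\Temp\abc.exe",
        "ParentImage": r"C:\Users\user\AppData\Roaming\host\host.exe",
        "CommandLine": r'"C:\Users\user\AppData\Local\Temp\abc.exe" /stext "C:\Users\user\AppData\Local\Temp\out.txt"',
    },
    {   # /stext appears as echo data with no output path: not a dump invocation
        "Image": r"C:\Windows\System32\cmd.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r"cmd.exe /c echo /stext",
    },
    {   # unrelated switches that merely look similar
        "Image": r"C:\Program Files\Vendor\tool.exe",
        "ParentImage": r"C:\Windows\explorer.exe",
        "CommandLine": r'"C:\Program Files\Vendor\tool.exe" /s /text report.txt',
    },
]

# /stext must be a standalone switch followed by an output path (quoted or bare).
STEXT_RE = re.compile(r'(?:^|\s)/stext\s+(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))', re.I)
# Heuristic (assumption): images launched from these locations deserve a closer look.
USER_WRITABLE_RE = re.compile(r"\\(?:Users\\[^\\]+\\AppData|ProgramData|Windows\\Temp)\\", re.I)


def find_stext_dumps(events):
    """Return one finding per event whose command line saves tool output via /stext."""
    findings = []
    for ev in events:
        m = STEXT_RE.search(ev.get("CommandLine", ""))
        if not m:
            continue
        image = ev.get("Image", "")
        findings.append({
            "image": image,
            "parent": ev.get("ParentImage", ""),
            "output_path": m.group("quoted") or m.group("bare"),
            "image_in_user_writable_dir": bool(USER_WRITABLE_RE.search(image)),
        })
    return findings
```

Because the sample deletes the output files shortly after reading them (the three DeleteFileW calls above), the process-creation record is usually the only durable trace; the output_path in each finding tells you which file to look for in journal or shadow-copy data.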
                                          APIs
                                          • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CAE9
                                          • GetCursorPos.USER32(?), ref: 0041CAF8
                                          • SetForegroundWindow.USER32(?), ref: 0041CB01
                                          • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB1B
                                          • Shell_NotifyIconA.SHELL32(00000002,00473B50), ref: 0041CB6C
                                          • ExitProcess.KERNEL32 ref: 0041CB74
                                          • CreatePopupMenu.USER32 ref: 0041CB7A
                                          • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB8F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                          • String ID: Close
                                          • API String ID: 1657328048-3535843008
                                          • Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                          • Instruction ID: a66ed96c0d91d71762f770de87d5f41dd37c70c4e97b210e23d221b2b7ccacbc
                                          • Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                          • Instruction Fuzzy Hash: 68212B71188209FFDB064F64FD4EAAA3F65EB04342F044135B906D40B2D7B9EA90EB18
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$Info
                                          • String ID:
                                          • API String ID: 2509303402-0
                                          • Opcode ID: 92603ff5876a01059927d2e021ea2dcfde124e6bc6800bb968541682ce1897e5
                                          • Instruction ID: 0af7f9009007d8880989bd470fdb3e4a62bb8e65dbd2af1b74ff5c8893cb1db7
                                          • Opcode Fuzzy Hash: 92603ff5876a01059927d2e021ea2dcfde124e6bc6800bb968541682ce1897e5
                                          • Instruction Fuzzy Hash: D0B18F71900605AFEF11DFA9C881BEEBBF4BF49304F14406EF855B7242DA79A8458B64
                                          APIs
                                          • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
                                          • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
                                          • __aulldiv.LIBCMT ref: 00407FE9
                                          • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
                                          • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
                                          • CloseHandle.KERNEL32(00000000), ref: 00408200
                                          • CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
                                          • CloseHandle.KERNEL32(00000000), ref: 00408256
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                                          • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
                                          • API String ID: 1884690901-3066803209
                                          • Opcode ID: 501f13347773ca8328b3059530cc4ad15e8023a44e4b73c6fbf9ab171f8d0e31
                                          • Instruction ID: 222450ca6543349723abdfa1177da379b39b5876d7444fbb960ea0ab75079841
                                          • Opcode Fuzzy Hash: 501f13347773ca8328b3059530cc4ad15e8023a44e4b73c6fbf9ab171f8d0e31
                                          • Instruction Fuzzy Hash: DAB191316083409BC214FB25C892AAFB7E5AFD4314F40492EF885632D2EF789945C79B
                                          APIs
                                            • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                            • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                            • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000, W), ref: 00412679
                                            • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                            • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
                                          • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
                                          • ExitProcess.KERNEL32 ref: 0040C832
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                          • String ID: W$""", 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                          • API String ID: 1913171305-2708977790
                                          • Opcode ID: 508d0871e15571b78838a5b212a0624c53e744e3e86450f5b9076bd3877095ab
                                          • Instruction ID: a795a6540db69397e2c5d2b70f340dd787df27bacd58b350937fb1c0aad7b7c4
                                          • Opcode Fuzzy Hash: 508d0871e15571b78838a5b212a0624c53e744e3e86450f5b9076bd3877095ab
                                          • Instruction Fuzzy Hash: A2416D329001185ACB14F762DC56DFE7779AF50718F50417FF906B30E2EE386A8ACA99
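The strings in this function (the Run "cmd /c "" prefix, the """, 0 suffix, Temp, .vbs, exepath and CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)) are the pieces of a VBScript the sample writes and launches through ShellExecuteW before calling ExitProcess: the script runs a command through a hidden cmd.exe (WshShell.Run window style 0) and then deletes itself by its own path. The Python below is an added example, not code from the report or the sample. It scans script text for those idioms together and classifies it, which is a more robust hunt than matching any one of the strings alone. The two sample scripts are constructed for the test; the command the sample places inside the cmd /c wrapper is not visible in the report and is not reproduced.

```python
import re

# Constructed sample scripts for the test; the real dropped script's command is
# not visible in the report, so a harmless echo stands in for it.
SAMPLE_LAUNCHER = (
    'CreateObject("WScript.Shell").Run "cmd /c ""echo test""", 0\r\n'
    'CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)\r\n'
)
SAMPLE_BENIGN = (
    'Set fso = CreateObject("Scripting.FileSystemObject")\r\n'
    'fso.CopyFile "a.txt", "b.txt"\r\n'
    'WScript.Echo "done"\r\n'
)

INDICATORS = {
    # WshShell.Run used to spawn a process from the script
    "wscript_shell_run": re.compile(
        r'CreateObject\(\s*"WScript\.Shell"\s*\)\s*\.\s*Run\b', re.I),
    # the command is wrapped in cmd /c "..." using VBScript's doubled quotes
    "cmd_c_wrapper": re.compile(r'"cmd\s+/c\s+""', re.I),
    # second Run argument 0 = hidden window
    "hidden_window": re.compile(r'\.Run\s+.*?,\s*0\s*(?:,|$)', re.I | re.M),
    # FSO deleting the running script by its own full path
    "self_delete": re.compile(
        r'CreateObject\(\s*"Scripting\.FileSystemObject"\s*\)\s*\.\s*DeleteFile\s*\(\s*W?Script\.ScriptFullName\s*\)',
        re.I),
}


def classify_vbs(text):
    """Return (verdict, sorted indicator names) for one script's text."""
    hits = sorted(name for name, rx in INDICATORS.items() if rx.search(text))
    if "wscript_shell_run" in hits and "self_delete" in hits:
        verdict = "self_deleting_launcher"
    elif hits:
        verdict = "partial"
    else:
        verdict = "clean"
    return verdict, hits
```

Because the script removes itself, it rarely survives on disk; apply classify_vbs to script-block logging, AMSI or EDR command-line captures rather than to a file listing, and treat a "partial" verdict on the self_delete indicator alone as worth a manual look.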
                                          APIs
                                          • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                          • LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                          • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                          • FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                          • LoadLibraryA.KERNEL32(?), ref: 00413F27
                                          • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                          • FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                          • GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                          • FreeLibrary.KERNEL32(00000000), ref: 00413F66
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Similarity
                                          • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                          • String ID: \ws2_32$\wship6$getaddrinfo
                                          • API String ID: 2490988753-3078833738
                                          • Opcode ID: ba6e91efba9758633ea9bec27d31a254a4df24d425156724d9bfa6bc4db7eb59
                                          • Instruction ID: a4547f3d416e9253f7b1cbdd0907a67efdadb69b2b53743d1710677937ed8fa2
                                          • Instruction Fuzzy Hash: 6D31C4B1906315A7D320AF25DC44ACBB7ECEF44745F400A2AF844D3201D778DA858AEE
                                          APIs
                                          • ___free_lconv_mon.LIBCMT ref: 004500B1
                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F300
                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F312
                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F324
                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F336
                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F348
                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F35A
                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F36C
                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F37E
                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F390
                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3A2
                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3B4
                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3C6
                                            • Part of subcall function 0044F2E3: _free.LIBCMT ref: 0044F3D8
                                          • _free.LIBCMT ref: 004500A6
                                            • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                            • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                          • _free.LIBCMT ref: 004500C8
                                          • _free.LIBCMT ref: 004500DD
                                          • _free.LIBCMT ref: 004500E8
                                          • _free.LIBCMT ref: 0045010A
                                          • _free.LIBCMT ref: 0045011D
                                          • _free.LIBCMT ref: 0045012B
                                          • _free.LIBCMT ref: 00450136
                                          • _free.LIBCMT ref: 0045016E
                                          • _free.LIBCMT ref: 00450175
                                          • _free.LIBCMT ref: 00450192
                                          • _free.LIBCMT ref: 004501AA
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                          • String ID:
                                          • API String ID: 161543041-0
                                          • Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                          • Instruction ID: 6df0fc8d0da410edbfddc8482cd9dc810a80ebbb5b2f86b8c24a0bb33e3d08c7
                                          • Instruction Fuzzy Hash: 96317235500B00AFEB20AA35D845B5B73E5AF42355F15841FF849E7292DF39AC98CB1A
                                          APIs
                                          • __EH_prolog.LIBCMT ref: 0041912D
                                          • GdiplusStartup.GDIPLUS(00473AF0,?,00000000), ref: 0041915F
                                          • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191EB
                                          • Sleep.KERNEL32(000003E8), ref: 0041926D
                                          • GetLocalTime.KERNEL32(?), ref: 0041927C
                                          • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419365
                                          Similarity
                                          • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                          • String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                          • API String ID: 489098229-65789007
                                          • Opcode ID: d035b23978f635d26d413941e86b53147c054b16f8fc180901addfee223a089d
                                          • Instruction ID: b922dce7c629cfc9b1bb11cb74a08c0e3353b39699bf4d86e46594d10c943285
                                          • Instruction Fuzzy Hash: 33519F71A002449ACB14BBB5C856AFE7BA9AB55304F00407FF84AB71D2EF3C5E85C799
                                          Similarity
                                          • API ID: _free
                                          • String ID:
                                          • API String ID: 269201875-0
                                          • Opcode ID: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                          • Instruction ID: 48066223020562dfe8895eb3edc0e70975ef38ab3c96fc6f1fb07286cb8ca08d
                                          • Instruction Fuzzy Hash: 2BC15772D80204BFEB20DBA9CC82FDE77F89B45704F15416AFA04FB282D6749D458B58
                                          APIs
                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                                          • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                                          • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                                          • closesocket.WS2_32(000000FF), ref: 0040481F
                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404856
                                          • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404867
                                          • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040486E
                                          • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404880
                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404885
                                          • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040488A
                                          • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404895
                                          • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 0040489A
                                          Similarity
                                          • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                          • String ID:
                                          • API String ID: 3658366068-0
                                          • Opcode ID: c0811b9552baa960996580efd3a95ddbe219791cb6e29288b5199f5b52bda897
                                          • Instruction ID: 5504d0c870acfe65fd0076db90b097e51f0e6d2514c589c74abed5ba37c9c78a
                                          • Instruction Fuzzy Hash: 3C212C71104B149FCB216B26EC45A27BBE1EF40325F104A7EF2E612AF1CB76E851DB48
                                          APIs
                                            • Part of subcall function 00454650: CreateFileW.KERNEL32(00000000,?,?,+JE,?,?,00000000,?,00454A2B,00000000,0000000C), ref: 0045466D
                                          • GetLastError.KERNEL32 ref: 00454A96
                                          • __dosmaperr.LIBCMT ref: 00454A9D
                                          • GetFileType.KERNEL32(00000000), ref: 00454AA9
                                          • GetLastError.KERNEL32 ref: 00454AB3
                                          • __dosmaperr.LIBCMT ref: 00454ABC
                                          • CloseHandle.KERNEL32(00000000), ref: 00454ADC
                                          • CloseHandle.KERNEL32(?), ref: 00454C26
                                          • GetLastError.KERNEL32 ref: 00454C58
                                          • __dosmaperr.LIBCMT ref: 00454C5F
                                          Similarity
                                          • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                          • String ID: H
                                          • API String ID: 4237864984-2852464175
                                          • Opcode ID: 43154248a50fd66e96ac6d70bada307b7577a7ac671062952f04f408382b00d8
                                          • Instruction ID: 324c09394b40af715295ff654573b8bda7a64cd12b4111e7ce26936e53f9a861
                                          • Instruction Fuzzy Hash: B0A148329041044FDF19EF78D8427AE7BA0AB86319F14015EFC159F392DB398C86C75A
                                          Similarity
                                          • API ID:
                                          • String ID: 65535$udp
                                          • API String ID: 0-1267037602
                                          • Opcode ID: dd6860ede333d1e13d8ba8fd5b9e65b3a11d6160404ba42ca097fcd4ed7c504e
                                          • Instruction ID: a76ad32841e4dbbb66723cf4e0556afe3febbbe66cdf8f55616d13ac9502c32b
                                          • Instruction Fuzzy Hash: 9D4118716083019BD7209F29E905BAB7BD8EF85706F04082FF84197391E76DCEC186AE
                                          APIs
                                          • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
                                          • CloseHandle.KERNEL32(00000000), ref: 00416F2D
                                          • DeleteFileA.KERNEL32(00000000), ref: 00416F3C
                                          • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416EF0
                                            • Part of subcall function 00404468: send.WS2_32(00000304,00000000,00000000,00000000), ref: 004044FD
                                          Similarity
                                          • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                          • String ID: <$@$@FG$@FG$TUF$Temp
                                          • API String ID: 1107811701-4124992407
                                          • Opcode ID: 752ca13c782d44821a1ec6be30a7add5be14379de4efd94ca99b1656ba8a68f0
                                          • Instruction ID: 21bac8b1790940aaec7d6d8591dec239f7d6dde33bc15b5890dc9a9e7f2861e5
                                          • Instruction Fuzzy Hash: E8319C319002099BCB04FBA1DC56AFE7775AF50308F00417EF906760E2EF785A8ACB99
                                          APIs
                                          • GetCurrentProcess.KERNEL32(00474A28,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
                                          • GetCurrentProcess.KERNEL32(00474A28,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe), ref: 00406705
                                          Similarity
                                          • API ID: CurrentProcess
                                          • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$pUF$windir$BG3i@
                                          • API String ID: 2050909247-1144799832
                                          • Opcode ID: 5f4c91d6b24130c8fe2f88965ff0ff9b6bb2609424b04334da58237aef4b63a8
                                          • Instruction ID: 423827b33d6c667fb1d0fc3afb55bdad30249121d517be796f0b9763ce16cf58
                                          • Instruction Fuzzy Hash: B2310871250700AFC300AB65EC45F6A37B8EB84716F11043EF50AE76E1EB79A8508B6D
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393B9
                                          • GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C6
                                          • __dosmaperr.LIBCMT ref: 004393CD
                                          • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393F9
                                          • GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439403
                                          • __dosmaperr.LIBCMT ref: 0043940A
                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043944D
                                          • GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439457
                                          • __dosmaperr.LIBCMT ref: 0043945E
                                          • _free.LIBCMT ref: 0043946A
                                          • _free.LIBCMT ref: 00439471
                                          Similarity
                                          • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                          • String ID:
                                          • API String ID: 2441525078-0
                                          • Opcode ID: 4e21fbd1580d6ff2ce7530065813a89ea1a3ca3d3e91b16b88e7fcb0346c66d6
                                          • Instruction ID: 902c93592471d116807dca9985149206a76c62e8192f2f9a6cc20a0486345b12
                                          • Instruction Fuzzy Hash: F531F17140820ABBEF11AFA5DC449AF3B78EF09364F14016AF81066291DB79CC12DBA9
                                          APIs
                                          • SetEvent.KERNEL32(?,?), ref: 00404E71
                                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
                                          • TranslateMessage.USER32(?), ref: 00404F30
                                          • DispatchMessageA.USER32(?), ref: 00404F3B
                                          • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 00404FF3
                                          • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
                                            • Part of subcall function 00404468: send.WS2_32(00000304,00000000,00000000,00000000), ref: 004044FD
                                          Similarity
                                          • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                          • String ID: CloseChat$DisplayMessage$GetMessage
                                          • API String ID: 2956720200-749203953
                                          • Opcode ID: a2760a75c4010efd430d50483b3818b1fd7b873d6bd9256ff1117aa8aa92d1af
                                          • Instruction ID: a70547b48422ce96676d24762269450ce3f1821fc9982c67352fb5fd346d99ba
                                          • Opcode Fuzzy Hash: a2760a75c4010efd430d50483b3818b1fd7b873d6bd9256ff1117aa8aa92d1af
                                          • Instruction Fuzzy Hash: F741BFB16043016BC714FB75DC5A8AE77A9ABC1714F40093EF906A31E6EF38DA05C79A
                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419C94
                                          • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CAB
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CB8
                                          • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CC7
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CD8
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004195F8,00000000,00000000), ref: 00419CDB
                                          Similarity
                                          • API ID: Service$CloseHandle$Open$ControlManager
                                          • API String ID: 221034970-0
                                          • Opcode ID: 83979f30ba13052199b290374f4e897ff0c223aa30bace9cb26b013bf86a6d8f
                                          • Instruction ID: aaf019a9b49167a30595a2ca3c371567d0eeee9026f0995440eeab6e66ec65be
                                          • Opcode Fuzzy Hash: 83979f30ba13052199b290374f4e897ff0c223aa30bace9cb26b013bf86a6d8f
                                          • Instruction Fuzzy Hash: 00118632901218AFD7116B64EC85DFF3FACDB45BA5B000036F502921D1DB64DD46AAF5
                                          APIs
                                          • _free.LIBCMT ref: 00446DDF
                                            • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                            • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                          • _free.LIBCMT ref: 00446DEB
                                          • _free.LIBCMT ref: 00446DF6
                                          • _free.LIBCMT ref: 00446E01
                                          • _free.LIBCMT ref: 00446E0C
                                          • _free.LIBCMT ref: 00446E17
                                          • _free.LIBCMT ref: 00446E22
                                          • _free.LIBCMT ref: 00446E2D
                                          • _free.LIBCMT ref: 00446E38
                                          • _free.LIBCMT ref: 00446E46
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • API String ID: 776569668-0
                                          • Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                          • Instruction ID: b6db37451886405a3c03f61b360184b61b1678451e8b30ee63348233c964278a
                                          • Opcode Fuzzy Hash: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                          • Instruction Fuzzy Hash: F011E975100408BFEB01EF55C842CDD3B65EF46354B06C0AAF9086F222DA35DE649F85
                                          APIs
                                          • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041B846
                                          • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B88A
                                          • RegCloseKey.ADVAPI32(?), ref: 0041BB54
                                          Strings
                                          • DisplayName, xrefs: 0041B8D1
                                          • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041B83C
                                          Similarity
                                          • API ID: CloseEnumOpen
                                          • String ID: DisplayName$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                          • API String ID: 1332880857-3614651759
                                          • Opcode ID: beee8cc8128c5b6292a52baa65063b935d7e49e28abb99bedb81eb58e8c596e1
                                          • Instruction ID: 4ca6cd9db44c7b11bab16217f2b7ba144dfc64e74838f3250c32f9e768a6938f
                                          • Opcode Fuzzy Hash: beee8cc8128c5b6292a52baa65063b935d7e49e28abb99bedb81eb58e8c596e1
                                          • Instruction Fuzzy Hash: 8C812E311082449BD324EB11DC51AEFB7E9FFD4314F10493FB58A921E1EF74AA49CA9A
                                          Similarity
                                          • API ID: Eventinet_ntoa
                                          • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
                                          • API String ID: 3578746661-4192532303
                                          • Opcode ID: 5591d94899e3dc25aa1960d5c0cb9b58af094e98f064e1ecba9a55431c36abf3
                                          • Instruction ID: 9533851bb4e74ac183efc1d320b4a1154e984465ef7073577260c431c5a81f81
                                          • Opcode Fuzzy Hash: 5591d94899e3dc25aa1960d5c0cb9b58af094e98f064e1ecba9a55431c36abf3
                                          • Instruction Fuzzy Hash: E8518471A042009BC714F779D85AAAE36A59B80318F40453FF849972E2DF7CAD85CB9F
                                          APIs
                                          • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
                                            • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                          • Sleep.KERNEL32(00000064), ref: 00416688
                                          • DeleteFileW.KERNEL32(00000000), ref: 004166BC
                                          Similarity
                                          • API ID: File$CreateDeleteExecuteShellSleep
                                          • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                          • API String ID: 1462127192-2001430897
                                          • Opcode ID: d94b8c85182ea572c803bf7ed9f069f989e38430cde1dbff2418cf4f66068fd6
                                          • Instruction ID: 72b86f905f1643b809cd09d25b02ba286255726e8958c1b91c3bd62dba73c542
                                          • Opcode Fuzzy Hash: d94b8c85182ea572c803bf7ed9f069f989e38430cde1dbff2418cf4f66068fd6
                                          • Instruction Fuzzy Hash: FD313E719001085ADB14FBA1DC96EEE7764AF50708F00013FF906731E2EF786A8ACA9D
                                          APIs
                                          • _strftime.LIBCMT ref: 00401AD3
                                            • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                          • waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
                                          • waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
                                          • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
                                          Similarity
                                          • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                          • String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
                                          • API String ID: 3809562944-3643129801
                                          • Opcode ID: b8eed0d151ccb6e5a82338ef45dd5c7a6e48c5c8e1108a83b815f9cf038dc0a3
                                          • Instruction ID: ec6e8c75c27496dd15f6dcc160753dc5291fcfbcfc36b55cd818fae73feeac55
                                          • Opcode Fuzzy Hash: b8eed0d151ccb6e5a82338ef45dd5c7a6e48c5c8e1108a83b815f9cf038dc0a3
                                          • Instruction Fuzzy Hash: 6C317E315053009BC314EF25DC56A9E77E8BB94314F00883EF559A21F1EF78AA49CB9A
                                          APIs
                                          • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
                                          • waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
                                          • waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
                                          • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
                                          • waveInStart.WINMM ref: 00401A81
                                          Similarity
                                          • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                          • String ID: XCG$`=G$x=G
                                          • API String ID: 1356121797-903574159
                                          • Opcode ID: df66b5dce40286873da021395106849cc9c08a1aee5ad096444ea0181d895aab
                                          • Instruction ID: 1c4952ee711c82e1d68262a7885cb64ec938acb60d992cd4a46dee1db52e037b
                                          • Opcode Fuzzy Hash: df66b5dce40286873da021395106849cc9c08a1aee5ad096444ea0181d895aab
                                          • Instruction Fuzzy Hash: 87215C316012009BC704DF7EFD1696A7BA9FB85742B00843AF50DE76B0EBB89880CB4C
                                          APIs
                                          • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C988
                                            • Part of subcall function 0041CA1F: RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                            • Part of subcall function 0041CA1F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                            • Part of subcall function 0041CA1F: GetLastError.KERNEL32 ref: 0041CA91
                                          • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9BF
                                          • lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9D9
                                          • Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9EF
                                          • TranslateMessage.USER32(?), ref: 0041C9FB
                                          • DispatchMessageA.USER32(?), ref: 0041CA05
                                          • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA12
                                          Similarity
                                          • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                          • String ID: Remcos
                                          • API String ID: 1970332568-165870891
                                          • Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                          • Instruction ID: 0af2178feff80faf092f0d4c6bffee9b758878d1eb04e36c9ad6546aee081b39
                                          • Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                          • Instruction Fuzzy Hash: 760121B1944344ABD7109FA5FC4CEDA7BBCAB45B16F004035F605E2162D7B8A285DB2D
                                          Similarity
                                          • Opcode ID: c66e7b394ba3cedc2256576aca990ac76a61b28af5954af531c93a6943a32a1c
                                          • Instruction ID: 1e235cce983953b2f50cc3566bc78ab2d8216d31b9fa4c429b6f00869d8f9d70
                                          • Opcode Fuzzy Hash: c66e7b394ba3cedc2256576aca990ac76a61b28af5954af531c93a6943a32a1c
                                          • Instruction Fuzzy Hash: 27C1D774D04249AFEF11DFA9C8417AEBBB4FF4A304F14405AE814A7392C778D941CBA9
                                          APIs
                                          • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00452E03,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00452BD6
                                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452C59
                                          • __alloca_probe_16.LIBCMT ref: 00452C91
                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00452E03,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452CEC
                                          • __alloca_probe_16.LIBCMT ref: 00452D3B
                                          • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D03
                                            • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                          • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00452E03,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D7F
                                          • __freea.LIBCMT ref: 00452DAA
                                          • __freea.LIBCMT ref: 00452DB6
                                          Similarity
                                          • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                          • API String ID: 201697637-0
                                          • Opcode ID: cd4f4d094d65e1c4d755668ff0760d0ec0a4a3d0ecd204ff5b810190f7c058d9
                                          • Instruction ID: c0da75549b7b47b94c7346473649b17197e9394d7568cc7349c1d05b16f9ad8a
                                          • Opcode Fuzzy Hash: cd4f4d094d65e1c4d755668ff0760d0ec0a4a3d0ecd204ff5b810190f7c058d9
                                          • Instruction Fuzzy Hash: F391D872E002169BDF218E64CA51EEF7BB5AF0A315F14055BEC04E7243D7A9DC48CB68
                                          APIs
                                            • Part of subcall function 00446EBF: GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                            • Part of subcall function 00446EBF: _free.LIBCMT ref: 00446EF6
                                            • Part of subcall function 00446EBF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                            • Part of subcall function 00446EBF: _abort.LIBCMT ref: 00446F3D
                                          • _memcmp.LIBVCRUNTIME ref: 004446A3
                                          • _free.LIBCMT ref: 00444714
                                          • _free.LIBCMT ref: 0044472D
                                          • _free.LIBCMT ref: 0044475F
                                          • _free.LIBCMT ref: 00444768
                                          • _free.LIBCMT ref: 00444774
                                          Similarity
                                          • API ID: _free$ErrorLast$_abort_memcmp
                                          • String ID: C
                                          • API String ID: 1679612858-1037565863
                                          • Opcode ID: c1bf1e8f9dec5d7cfc4ae1e5b0c5bec2e7773f5590c7fa80be8f87cb2d294935
                                          • Instruction ID: 3c523a64da6f7cdf058c983f33271b3c05ff2f19a58e511a78fa6d1555c07658
                                          • Opcode Fuzzy Hash: c1bf1e8f9dec5d7cfc4ae1e5b0c5bec2e7773f5590c7fa80be8f87cb2d294935
                                          • Instruction Fuzzy Hash: 19B13975A012199FEB24DF18C885BAEB7B4FB49304F1485AEE909A7350D739AE90CF44
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: tcp$udp
                                          • API String ID: 0-3725065008
                                          • Opcode ID: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                          • Instruction ID: e59cad8d3053530f07be13ad944632c35d9115139dfdf9e987abb4c2b311e0ee
                                          • Opcode Fuzzy Hash: feee9516c16efef68815b89ade9cbffe5bf55ce5106af849680fee818ce7e4b0
                                          • Instruction Fuzzy Hash: 9171AB316083128FDB24CE5584847ABB6E4AF84746F10043FF885A7352E778DE85CB9A
                                          APIs
                                          • ExitThread.KERNEL32 ref: 004017F4
                                            • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                            • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                          • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902
                                            • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                          • __Init_thread_footer.LIBCMT ref: 004017BC
                                            • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                            • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                          • String ID: T=G$p[G$>G$>G
                                          • API String ID: 1596592924-2461731529
                                          • Opcode ID: f7dd7ff43e8fa91a01b380b53589ec67711359c1a88f3d5bbceeae34eeda83d9
                                          • Instruction ID: b2aa677fe1363808454ef9d3704f93b9908b7cd688e3fd59dcdd6ad405d7ff49
                                          • Opcode Fuzzy Hash: f7dd7ff43e8fa91a01b380b53589ec67711359c1a88f3d5bbceeae34eeda83d9
                                          • Instruction Fuzzy Hash: 0D41A0316042019BC324FB65DCA6EAE73A4EB94318F00453FF54AA71F2DF78A945C65E
                                          APIs
                                          • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1
                                            • Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                            • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                            • Part of subcall function 00404468: send.WS2_32(00000304,00000000,00000000,00000000), ref: 004044FD
                                          • RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseEnumInfoOpenQuerysend
                                          • String ID: TUF$TUFTUF$>G$DG$DG
                                          • API String ID: 3114080316-72097156
                                          • Opcode ID: b79f96b98849828189ce12a55a5e60de86127cd7c836c6bc3b0d8c974564a8ee
                                          • Instruction ID: 92049c6ae7fba3f13a57cd60a3827c89810429dfa6cf24b756c0ab1f01d338b1
                                          • Opcode Fuzzy Hash: b79f96b98849828189ce12a55a5e60de86127cd7c836c6bc3b0d8c974564a8ee
                                          • Instruction Fuzzy Hash: 0141A2316042009BC224F635D9A2AEF7394AFD0708F50843FF94A671E2EF7C5D4986AE
                                          APIs
                                          • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                          • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                            • Part of subcall function 00404468: send.WS2_32(00000304,00000000,00000000,00000000), ref: 004044FD
                                          • CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                          • MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                          • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
                                          • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
                                            • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
                                            • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                          • String ID: .part
                                          • API String ID: 1303771098-3499674018
                                          • Opcode ID: 124c633532e8600691c4108089ff1e2e84c33ce980c006a8ee94900b53e6ed61
                                          • Instruction ID: a9f2b94bfe891e644ef5b97f564769cd4b441703f4f7d546a0b6aea2ef9939f1
                                          • Opcode Fuzzy Hash: 124c633532e8600691c4108089ff1e2e84c33ce980c006a8ee94900b53e6ed61
                                          • Instruction Fuzzy Hash: 1C31C2715083019FD210EF21DD459AFB7A8FB85715F40093FF9C6A21A1DB38AA48CB9A
                                          APIs
                                            • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
                                            • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
                                            • Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE
                                            • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                            • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
                                          • _wcslen.LIBCMT ref: 0041A8F6
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                          • String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
                                          • API String ID: 3286818993-703403762
                                          • Opcode ID: d31394a1e59778cac49212debd323097d31c222899c914d30ad8a284f22ebc6c
                                          • Instruction ID: cf464564bb47d370653928ac6653466accee15d45f6204cdc17a1bec324f9b19
                                          • Opcode Fuzzy Hash: d31394a1e59778cac49212debd323097d31c222899c914d30ad8a284f22ebc6c
                                          • Instruction Fuzzy Hash: 3021B8727001043BDB04BAB58C96DEE366D9B85358F14083FF402F72C2ED3C9D5942A9
                                          APIs
                                            • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                            • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                            • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                          • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
                                          • PathFileExistsA.SHLWAPI(?), ref: 0040B779
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                          • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders$TUF
                                          • API String ID: 1133728706-1738023494
                                          • Opcode ID: 855e2cf6618f683fcf1880faecf3eef8977eac3d94cb5d0ef317c0a3041edc6c
                                          • Instruction ID: d844a8c095f6bc09782a4352348c5dfd082864f820bca84d12e352ec49be167e
                                          • Opcode Fuzzy Hash: 855e2cf6618f683fcf1880faecf3eef8977eac3d94cb5d0ef317c0a3041edc6c
                                          • Instruction Fuzzy Hash: 5F216D71A00109A6CB04F7B2DCA69EE7764AE95318F40013FE902771D2EB7C9A49C6DE
                                          APIs
                                          • AllocConsole.KERNEL32(00474358), ref: 0041BEB9
                                          • GetConsoleWindow.KERNEL32 ref: 0041BEBF
                                          • ShowWindow.USER32(00000000,00000000), ref: 0041BED2
                                          • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BEF7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Console$Window$AllocOutputShow
                                          • String ID: Remcos v$5.3.0 Pro$CONOUT$
                                          • API String ID: 4067487056-2527699604
                                          • Opcode ID: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                                          • Instruction ID: 482f1cdaf256b8236abc94a0b12de3dc55517b66349f776fa4240982defd8f75
                                          • Opcode Fuzzy Hash: 665a097808b038229c9a37eafed355beb7ea993dcaa7ec452e19bba1328996a1
                                          • Instruction Fuzzy Hash: 180171B19803047BD600FBF29D4BFDD37AC9B14705F5004277644E7093EABCA554866D
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043D564,0043D564,?,?,?,00449BA1,00000001,00000001,1AE85006), ref: 004499AA
                                          • __alloca_probe_16.LIBCMT ref: 004499E2
                                          • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00449BA1,00000001,00000001,1AE85006,?,?,?), ref: 00449A30
                                          • __alloca_probe_16.LIBCMT ref: 00449AC7
                                          • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,1AE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B2A
                                          • __freea.LIBCMT ref: 00449B37
                                            • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                          • __freea.LIBCMT ref: 00449B40
                                          • __freea.LIBCMT ref: 00449B65
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                          • String ID:
                                          • API String ID: 3864826663-0
                                          • Opcode ID: 4f32ff11c9a2c5bbe2f4738f39354e42457cdb7b2d04467834f9366f6cd65cf7
                                          • Instruction ID: d3450b84a68f20df6837e20b70452335b33749c243a385fd48b45426a0ff81fe
                                          • Opcode Fuzzy Hash: 4f32ff11c9a2c5bbe2f4738f39354e42457cdb7b2d04467834f9366f6cd65cf7
                                          • Instruction Fuzzy Hash: 89511572610246AFFB258F65DC81EBB77A9EB44754F15462EFC04E6240EF38EC40E668
                                          APIs
                                          • SendInput.USER32 ref: 00418B08
                                          • SendInput.USER32(00000001,?,0000001C), ref: 00418B30
                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B57
                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B75
                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B95
                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BBA
                                          • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BDC
                                          • SendInput.USER32(00000001,?,0000001C), ref: 00418BFF
                                            • Part of subcall function 00418AB1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AB7
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: InputSend$Virtual
                                          • String ID:
                                          • API String ID: 1167301434-0
                                          • Opcode ID: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                          • Instruction ID: ee8b26819532887277ba411a2a2a0296f2420856d0f10470abe43a11d9a37015
                                          • Opcode Fuzzy Hash: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                          • Instruction Fuzzy Hash: 3231A471248345AAE210DF65D841FDFFBECAFC5B44F04080FB98457291DAA4D98C87AB
                                          APIs
                                          • OpenClipboard.USER32 ref: 00415A46
                                          • EmptyClipboard.USER32 ref: 00415A54
                                          • CloseClipboard.USER32 ref: 00415A5A
                                          • OpenClipboard.USER32 ref: 00415A61
                                          • GetClipboardData.USER32(0000000D), ref: 00415A71
                                          • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                          • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                          • CloseClipboard.USER32 ref: 00415A89
                                            • Part of subcall function 00404468: send.WS2_32(00000304,00000000,00000000,00000000), ref: 004044FD
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                          • String ID:
                                          • API String ID: 2172192267-0
                                          • Opcode ID: d51e9d9b7c83d4b7240a3047c26a9a5e57fadfb447c4903058641008fff525ed
                                          • Instruction ID: 9b100a12d13cc6c4196ee8fc3e520842cce62831b2d72284ea91ff5550736cd9
                                          • Opcode Fuzzy Hash: d51e9d9b7c83d4b7240a3047c26a9a5e57fadfb447c4903058641008fff525ed
                                          • Instruction Fuzzy Hash: A10152312083009FC314BB75EC5AAEE77A5AFC0762F41457EFD06861A2DF38C845D65A
                                          APIs
                                          • _free.LIBCMT ref: 00447EBC
                                          • _free.LIBCMT ref: 00447EE0
                                          • _free.LIBCMT ref: 00448067
                                          • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448079
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 004480F1
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044811E
                                          • _free.LIBCMT ref: 00448233
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                          • String ID:
                                          • API String ID: 314583886-0
                                          • Opcode ID: b6bc52503377ed9d6f1f9e4f23e77935edc363574d887804d00f446c38a2ef84
                                          • Instruction ID: d74e55ca02e924b9256a88f94e7be2aa31ce1fd8fbfcff02d88bcfbefc6cbd9d
                                          • Opcode Fuzzy Hash: b6bc52503377ed9d6f1f9e4f23e77935edc363574d887804d00f446c38a2ef84
                                          • Instruction Fuzzy Hash: 32C12871904205ABFB24DF799C41AAE7BB8EF46314F2441AFE484A7351EB388E47C758
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free
                                          • String ID:
                                          • API String ID: 269201875-0
                                          • Opcode ID: 5969c94153c7b7bc47658fb7421fb2dc5c6178a12c9a66a46f54a64434edbe96
                                          • Instruction ID: 5fecc71d39e6a90402c47f7728bb4f6831cdfeb90858b0dfc168023e2edb8b83
                                          • Opcode Fuzzy Hash: 5969c94153c7b7bc47658fb7421fb2dc5c6178a12c9a66a46f54a64434edbe96
                                          • Instruction Fuzzy Hash: 2361BFB1900205AFEB20DF69C841BAABBF4EB45720F24417BE944FB392E7349D45CB59
                                          APIs
                                            • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                          • _free.LIBCMT ref: 00444086
                                          • _free.LIBCMT ref: 0044409D
                                          • _free.LIBCMT ref: 004440BC
                                          • _free.LIBCMT ref: 004440D7
                                          • _free.LIBCMT ref: 004440EE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$AllocateHeap
                                          • String ID: J7D
                                          • API String ID: 3033488037-1677391033
                                          • Opcode ID: e789079c2bca6bbabae9b3291a6a7c0d52dcd5a72fb4a21e852c8be1410d12d6
                                          • Instruction ID: b5a2c1f2d034459fb850ff781f480331835685433a1d37f27cfcf8091ebf3f31
                                          • Opcode Fuzzy Hash: e789079c2bca6bbabae9b3291a6a7c0d52dcd5a72fb4a21e852c8be1410d12d6
                                          • Instruction Fuzzy Hash: 9251E371A00604AFEB20DF6AC841B6AB3F4EF95724F14416EE909D7251E739ED15CB88
                                          APIs
                                          • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0044A838,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A105
                                          • __fassign.LIBCMT ref: 0044A180
                                          • __fassign.LIBCMT ref: 0044A19B
                                          • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044A1C1
                                          • WriteFile.KERNEL32(?,00000000,00000000,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A1E0
                                          • WriteFile.KERNEL32(?,?,00000001,0044A838,00000000,?,?,?,?,?,?,?,?,?,0044A838,?), ref: 0044A219
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                          • String ID:
                                          • API String ID: 1324828854-0
                                          • Opcode ID: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                          • Instruction ID: b40464c9ec282996611fef5cbd20273031f87559cdf671a411eba52403cbf28d
                                          • Opcode Fuzzy Hash: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                          • Instruction Fuzzy Hash: DB51E270E002099FEB10CFA8D881AEEBBF8FF09300F14416BE815E3391D6749951CB6A
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free
                                          • String ID: HE$HE
                                          • API String ID: 269201875-1978648262
                                          • Opcode ID: fc29a47a32afb3350fc3e3c96543f328580f9b5143c0f3ce58bfce5294a38304
                                          • Instruction ID: 4134de32792d44acead4bb36f8da9b5b282593f8ffe10db144b1eaf4d9577b64
                                          • Opcode Fuzzy Hash: fc29a47a32afb3350fc3e3c96543f328580f9b5143c0f3ce58bfce5294a38304
                                          • Instruction Fuzzy Hash: 90412A31A009106BEF24AABA8CD5A7F3B64DF45375F14031BFC1896293D67C8C4996AA
                                          APIs
                                            • Part of subcall function 0041B15B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B16C
                                            • Part of subcall function 0041B15B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B173
                                          • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
                                          • Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
                                          • CloseHandle.KERNEL32(00000000), ref: 0040E8AB
                                            • Part of subcall function 0041B187: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B19C
                                            • Part of subcall function 0041B187: IsWow64Process.KERNEL32(00000000,?,?,?,00474358), ref: 0041B1A7
                                            • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                            • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                          • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                          • String ID: PgF
                                          • API String ID: 2180151492-654241383
                                          • Opcode ID: f63e02058b3df390fc99547af966fd5b060998b003f203cb2b12e7754b08fae9
                                          • Instruction ID: 1ccfc3ca83e07eb3b8bade3b71d1bee95701cef3987deea6625860c00c24977f
                                          • Opcode Fuzzy Hash: f63e02058b3df390fc99547af966fd5b060998b003f203cb2b12e7754b08fae9
                                          • Instruction Fuzzy Hash: F641E1311083415BC325F761D8A1AEFB7E9EFA4305F50453EF84A931E1EF389A49C65A
                                          APIs
                                          • _ValidateLocalCookies.LIBCMT ref: 00437AAB
                                          • ___except_validate_context_record.LIBVCRUNTIME ref: 00437AB3
                                          • _ValidateLocalCookies.LIBCMT ref: 00437B41
                                          • __IsNonwritableInCurrentImage.LIBCMT ref: 00437B6C
                                          • _ValidateLocalCookies.LIBCMT ref: 00437BC1
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                          • String ID: csm
                                          • API String ID: 1170836740-1018135373
                                          • Opcode ID: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                                          • Instruction ID: 9404c61c081bc4e6da2099be8a52027e1297fde76841380def533d3eaa533744
                                          • Opcode Fuzzy Hash: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                                          • Instruction Fuzzy Hash: CD410970A04209DBCF20EF19C844A9FBBB5AF0932CF14915BE8556B392D739EE05CB95
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 02717eb42979939780aa55e78abd64da983f54570bcab5d4a33c232e0763f4b4
                                          • Instruction ID: 969edc756a0dffe936139f0dc9bce31aed38431af2e56c5058bd22e5c2f4fad6
                                          • Opcode Fuzzy Hash: 02717eb42979939780aa55e78abd64da983f54570bcab5d4a33c232e0763f4b4
                                          • Instruction Fuzzy Hash: 991124B1508654FBDB202F769C4493B3B6CEF82376B10016FFC15D7242DA7C8805C2AA
                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
                                          • int.LIBCPMT ref: 0040FC0F
                                            • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                            • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                          • std::_Facet_Register.LIBCPMT ref: 0040FC4B
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                          • String ID: P[G
                                          • API String ID: 2536120697-571123470
                                          • Opcode ID: 080c8d6f573d4b518caf4e655f0fcc3a1f7fca7e624085fd0a478c15266a48d0
                                          • Instruction ID: a46b155a0a589d4ea75c4983af6a631921b9d9812a15003568faaf62f6f01cf1
                                          • Opcode Fuzzy Hash: 080c8d6f573d4b518caf4e655f0fcc3a1f7fca7e624085fd0a478c15266a48d0
                                          • Instruction Fuzzy Hash: 7611F331904518A7CB14FBA5D8469DEB7689E44358B20007BF905B72C1EB7CAE45C79D
                                          APIs
                                            • Part of subcall function 0044FA22: _free.LIBCMT ref: 0044FA4B
                                          • _free.LIBCMT ref: 0044FD29
                                            • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                            • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                          • _free.LIBCMT ref: 0044FD34
                                          • _free.LIBCMT ref: 0044FD3F
                                          • _free.LIBCMT ref: 0044FD93
                                          • _free.LIBCMT ref: 0044FD9E
                                          • _free.LIBCMT ref: 0044FDA9
                                          • _free.LIBCMT ref: 0044FDB4
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          • Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                          • Instruction ID: b6f47af98b99390d2ca34363280ce03bc5e4d1be0f6c4f29549f69d6ae0d3a9a
                                          • Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                          • Instruction Fuzzy Hash: 5F119031711B04B6F520FBB2CC07FCBB7DC9F42308F814C2EB29E76152E628A9184645
                                          APIs
                                          • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe), ref: 00406835
                                            • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
                                            • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                          • CoUninitialize.OLE32 ref: 0040688E
                                          Strings
                                          • [+] ucmCMLuaUtilShellExecMethod, xrefs: 0040681A
                                          • C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, xrefs: 00406815, 00406818, 0040686A
                                          • [+] before ShellExec, xrefs: 00406856
                                          • [+] ShellExec success, xrefs: 00406873
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: InitializeObjectUninitialize_wcslen
                                          • String ID: C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                          • API String ID: 3851391207-943193706
                                          • Opcode ID: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                          • Instruction ID: 622c6236034ee416db36617ed9a374104512909f75adacabffe0517dc70a223e
                                          • Opcode Fuzzy Hash: cc256bbe825efe690782e207798e63cf697be23d062579cdcaa40baaa38e88a5
                                          • Instruction Fuzzy Hash: A501C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669
                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
                                          • int.LIBCPMT ref: 0040FEF2
                                            • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                            • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                          • std::_Facet_Register.LIBCPMT ref: 0040FF2E
                                          • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                          • String ID: H]G
                                          • API String ID: 2536120697-1717957184
                                          APIs
                                          • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
                                          • GetLastError.KERNEL32 ref: 0040B2EE
                                          Strings
                                          • [Chrome Cookies not found], xrefs: 0040B308
                                          • UserProfile, xrefs: 0040B2B4
                                          • [Chrome Cookies found, cleared!], xrefs: 0040B314
                                          • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
                                          Yara matches
                                          Similarity
                                          • API ID: DeleteErrorFileLast
                                          • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                          • API String ID: 2018770650-304995407
                                          Strings
                                          • W, xrefs: 0040693F
                                          • BG, xrefs: 00406909
                                          • C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe, xrefs: 00406927
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: W$C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe$BG
                                          • API String ID: 0-1907476974
                                          APIs
                                          • RegCreateKeyW.ADVAPI32(80000001,00000000,BG), ref: 0041277F
                                          • RegSetValueExW.ADVAPI32(BG,?,00000000,00000001,00000000,00000000, W,?,0040E5CB,pth_unenc,004742E0), ref: 004127AD
                                          • RegCloseKey.ADVAPI32(?,?,0040E5CB,pth_unenc,004742E0), ref: 004127B8
                                          Yara matches
                                          Similarity
                                          • API ID: CloseCreateValue
                                          • String ID: W$pth_unenc$BG
                                          • API String ID: 1818849710-3616097400
                                          APIs
                                          • __allrem.LIBCMT ref: 00439789
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397A5
                                          • __allrem.LIBCMT ref: 004397BC
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397DA
                                          • __allrem.LIBCMT ref: 004397F1
                                          • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043980F
                                          Yara matches
                                          Similarity
                                          • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                          • String ID:
                                          • API String ID: 1992179935-0
                                          Yara matches
                                          Similarity
                                          • API ID: __cftoe
                                          • String ID:
                                          • API String ID: 4189289331-0
                                          Yara matches
                                          Similarity
                                          • API ID: __freea$__alloca_probe_16
                                          • String ID: a/p$am/pm
                                          • API String ID: 3509577899-3206640213
                                          APIs
                                          • Sleep.KERNEL32(00000000), ref: 00403E8A
                                            • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
                                          Yara matches
                                          Similarity
                                          • API ID: H_prologSleep
                                          • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
                                          • API String ID: 3469354165-462540288
                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419DFC
                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E10
                                          • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E1D
                                          • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419507), ref: 00419E52
                                          • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E64
                                          • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419507,00000000,00000000), ref: 00419E67
                                          Yara matches
                                          Similarity
                                          • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                          • String ID:
                                          • API String ID: 493672254-0
                                          APIs
                                          • GetLastError.KERNEL32(?,?,00437DFD,004377B1), ref: 00437E14
                                          • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E22
                                          • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E3B
                                          • SetLastError.KERNEL32(00000000,?,00437DFD,004377B1), ref: 00437E8D
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLastValue___vcrt_
                                          • String ID:
                                          • API String ID: 3852720340-0
                                          APIs
                                          • GetLastError.KERNEL32(?,?,0043931C,?,00000000,?,0043B955,00000000,00000000), ref: 00446EC3
                                          • _free.LIBCMT ref: 00446EF6
                                          • _free.LIBCMT ref: 00446F1E
                                          • SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F2B
                                          • SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F37
                                          • _abort.LIBCMT ref: 00446F3D
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast$_free$_abort
                                          • String ID:
                                          • API String ID: 3160817290-0
                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C2F
                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C43
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C50
                                          • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C5F
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C71
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041979B,00000000,00000000), ref: 00419C74
                                          Yara matches
                                          Similarity
                                          • API ID: Service$CloseHandle$Open$ControlManager
                                          • String ID:
                                          • API String ID: 221034970-0
                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D31
                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D45
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D52
                                          • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D61
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D73
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419719,00000000,00000000), ref: 00419D76
                                          Yara matches
                                          Similarity
                                          • API ID: Service$CloseHandle$Open$ControlManager
                                          • String ID:
                                          • API String ID: 221034970-0
                                          APIs
                                          • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419D96
                                          • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DAA
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DB7
                                          • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DC6
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DD8
                                          • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DDB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Service$CloseHandle$Open$ControlManager
                                          • String ID:
                                          • API String ID: 221034970-0
                                          • Opcode ID: e355818817006b765bc9d302ee5cf97eebc986756fff16413e45bff3808d062c
                                          • Instruction ID: abda6543b9bae7672c93be1b0f3a8a56711a85df89096aceaf06b6c73a90a6e4
                                          • Opcode Fuzzy Hash: e355818817006b765bc9d302ee5cf97eebc986756fff16413e45bff3808d062c
                                          • Instruction Fuzzy Hash: C2F0C2325002146BD2116B24FC49EBF3AACDB45BA1B04003AFA06A21D2DB28CE4685F8
                                          APIs
                                          • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                          • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                          • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Enum$InfoQueryValue
                                          • String ID: [regsplt]$DG
                                          • API String ID: 3554306468-1089238109
                                          • Opcode ID: bdfd4bea99a2a56e0bf69a035c0c9d08caa5f3d1df37628ba4533c7e0d6d2cae
                                          • Instruction ID: 09469598a034e88a10af8fecb22bb8a395a4bc85e225d04bcc93034602455e52
                                          • Opcode Fuzzy Hash: bdfd4bea99a2a56e0bf69a035c0c9d08caa5f3d1df37628ba4533c7e0d6d2cae
                                          • Instruction Fuzzy Hash: D8512E72108345AFD310EB61D995DEFB7ECEF84744F00493EB585D2191EB74EA088B6A
                                          APIs
                                          • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe,00000104), ref: 00442714
                                          • _free.LIBCMT ref: 004427DF
                                          • _free.LIBCMT ref: 004427E9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$FileModuleName
                                          • String ID: 8(V$C:\Users\user\Desktop\173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c4894091d6159.dat-decoded.exe
                                          • API String ID: 2506810119-1213518388
                                          • Opcode ID: 517ef8501d39ed80bd5d3989cd54e6cd38b7eb486680de81052e85c6479d25b4
                                          • Instruction ID: 3cff5717343a4e3a710d875500e96c622d597d45f5ef159119de948e6b6562f0
                                          • Opcode Fuzzy Hash: 517ef8501d39ed80bd5d3989cd54e6cd38b7eb486680de81052e85c6479d25b4
                                          • Instruction Fuzzy Hash: 3E31B371A00218AFEB21DF9ADD81D9EBBFCEB85314F54406BF804A7311D6B88E41DB59
                                          APIs
                                            • Part of subcall function 00433519: EnterCriticalSection.KERNEL32(00470D18,?,00475D2C,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433524
                                            • Part of subcall function 00433519: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D2C,?,00000000,00000000), ref: 00433561
                                            • Part of subcall function 004338A5: __onexit.LIBCMT ref: 004338AB
                                          • __Init_thread_footer.LIBCMT ref: 0040AEA7
                                            • Part of subcall function 004334CF: EnterCriticalSection.KERNEL32(00470D18,00475D2C,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 004334D9
                                            • Part of subcall function 004334CF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D2C,00456D97,?,00000000,00000000), ref: 0043350C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                          • String ID: [End of clipboard]$[Text copied to clipboard]$,]G$0]G
                                          • API String ID: 2974294136-753205382
                                          • Opcode ID: 84d5120d1790242da64ed9a6eb1f5c34e2201cb21d83ae33a80d74a94cbf0ed8
                                          • Instruction ID: 172b4b58ae75f988d3b3a293bba3f35c56e57800f0e036023c2a0486d145437f
                                          • Opcode Fuzzy Hash: 84d5120d1790242da64ed9a6eb1f5c34e2201cb21d83ae33a80d74a94cbf0ed8
                                          • Instruction Fuzzy Hash: 44219F31A002099ACB14FB75D8929EE7774AF54318F50403FF406771E2EF386E4A8A8D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: X%W
                                          • API String ID: 0-2148709034
                                          • Opcode ID: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
                                          • Instruction ID: c84c011be516b9a55b4d27d1f6be1bd7d35570b7e88518a67a440710abbdd315
                                          • Opcode Fuzzy Hash: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
                                          • Instruction Fuzzy Hash: 780126F26097153EF62016796CC1F6B230CDF823B8B34073BF421652E1EAA8CC01506C
                                          APIs
                                          • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                          • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                          • Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                          • CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$CloseCreateHandleSizeSleep
                                          • String ID: XdW
                                          • API String ID: 1958988193-1769000174
                                          • Opcode ID: b0d5ab9d96485228d01e653f577d9a536d0e325b1c446dee4fcf46d6e6ae2c45
                                          • Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
                                          • Opcode Fuzzy Hash: b0d5ab9d96485228d01e653f577d9a536d0e325b1c446dee4fcf46d6e6ae2c45
                                          • Instruction Fuzzy Hash: 3A11C4303407406AE731E764E88962B7A9AAB91311F44057EF18562AE3D7389CD1829D
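Reading these API lines by hand is error-prone: the plugin prints a fixed window of stack slots, so entries past an API's real parameter count are caller stack noise (the return address 00419697 appears in all three service calls), and the raw constants are easy to misread. The following is an added example, my own code and not anything from Joe Sandbox or the sample, that parses lines in exactly this format and decodes the constants that matter for the service-control entry (00419D96 to 00419DDB) and the CreateFileW entry (00409DCD to 00409E10) above. For OpenServiceW, 0x40 is SERVICE_PAUSE_CONTINUE, and for ControlService, control code 3 is SERVICE_CONTROL_CONTINUE, so this routine resumes a paused service rather than stopping one (stop is 1). For CreateFileW, 0x80000000, 7 and 3 are GENERIC_READ, all three share flags and OPEN_EXISTING, and the Sleep argument 0x2710 is 10000 ms. The 0x40 passed to OpenSCManagerW is not one of the specific SC_MANAGER_* rights, so it is printed raw. The parameter-count and decoder tables cover only the APIs in these two entries; the sample lines are copied from the listing.

```python
import re

# Constructed input: API call lines copied verbatim from the function listing above.
SAMPLE_LINES = """\
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419D96
• OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DAA
• ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,00419697,00000000,00000000), ref: 00419DC6
• CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
• Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
""".splitlines()

LINE_RE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)

# Real parameter counts. The plugin dumps a fixed window of stack slots, so anything past these
# positions is caller stack noise (the return address 00419697 is visible in the service calls).
PARAM_COUNT = {"OpenSCManagerW": 3, "OpenServiceW": 3, "ControlService": 3,
               "CloseServiceHandle": 1, "CreateFileW": 7, "GetFileSize": 2, "Sleep": 1}

SERVICE_ACCESS = {0x1: "SERVICE_QUERY_CONFIG", 0x2: "SERVICE_CHANGE_CONFIG", 0x4: "SERVICE_QUERY_STATUS",
                  0x8: "SERVICE_ENUMERATE_DEPENDENTS", 0x10: "SERVICE_START", 0x20: "SERVICE_STOP",
                  0x40: "SERVICE_PAUSE_CONTINUE", 0x80: "SERVICE_INTERROGATE",
                  0x100: "SERVICE_USER_DEFINED_CONTROL"}
SERVICE_CONTROL = {1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE",
                   3: "SERVICE_CONTROL_CONTINUE", 4: "SERVICE_CONTROL_INTERROGATE"}
GENERIC_ACCESS = {0x80000000: "GENERIC_READ", 0x40000000: "GENERIC_WRITE",
                  0x20000000: "GENERIC_EXECUTE", 0x10000000: "GENERIC_ALL"}
SHARE_MODE = {0x1: "FILE_SHARE_READ", 0x2: "FILE_SHARE_WRITE", 0x4: "FILE_SHARE_DELETE"}
CREATION = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS", 5: "TRUNCATE_EXISTING"}


def flags(table):
    """Decoder for bit-flag parameters: names of every set bit, or the raw hex if none match."""
    return lambda v: "|".join(name for bit, name in table.items() if v & bit) or f"0x{v:X}"


def enum(table):
    """Decoder for enumeration parameters: the name for an exact value, or the raw hex."""
    return lambda v: table.get(v, f"0x{v:X}")


# Parameter positions (0-based) to decode, per API.
DECODERS = {
    "OpenServiceW": {2: flags(SERVICE_ACCESS)},
    "ControlService": {1: enum(SERVICE_CONTROL)},
    "CreateFileW": {1: flags(GENERIC_ACCESS), 2: flags(SHARE_MODE), 4: enum(CREATION)},
    "Sleep": {0: lambda v: f"{v} ms"},
}


def parse_call(line):
    """Parse one listing line into {api, module, args, ref}.

    Arguments become None for '?', int for 8 hex digits, and a literal string otherwise.
    Arguments are split on commas, which is correct for every line in this listing but would
    break on a string argument containing a comma.
    """
    m = LINE_RE.match(line)
    if not m:
        return None
    args = []
    for raw in (m["args"].split(",") if m["args"] else []):
        raw = raw.strip()
        if raw == "?":
            args.append(None)
        elif re.fullmatch(r"[0-9A-Fa-f]{8}", raw):
            args.append(int(raw, 16))
        else:
            args.append(raw)
    return {"api": m["api"], "module": m["module"], "args": args, "ref": int(m["ref"], 16)}


def annotate(call):
    """Render a parsed call with known constants decoded and trailing stack noise dropped."""
    count = PARAM_COUNT.get(call["api"])
    params = call["args"][:count] if count is not None else call["args"]
    rendered = []
    for i, value in enumerate(params):
        decode = DECODERS.get(call["api"], {}).get(i)
        if value is None:
            rendered.append("?")
        elif isinstance(value, int):
            rendered.append(decode(value) if decode else f"0x{value:X}")
        else:
            rendered.append(repr(value))
    return f"{call['api']}({', '.join(rendered)}) @ {call['ref']:08X}"


def annotate_lines(lines):
    """Annotate every parseable line; non-matching lines are skipped."""
    return [annotate(call) for call in map(parse_call, lines) if call]


if __name__ == "__main__":
    for entry in annotate_lines(SAMPLE_LINES):
        print(entry)
```

Running it prints, for example, `ControlService(0x0, SERVICE_CONTROL_CONTINUE, ?) @ 00419DC6`, which is the reading that matters when deciding whether a routine is a service killer or a pause/resume helper.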
                                          APIs
                                          • RegisterClassExA.USER32(00000030), ref: 0041CA6C
                                          • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA87
                                          • GetLastError.KERNEL32 ref: 0041CA91
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ClassCreateErrorLastRegisterWindow
                                          • String ID: 0$MsgWindowClass
                                          • API String ID: 2877667751-2410386613
                                          • Opcode ID: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                          • Instruction ID: bff961279ea7560c1ff94ea7b7e8445e3758215821d07408c43b005d8adda241
                                          • Opcode Fuzzy Hash: 8e3fabf9294f4d788ff0190a2140b1e52dfb9086da58b750c2f99102573e0e65
                                          • Instruction Fuzzy Hash: 2D01E9B1D1431EAB8B01DFE9DCC4AEFBBBDBE49255B50452AE410B2200E7704A448BA5
                                          APIs
                                          • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
                                          • CloseHandle.KERNEL32(?), ref: 00406A0F
                                          • CloseHandle.KERNEL32(?), ref: 00406A14
                                          Strings
                                          • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
                                          • C:\Windows\System32\cmd.exe, xrefs: 004069FB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseHandle$CreateProcess
                                          • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                          • API String ID: 2922976086-4183131282
                                          • Opcode ID: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                          • Instruction ID: 91eee74bc7ca160cae255ad37e89f65ee2415c19472677646c1a5aeb81073604
                                          • Opcode Fuzzy Hash: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                          • Instruction Fuzzy Hash: 8AF030B69002A9BACB30ABD69C0EFDF7F7DEBC6B11F00042AB615A6051D6745144CAB9
                                          APIs
                                          • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044258A,?,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002), ref: 004425F9
                                          • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044260C
                                          • FreeLibrary.KERNEL32(00000000,?,?,?,0044258A,?,?,0044252A,?,0046DAE0,0000000C,00442681,?,00000002,00000000), ref: 0044262F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: AddressFreeHandleLibraryModuleProc
                                          • String ID: CorExitProcess$mscoree.dll
                                          • API String ID: 4061214504-1276376045
                                          • Opcode ID: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                          • Instruction ID: 32bca75c9846dbfd0145c2b425e1dcbc158e0b1ec8d75d3d798e8c7ef3c4518a
                                          • Opcode Fuzzy Hash: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                          • Instruction Fuzzy Hash: 14F04430904209FBDB169FA5ED09B9EBFB5EB08756F4140B9F805A2251DF749D40CA9C
                                          APIs
                                          • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,004745A8,00414DB5,00000000,00000000,00000001), ref: 00404AED
                                          • SetEvent.KERNEL32(0000030C), ref: 00404AF9
                                          • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404B04
                                          • CloseHandle.KERNEL32(00000000), ref: 00404B0D
                                            • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                          • String ID: KeepAlive | Disabled
                                          • API String ID: 2993684571-305739064
                                          • Opcode ID: 1c0c748ad9fecb0dd528124c77293d7db353f6adbd4e84571b4901e68838a0a9
                                          • Instruction ID: d6da77504ed7f85403cc54e6f32b3900d2337039667ff8d97479a9328fe4a552
                                          • Opcode Fuzzy Hash: 1c0c748ad9fecb0dd528124c77293d7db353f6adbd4e84571b4901e68838a0a9
                                          • Instruction Fuzzy Hash: F8F0BBB19043007FDB1137759D0E66B7F58AB46325F00457FF892926F1DA38D890875B
                                          APIs
                                            • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                          • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F64
                                          • PlaySoundW.WINMM(00000000,00000000), ref: 00419F72
                                          • Sleep.KERNEL32(00002710), ref: 00419F79
                                          • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F82
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: PlaySound$HandleLocalModuleSleepTime
                                          • String ID: Alarm triggered
                                          • API String ID: 614609389-2816303416
                                          • Opcode ID: debb84a1251a9d4f253e7d3f2da0eb81be5ea948ed7eff08d43fd7d9de811cd2
                                          • Instruction ID: 0fe531f7edf44dbbc4d7c544cb5d4c76277d8d7fe89cd9bd4aa838a143c441bc
                                          • Opcode Fuzzy Hash: debb84a1251a9d4f253e7d3f2da0eb81be5ea948ed7eff08d43fd7d9de811cd2
                                          • Instruction Fuzzy Hash: 50E09A22A0422033862033BA7C0FC6F3E28DAC6B75B4100BFF905A21A2AE54081086FB
                                          APIs
                                          • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF02), ref: 0041BE79
                                          • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BE86
                                          • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF02), ref: 0041BE93
                                          • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF02), ref: 0041BEA6
                                          Strings
                                          • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BE99
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Console$AttributeText$BufferHandleInfoScreen
                                          • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                          • API String ID: 3024135584-2418719853
                                          • Opcode ID: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                                          • Instruction ID: 2ebb83c1e7e70c4501562f07591cf8b091918c9767bda4cb27a2f29097fd03e7
                                          • Opcode Fuzzy Hash: ebe4511383e55350cb7437214035f9f9245c880b4d311b5a557d4aca1c5ac6fb
                                          • Instruction Fuzzy Hash: C7E04F62104348ABD31437F5BC8ECAB3B7CE784613B100536F612903D3EA7484448A79
                                          APIs
                                          • TerminateThread.KERNEL32(Function_000099A9,00000000, W,pth_unenc,0040BF26,004742E0, W,?,pth_unenc), ref: 0040AFC9
                                          • UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                          • TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: TerminateThread$HookUnhookWindows
                                          • String ID: W$pth_unenc
                                          • API String ID: 3123878439-1830269918
                                          • Opcode ID: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                                          • Instruction ID: c35477c7b81069fed5c639b3d306817a7c517f63bcb5e1090982200d4e51bed9
                                          • Opcode Fuzzy Hash: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                                          • Instruction Fuzzy Hash: 32E01DB1209317DFD3101F546C84825B799EB44356324047FF6C155252C5798C54C759
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 5145828a6066f50cf31ff859ee0e23af4d85e603a01b225214a849b1d7000abc
                                          • Instruction ID: 5f24fa964153eb206603784754227e3bedeb81a57cd12874f4c303f17d5dd595
                                          • Opcode Fuzzy Hash: 5145828a6066f50cf31ff859ee0e23af4d85e603a01b225214a849b1d7000abc
                                          • Instruction Fuzzy Hash: FD71C231900216DBEB218F55C884ABFBB75FF55360F14026BEE10A7281D7B89D61CBA9
                                          APIs
                                            • Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF
                                          • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
                                          • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
                                          • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410C31
                                          • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
                                          • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
                                          • String ID:
                                          • API String ID: 3525466593-0
                                          • Opcode ID: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
                                          • Instruction ID: 414678d8c61d87a8872ee73c425a8c4ab38aff0ef96490e16bc3f9b9534d1ba0
                                          • Opcode Fuzzy Hash: 79ee37443a4366c3bbea1b893000b12d050509257f9cb6c9a6ccb14135485088
                                          • Instruction Fuzzy Hash: 1861C270200301ABD720DF66C981BA77BE6BF44744F04412AF9058B786EBF8E8C5CB99
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free
                                          • String ID:
                                          • API String ID: 269201875-0
                                          • Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                          • Instruction ID: 1dbcf13812f0ad7c91f1b1cf961d24232ef3b5dad0ac29e3e9285c08b65e5f3f
                                          • Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                          • Instruction Fuzzy Hash: 4A41D532E002049FEB24DF79C881A5EB3A5EF89718F15856EE915EB341DB35EE01CB84
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0043E3ED,?,00000000,?,00000001,?,?,00000001,0043E3ED,?), ref: 0044FF20
                                          • __alloca_probe_16.LIBCMT ref: 0044FF58
                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044FFA9
                                          • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,004399BF,?), ref: 0044FFBB
                                          • __freea.LIBCMT ref: 0044FFC4
                                            • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                          • String ID:
                                          • API String ID: 313313983-0
                                          • Opcode ID: 32ac3bd373e466217b4644ebee2ff76607fe703c26dcd28c1e1d2c5ecdebf3ce
                                          • Instruction ID: fd0d2a6e26420063bd1679c32ed8e9021f1b2be81e6a043fb7466d0fa567ef17
                                          • Opcode Fuzzy Hash: 32ac3bd373e466217b4644ebee2ff76607fe703c26dcd28c1e1d2c5ecdebf3ce
                                          • Instruction Fuzzy Hash: 9831FE32A0021AABEF248F65DC41EAF7BA5EB05314F05017BFC04D6290EB39DD58CBA4
                                          APIs
                                          Strings
                                          • W, xrefs: 0040B93B
                                          • Cleared browsers logins and cookies., xrefs: 0040B8EF
                                          • [Cleared browsers logins and cookies.], xrefs: 0040B8DE
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Sleep
                                          • String ID: [Cleared browsers logins and cookies.]$ W$Cleared browsers logins and cookies.
                                          • API String ID: 3472027048-882162890
                                          • Opcode ID: a28c998271a66f8567227a1897484aa15a4fe563e622933235ba73a641e0d975
                                          • Instruction ID: 8ec9c8031b8ac0664cfb8a22ca307bf710261ddd843e88104a77dac6ce00e7b7
                                          • Opcode Fuzzy Hash: a28c998271a66f8567227a1897484aa15a4fe563e622933235ba73a641e0d975
                                          • Instruction Fuzzy Hash: FA31891564C3816ACA11777514167EB6F958A93754F0884BFF8C4273E3DB7A480893EF
                                          APIs
                                            • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000, W), ref: 00412679
                                            • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                            • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                          • Sleep.KERNEL32(00000BB8), ref: 004115C3
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseOpenQuerySleepValue
                                          • String ID: W$@CG$exepath$BG
                                          • API String ID: 4119054056-276380665
                                          • Opcode ID: efcd0af1208699037f09edad500f6ec840cfbf7b9737e1f52f1688804d5b7727
                                          • Instruction ID: 48aadeccb903c06d46a934e3c92f1fe58b0119fffb77d403c20537554d94cb98
                                          • Opcode Fuzzy Hash: efcd0af1208699037f09edad500f6ec840cfbf7b9737e1f52f1688804d5b7727
                                          • Instruction Fuzzy Hash: C721F4A0B002042BD614B77A6C06ABF724E8BD1308F00457FBD4AA72D3DE7D9D4581AD
                                          APIs
                                          • GetEnvironmentStringsW.KERNEL32 ref: 0044E144
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E167
                                            • Part of subcall function 00446AFF: RtlAllocateHeap.NTDLL(00000000,00434403,?,?,00437227,?,?,?,?,?,0040CC87,00434403,?,?,?,?), ref: 00446B31
                                          • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E18D
                                          • _free.LIBCMT ref: 0044E1A0
                                          • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1AF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                          • String ID:
                                          • API String ID: 336800556-0
                                          • Opcode ID: 4bdc18aade4f5afa9f676aa8b8aa9a2318643a84ce2148a0478020116eae0cde
                                          • Instruction ID: 38685928f53d0fdec7f9771a1fbcf5508afe04d06d5fe5a1692e2fd93afee85f
                                          • Opcode Fuzzy Hash: 4bdc18aade4f5afa9f676aa8b8aa9a2318643a84ce2148a0478020116eae0cde
                                          • Instruction Fuzzy Hash: 8201B1726417117F73215ABB6C8CC7B6A6DEEC2BA2315013ABD04D6201DA788C0291B9
                                          APIs
                                          • GetLastError.KERNEL32(0000000A,0000000B,0000000A,00445359,00440A9B,00000000,?,?,?,?,00440C7E,00000000,0000000A,000000FF,0000000A,00000000), ref: 00446F48
                                          • _free.LIBCMT ref: 00446F7D
                                          • _free.LIBCMT ref: 00446FA4
                                          • SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 00446FB1
                                          • SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 00446FBA
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorLast$_free
                                          • String ID:
                                          • API String ID: 3170660625-0
                                          • Opcode ID: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                          • Instruction ID: 6bd692df8320938abc1815071491dbd9703328d73d2f54107518a18b095bb187
                                          • Opcode Fuzzy Hash: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                          • Instruction Fuzzy Hash: 7401D13620C70067F61266757C85D2F266DDBC3B66727013FF958A2292EE2CCC0A452F
                                          APIs
                                          • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                          • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                          • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041B3C8
                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3D3
                                          • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3DB
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$CloseHandleOpen$FileImageName
                                          • String ID:
                                          • API String ID: 2951400881-0
                                          • Opcode ID: db4a41822c85b6549257f18fa46790b7e5e5d5e6a524df97c50e7420b53bdc77
                                          • Instruction ID: bb9aee54fd4b55ef2446b45ef4d52834339351c189d8e7c886657dc3bd6b5f1d
                                          • Opcode Fuzzy Hash: db4a41822c85b6549257f18fa46790b7e5e5d5e6a524df97c50e7420b53bdc77
                                          • Instruction Fuzzy Hash: 2FF04971204209ABD3106754AC4AFA7B27CDB40B96F000037FA61D22A1FFB4CCC146AE
                                          APIs
                                          • _free.LIBCMT ref: 0044F7B5
                                            • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                            • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                          • _free.LIBCMT ref: 0044F7C7
                                          • _free.LIBCMT ref: 0044F7D9
                                          • _free.LIBCMT ref: 0044F7EB
                                          • _free.LIBCMT ref: 0044F7FD
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          • Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                          • Instruction ID: 78b16e2cd2bc6e4547488c8f4e3d182d22cf8911186b8f77a4a783cd10448158
                                          • Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                          • Instruction Fuzzy Hash: 9AF01232505600BBE620EB59E8C5C1773E9EB827147A9482BF408F7641CB3DFCC48A6C
                                          APIs
                                          • _free.LIBCMT ref: 00443305
                                            • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                            • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                          • _free.LIBCMT ref: 00443317
                                          • _free.LIBCMT ref: 0044332A
                                          • _free.LIBCMT ref: 0044333B
                                          • _free.LIBCMT ref: 0044334C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: _free$ErrorFreeHeapLast
                                          • String ID:
                                          • API String ID: 776569668-0
                                          • Opcode ID: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                          • Instruction ID: 76e6a482bc9a1727a28655d1f271e5fc3ecde01143ea680422932a64b095765e
                                          • Opcode Fuzzy Hash: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                          • Instruction Fuzzy Hash: B9F05EF08075209FAB12AF2DBD014893BA0B786755306413BF41EB2772EB380D95DB8E
                                          APIs
                                          • GetWindowThreadProcessId.USER32(?,?), ref: 00416768
                                          • GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
                                          • IsWindowVisible.USER32(?), ref: 004167A1
                                            • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B395
                                            • Part of subcall function 0041B37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3A8
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ProcessWindow$Open$TextThreadVisible
                                          • String ID: (FG
                                          • API String ID: 3142014140-2273637114
                                          • Opcode ID: 4740719a390b3ba9c6c78a6bb065e116e455b7124dca1e6ba6f29cda58230414
                                          • Instruction ID: 6337817d5adb2ff800b6fe7f9081d1b6a06097940366009b721c4d78a1625a25
                                          • Opcode Fuzzy Hash: 4740719a390b3ba9c6c78a6bb065e116e455b7124dca1e6ba6f29cda58230414
                                          • Instruction Fuzzy Hash: FD71E6321082414AC325FB61D8A5ADFB3E4AFE4319F50453EF58A530E1EF746A49C79A
                                          APIs
                                          • _strpbrk.LIBCMT ref: 0044D4A8
                                          • _free.LIBCMT ref: 0044D5C5
                                            • Part of subcall function 0043A854: IsProcessorFeaturePresent.KERNEL32(00000017,0043A826,00000000,0000000A,0000000A,00000000,0041AD67,00000022,?,?,0043A833,00000000,00000000,00000000,00000000,00000000), ref: 0043A856
                                            • Part of subcall function 0043A854: GetCurrentProcess.KERNEL32(C0000417,0000000A,00000000), ref: 0043A878
                                            • Part of subcall function 0043A854: TerminateProcess.KERNEL32(00000000), ref: 0043A87F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                          • String ID: *?$.
                                          • API String ID: 2812119850-3972193922
                                          • Opcode ID: 3ccd6c7c6263025d80bbf4df8e19646480fb990c35b4b1cfbff97afb24dbcef1
                                          • Instruction ID: 2d4433a3afc190a5690657b280c6536bac4d5ba0d1806d6c31be7b1549e3be36
                                          • Opcode Fuzzy Hash: 3ccd6c7c6263025d80bbf4df8e19646480fb990c35b4b1cfbff97afb24dbcef1
                                          • Instruction Fuzzy Hash: 7251B371E00109AFEF14DFA9C881AAEB7F5EF58318F24416FE854E7301DA799E018B54
                                          APIs
                                          • GetKeyboardLayoutNameA.USER32(?), ref: 00409601
                                            • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                            • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                            • Part of subcall function 0041B6AA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6BF
                                            • Part of subcall function 00404468: send.WS2_32(00000304,00000000,00000000,00000000), ref: 004044FD
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateFileKeyboardLayoutNameconnectsendsocket
                                          • String ID: XCG$XdW$>G
                                          • API String ID: 2334542088-3469679009
                                          • Opcode ID: 1cf10a0665e3775091c447b47999919f7d6db2360a149e937a3b08d82d1eeea5
                                          • Instruction ID: 7adbea44916697806613a62f0197ef330eb15d5bc584e2d7fa9685cab7613629
                                          • Opcode Fuzzy Hash: 1cf10a0665e3775091c447b47999919f7d6db2360a149e937a3b08d82d1eeea5
                                          • Instruction Fuzzy Hash: 865143321042405BC325F775D8A2AEF73D5AFE4308F50483FF84A671E2EE785949C69A
                                          APIs
                                          • send.WS2_32(00000304,00000000,00000000,00000000), ref: 004044FD
                                          • WaitForSingleObject.KERNEL32(00000330,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                          • SetEvent.KERNEL32(00000330,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: EventObjectSingleWaitsend
                                          • String ID: LAL
                                          • API String ID: 3963590051-3302426157
                                          • Opcode ID: 314c35cb7c3e0cdd1eb64e7b3ffc619a90be7dd70040102f0ebb66c8c0e95541
                                          • Instruction ID: 68c7e6670e460543dd9c105572fcb78fed3a06f13f8c8b410ea91b680b50408d
                                          • Opcode Fuzzy Hash: 314c35cb7c3e0cdd1eb64e7b3ffc619a90be7dd70040102f0ebb66c8c0e95541
                                          • Instruction Fuzzy Hash: 192143B29001196BDF04BBA5DC96DEE777CFF54358B00013EF916B21E1EA78A604D6A4
                                          APIs
                                          • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
                                            • Part of subcall function 0041AB38: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?, W), ref: 0041AB5F
                                            • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                            • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                            • Part of subcall function 0041B61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                          • Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                          • String ID: /sort "Visit Time" /stext "$8>G
                                          • API String ID: 368326130-2663660666
                                          • Opcode ID: f086c9f5da83253ac26c9d0f50b0703b97421a1697d77c47133a2e168226085d
                                          • Instruction ID: 7eda923cdb9144c2d3fbd791e6ccfb72172be11f11f2a08a3aebfaec1b2861d2
                                          • Opcode Fuzzy Hash: f086c9f5da83253ac26c9d0f50b0703b97421a1697d77c47133a2e168226085d
                                          • Instruction Fuzzy Hash: E5317331A0021456CB14FBB6DC969EE7775AF90318F40017FF906B71D2EF385A8ACA99
                                          APIs
                                          • GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                          • wsprintfW.USER32 ref: 0040A905
                                            • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: EventLocalTimewsprintf
                                          • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                                          • API String ID: 1497725170-1359877963
                                          • Opcode ID: f1131f2c5aa9efe0aa35bfe1aadc190762ac6710f9a6fccd412707abd6ba0ca2
                                          • Instruction ID: 8a7b6ca92c081f7f17d03b5bac770d689c192d548357e869dbc211d44db93d1d
                                          • Opcode Fuzzy Hash: f1131f2c5aa9efe0aa35bfe1aadc190762ac6710f9a6fccd412707abd6ba0ca2
                                          • Instruction Fuzzy Hash: BB118172400118AACB18BB56EC55CFE77BCAE48325F00013FF842620D1EF7C5A86C6E9
                                          APIs
                                            • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                            • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                            • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                          • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040A691
                                          • CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 0040A69D
                                          • CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CreateThread$LocalTime$wsprintf
                                          • String ID: Online Keylogger Started
                                          • API String ID: 112202259-1258561607
                                          • Opcode ID: 74bbf1dd48c5cc06e207f48c4eb53604144d0a493703acba44df512efce14c16
                                          • Instruction ID: 3917ec9fcb61ff418b23047d8298326e5ff7fd14d64f683336ff9c65b5464130
                                          • Opcode Fuzzy Hash: 74bbf1dd48c5cc06e207f48c4eb53604144d0a493703acba44df512efce14c16
                                          • Instruction Fuzzy Hash: DE01C4916003093AE62076368C87DBF3A6DCA813A8F40043EF541362C3E97D5D5582FB
                                          APIs
                                          • CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A991,`@,0046DD28,0000000C), ref: 0044AAC9
                                          • GetLastError.KERNEL32(?,0044A991,`@,0046DD28,0000000C), ref: 0044AAD3
                                          • __dosmaperr.LIBCMT ref: 0044AAFE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseErrorHandleLast__dosmaperr
                                          • String ID: `@
                                          • API String ID: 2583163307-951712118
                                          • Opcode ID: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                          • Instruction ID: 1bd3c876d7044edfb1a6812000b34c32b622226010ed5631802de8abdb52b33d
                                          • Opcode Fuzzy Hash: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                          • Instruction Fuzzy Hash: F8018E366446201AF7206674698577F77898B82738F2A027FF904972D2DE6DCCC5C19F
                                          APIs
                                          • PathFileExistsW.SHLWAPI(00000000), ref: 00419EAE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExistsFilePath
                                          • String ID: TUF$alarm.wav$xIG
                                          • API String ID: 1174141254-2188790166
                                          • Opcode ID: 78a56aa9651363ee496944c99f45765e7eccc86df74fcc7e6b7799ffaff104a1
                                          • Instruction ID: 7a4fe07350b1461b8d7cab7706a536354aa1130be6e3c83a2e6414618e768e61
                                          • Opcode Fuzzy Hash: 78a56aa9651363ee496944c99f45765e7eccc86df74fcc7e6b7799ffaff104a1
                                          • Instruction Fuzzy Hash: 8B01802060420166C604B676D866AEE77458BC1719F40413FF89A966E2EF6CAEC6C2DF
                                          APIs
                                          • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
                                          • CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
                                          • SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CloseEventHandleObjectSingleWait
                                          • String ID: Connection Timeout
                                          • API String ID: 2055531096-499159329
                                          • Opcode ID: 021faa9111ab8834074a9e6104490ab3bec6bd23ae7819230539afb67bbeabe2
                                          • Instruction ID: ea4abd021a31a941d528121f8d879e106695b0b6a7a7fd2d86c7f06b9a048df4
                                          • Opcode Fuzzy Hash: 021faa9111ab8834074a9e6104490ab3bec6bd23ae7819230539afb67bbeabe2
                                          • Instruction Fuzzy Hash: 7A01F5B1940B41AFD325BB3A9C4645ABBE4AB45315700053FF6D392BB1DA38E8408B5A
                                          APIs
                                          • std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
                                          • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08
                                            • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 004347DC
                                            • Part of subcall function 004347BD: _Yarn.LIBCPMT ref: 00434800
                                          • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                          • String ID: bad locale name
                                          • API String ID: 3628047217-1405518554
                                          • Opcode ID: 2c952230bb5508a40ba9b400b3509c8dd800ec2376424fb743b9d3d13ecaa97f
                                          • Instruction ID: 69d9b4558c1556c2c918d31b5ea24064f6fee533cc814fb99c42b36f0b05f267
                                          • Opcode Fuzzy Hash: 2c952230bb5508a40ba9b400b3509c8dd800ec2376424fb743b9d3d13ecaa97f
                                          • Instruction Fuzzy Hash: 1AF08171400204EAC724FB23D853ACA73A49F54748F90497FB506214D2EF38A618CA8C
                                          APIs
                                          • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                           • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                           • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ExecuteShell
                                          • String ID: /C $cmd.exe$open
                                          • API String ID: 587946157-3896048727
                                          • Opcode ID: ee6d09c7a5be61fc2c77f0fe381f15b1933766d643093560b744fac4f5f657b7
                                          • Instruction ID: 3ae8c2b06d9b1922b9065f49b1512f2a4b1b87a12dccb2265ed1bd098505db2c
                                          • Opcode Fuzzy Hash: ee6d09c7a5be61fc2c77f0fe381f15b1933766d643093560b744fac4f5f657b7
                                          • Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: __alldvrm$_strrchr
                                          • String ID:
                                          • API String ID: 1036877536-0
                                          • Opcode ID: 63f75d4c6ddf9dfadee5a9a28b1451e266bcc439c32975fae3941ae33d1a5297
                                          • Instruction ID: 63a095292c52d92af2bf19a392fdfa9b0d117a80b68c781492b1ecdde0b53e6f
                                          • Opcode Fuzzy Hash: 63f75d4c6ddf9dfadee5a9a28b1451e266bcc439c32975fae3941ae33d1a5297
                                          • Instruction Fuzzy Hash: 60A168729042469FFB21CF58C8817AEBBE2EF55314F24416FE5849B382DA3C8D45C759
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: d2c3ac181d975cfacaee5c3ec40136b8bdf5b2422b9dd14ab5655829a2308330
                                          • Instruction ID: 90b3d0a8f148eb65ba096d855dd205fb67a40d318d5acb0a54968c3478788488
                                          • Opcode Fuzzy Hash: d2c3ac181d975cfacaee5c3ec40136b8bdf5b2422b9dd14ab5655829a2308330
                                          • Instruction Fuzzy Hash: 10412B71A00744AFF724AF78CC41B6ABBE8EF88714F10452FF511DB291E679A9458788
                                          APIs
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: SystemTimes$Sleep__aulldiv
                                          • String ID:
                                          • API String ID: 188215759-0
                                          • Opcode ID: 92a2626712ce3f1da2ce83f7d896a05a413d351f08ea1f1dcdc4cf9aeb41d840
                                          • Instruction ID: 3b66203fd79088dfadce72ddbf0b0401c54eb4bd27628439374ba0e7aa9136f0
                                          • Opcode Fuzzy Hash: 92a2626712ce3f1da2ce83f7d896a05a413d351f08ea1f1dcdc4cf9aeb41d840
                                          • Instruction Fuzzy Hash: 9D215E725083009BC304DF65D98589FB7E8EFC8654F044A2EF589D3251EA34EA49CB63
                                          APIs
                                            • Part of subcall function 0041B6E6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B6F6
                                            • Part of subcall function 0041B6E6: GetWindowTextLengthW.USER32(00000000), ref: 0041B6FF
                                            • Part of subcall function 0041B6E6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B729
                                          • Sleep.KERNEL32(000001F4), ref: 00409C95
                                          • Sleep.KERNEL32(00000064), ref: 00409D1F
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Window$SleepText$ForegroundLength
                                          • String ID: [ $ ]
                                          • API String ID: 3309952895-93608704
                                          • Opcode ID: 92cb9d2a2d6bf6289d44fec474a7e000b4a54ab88b054bee990bed59a71b9a03
                                          • Instruction ID: a5f4dc9a3e016f43683dc3f70dfd76a68f9d753ffdb665cb1c6be196efeb7d0c
                                          • Opcode Fuzzy Hash: 92cb9d2a2d6bf6289d44fec474a7e000b4a54ab88b054bee990bed59a71b9a03
                                          • Instruction Fuzzy Hash: 4611C0325082005BD218FB25DC17AAEB7A8AF51708F40047FF542221E3EF39AE1986DF
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID:
                                          • API String ID:
                                          • Opcode ID: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                                          • Instruction ID: e6f180ecc181abb5a77ec057abe27f8575e00a75e8bcf6cd4df5c03139e47140
                                          • Opcode Fuzzy Hash: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                                          • Instruction Fuzzy Hash: E10121F2A092163EB62016797DD0DA7260DDF823B8374033BF421722D2EAA88C004068
                                          APIs
                                          • ___BuildCatchObject.LIBVCRUNTIME ref: 0043810F
                                            • Part of subcall function 0043805C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043808B
                                            • Part of subcall function 0043805C: ___AdjustPointer.LIBCMT ref: 004380A6
                                          • _UnwindNestedFrames.LIBCMT ref: 00438124
                                          • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438135
                                          • CallCatchBlock.LIBVCRUNTIME ref: 0043815D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                          • String ID:
                                          • API String ID: 737400349-0
                                          • Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                          • Instruction ID: 9a8277e88b86f5caaa8344fd0510e130f37262ecddc885b6c63592dc4fca678f
                                          • Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                          • Instruction Fuzzy Hash: 09014032100208BBDF126E96CC45DEB7B69EF4C758F04500DFE4866121C739E861DBA8
                                          APIs
                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004471B7,00000000,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue), ref: 00447242
                                          • GetLastError.KERNEL32(?,004471B7,00000000,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446F91), ref: 0044724E
                                          • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471B7,00000000,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044725C
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: LibraryLoad$ErrorLast
                                          • String ID:
                                          • API String ID: 3177248105-0
                                          • Opcode ID: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                          • Instruction ID: 998cab178f840ac2caaf283a3a5c141d85ba25b8fcaedc139a46ff50caeaa73b
                                          • Opcode Fuzzy Hash: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                          • Instruction Fuzzy Hash: FC01D83261D7236BD7214B79AC44A577798BB05BA1B1106B2F906E3241D768D802C6D8
                                          APIs
                                          • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633
                                          • GetFileSize.KERNEL32(00000000,00000000), ref: 0041B647
                                          • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041B66C
                                          • CloseHandle.KERNEL32(00000000), ref: 0041B67A
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: File$CloseCreateHandleReadSize
                                          • String ID:
                                          • API String ID: 3919263394-0
                                          • Opcode ID: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                          • Instruction ID: 0a6fce4b3becde4f67ebc64a516323d43c368a538d14007d95c0a1c89629aad3
                                          • Opcode Fuzzy Hash: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                          • Instruction Fuzzy Hash: B3F0F6B12053047FE6101B25FC85FBF375CDB867A5F00023EFC01A22D1DA658C459179
                                          APIs
                                          • GetSystemMetrics.USER32(0000004C), ref: 00418519
                                          • GetSystemMetrics.USER32(0000004D), ref: 0041851F
                                          • GetSystemMetrics.USER32(0000004E), ref: 00418525
                                          • GetSystemMetrics.USER32(0000004F), ref: 0041852B
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: MetricsSystem
                                          • String ID:
                                          • API String ID: 4116985748-0
                                          • Opcode ID: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
                                          • Instruction ID: 928f1b056b10b768f566869b0c9e39fed015f0adb742d9b99f9daccd71f82e50
                                          • Opcode Fuzzy Hash: 5cbd94679aa6c8e7ceff70e29103114ee131790299e318eb9a9968d7a4031cfb
                                          • Instruction Fuzzy Hash: 96F0D672B043216BCA00EA798C4556FBB97DFD02A4F25083FE6059B341DEB8EC4687D9
                                          APIs
                                          • __startOneArgErrorHandling.LIBCMT ref: 00441F6D
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorHandling__start
                                          • String ID: pow
                                          • API String ID: 3213639722-2276729525
                                          • Opcode ID: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
                                          • Instruction ID: c296867054112a427edbdd16b3baf579c6faf9d8481746a729c2ad46b2c40409
                                          • Opcode Fuzzy Hash: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
                                          • Instruction Fuzzy Hash: 2A517B61A1620196F7117714C98137F2BD0DB50741F688D6BF085423F9DF3D8CDA9A4E
                                          APIs
                                          • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB59
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Info
                                          • String ID: $fD
                                          • API String ID: 1807457897-3092946448
                                          • Opcode ID: af305b060504fe74110eba1b75a066a7b29ec04ef294ab3684049637f65bd75b
                                          • Instruction ID: 070357306f4c5095a08430c9ceac02bf5c2973ae7142a422f036c1757655e3b4
                                          • Opcode Fuzzy Hash: af305b060504fe74110eba1b75a066a7b29ec04ef294ab3684049637f65bd75b
                                          • Instruction Fuzzy Hash: C241FA7090439C9AEB218F24CCC4BF6BBB9DF45308F1404EEE59A87242D279AE45DF65
                                          APIs
                                          • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417C08
                                            • Part of subcall function 004177A2: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417C1B,00000000,?,?,?,?,00000000), ref: 004177B6
                                          • SHCreateMemStream.SHLWAPI(00000000), ref: 00417C55
                                            • Part of subcall function 00417815: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417C71,00000000,?,?), ref: 00417827
                                            • Part of subcall function 004177C5: GdipDisposeImage.GDIPLUS(?,00417CCC), ref: 004177CE
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                          • String ID: image/jpeg
                                          • API String ID: 1291196975-3785015651
                                          • Opcode ID: 8f3b30371828e1907736ebf26ac10b00a12ebc6a0bae61ebf375912b50c4f4ef
                                          • Instruction ID: 3dbe320e324aa312c145f712c1d391ec03548c85c69305bb74e69b0931de3aa8
                                          • Opcode Fuzzy Hash: 8f3b30371828e1907736ebf26ac10b00a12ebc6a0bae61ebf375912b50c4f4ef
                                          • Instruction Fuzzy Hash: 13315C75508300AFC301AF65C884DAFBBF9FF8A704F000A2EF94597251DB79A905CBA6
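The blocks above are raw call traces; the security-relevant reading is in the combinations and in the hex arguments. As an added triage example (not part of the Joe Sandbox report and not the sample's code), the script below parses the `APIs` lines exactly as they are printed here, decodes the constants an analyst otherwise looks up by hand (GetSystemMetrics 0x4C..0x4F are the SM_*VIRTUALSCREEN indices used to size a full-desktop capture, Sleep 0x1F4/0x64 are 500 ms/100 ms, CreateFileW 0x80000000/3 are GENERIC_READ/OPEN_EXISTING, LoadLibraryExW flag 0x800 is LOAD_LIBRARY_SEARCH_SYSTEM32), and labels the patterns seen in this section: the ShellExecuteW(cmd.exe) block, the GetForegroundWindow/GetWindowTextW/Sleep block, the four-call GetSystemMetrics block, the SHCreateMemStream/GdipSaveImageToStream block, and the LoadLibraryExW/GetLastError/LoadLibraryExW triple. The sample lines are copied from this report; the `Call` class, the rule names and the `describe`/`classify` helpers are this example's own and not a Joe Sandbox API.

```python
"""Triage helper for the 'APIs' call-trace lines of a Joe Sandbox report.

Added example, not part of the report: parse_calls() turns lines such as
  "• Sleep.KERNEL32(000001F4), ref: 00409C95"
into Call records, describe() decodes known constants and classify() flags
the call combinations seen in the blocks above. SAMPLE_BLOCKS is copied
from this report; rule and helper names are this example's own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Optional "Part of subcall function XXXXXXXX: " prefix, API.MODULE, an
# optional argument list, then the call-site address after "ref:".
_CALL = re.compile(
    r"(?:Part of subcall function (?P<sub>[0-9A-Fa-f]{8}): )?"
    r"(?P<api>[\w:]+)\.(?P<mod>\w+)(?:\((?P<args>.*)\),)? ref: (?P<ref>[0-9A-Fa-f]{8})")

# Win32 SDK values behind the raw hex arguments in the trace.
SM_NAMES = {0x4C: "SM_XVIRTUALSCREEN", 0x4D: "SM_YVIRTUALSCREEN",
            0x4E: "SM_CXVIRTUALSCREEN", 0x4F: "SM_CYVIRTUALSCREEN"}
GENERIC_READ, OPEN_EXISTING, LOAD_LIBRARY_SEARCH_SYSTEM32 = 0x80000000, 3, 0x800

@dataclass
class Call:
    api: str
    module: str
    args: list                      # int for 8-hex-digit values, else str
    ref: str                        # call-site address in the memory dump
    subcall_of: Optional[str] = None

def _arg(tok: str):
    tok = tok.strip()
    return int(tok, 16) if re.fullmatch(r"[0-9A-Fa-f]{8}", tok) else tok

def parse_calls(lines) -> List[Call]:
    calls = []
    for line in lines:
        m = _CALL.search(line)
        if not m:
            continue                # header or non-call line, skip it
        raw = m.group("args")
        calls.append(Call(m.group("api"), m.group("mod"),
                          [_arg(a) for a in raw.split(",")] if raw else [],
                          m.group("ref").upper(), m.group("sub")))
    return calls

def describe(c: Call) -> str:
    """One call with the constants we recognise decoded."""
    a = c.args
    if c.api == "GetSystemMetrics" and a and isinstance(a[0], int):
        return SM_NAMES.get(a[0], f"GetSystemMetrics({a[0]})")
    if c.api == "Sleep" and a and isinstance(a[0], int):
        return f"Sleep {a[0]} ms"
    if c.api == "CreateFileW" and len(a) >= 5:
        access = "GENERIC_READ" if a[1] == GENERIC_READ else str(a[1])
        disp = "OPEN_EXISTING" if a[4] == OPEN_EXISTING else str(a[4])
        return f"CreateFileW {access} {disp}"
    if c.api == "LoadLibraryExW" and len(a) >= 3 and a[2] == LOAD_LIBRARY_SEARCH_SYSTEM32:
        return "LoadLibraryExW LOAD_LIBRARY_SEARCH_SYSTEM32"
    return c.api

# Each rule looks at one report block (one function) as a whole.
RULES = [
    ("remote shell via cmd.exe",
     lambda cs: any(c.api == "ShellExecuteW" and "cmd.exe" in c.args for c in cs)),
    ("active-window title capture (keylogger context)",
     lambda cs: {"GetForegroundWindow", "GetWindowTextW"} <= {c.api for c in cs}),
    ("virtual-screen geometry (screen capture prep)",
     lambda cs: {c.args[0] for c in cs if c.api == "GetSystemMetrics" and c.args} >= set(SM_NAMES)),
    ("in-memory image encode (JPEG to stream)",
     lambda cs: {"SHCreateMemStream", "GdipSaveImageToStream"} <= {c.api for c in cs}),
    # Runtime code, not malware behaviour: the UCRT retries without the flag.
    ("CRT LoadLibraryExW fallback (benign runtime code)",
     lambda cs: [c.api for c in cs] == ["LoadLibraryExW", "GetLastError", "LoadLibraryExW"]),
]

def classify(calls: List[Call]) -> List[str]:
    return [name for name, pred in RULES if pred(calls)]

SAMPLE_BLOCKS = {  # copied from the report blocks above
    "shell": ["• ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4"],
    "window_title": [
        "• Part of subcall function 0041B6E6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B6F6",
        "• Part of subcall function 0041B6E6: GetWindowTextLengthW.USER32(00000000), ref: 0041B6FF",
        "• Part of subcall function 0041B6E6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B729",
        "• Sleep.KERNEL32(000001F4), ref: 00409C95",
        "• Sleep.KERNEL32(00000064), ref: 00409D1F"],
    "metrics": [f"• GetSystemMetrics.USER32({i:08X}), ref: {r}" for i, r in
                zip(range(0x4C, 0x50), ("00418519", "0041851F", "00418525", "0041852B"))],
    "jpeg": [
        "• SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417C08",
        "• Part of subcall function 004177A2: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417C1B,00000000,?,?,?,?,00000000), ref: 004177B6",
        "• SHCreateMemStream.SHLWAPI(00000000), ref: 00417C55",
        "• Part of subcall function 00417815: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417C71,00000000,?,?), ref: 00417827",
        "• Part of subcall function 004177C5: GdipDisposeImage.GDIPLUS(?,00417CCC), ref: 004177CE"],
    "crt": [
        "• LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004471B7,00000000,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue), ref: 00447242",
        "• GetLastError.KERNEL32(?,004471B7,00000000,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446F91), ref: 0044724E",
        "• LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471B7,00000000,00000000,00000000,00000000,?,004474E3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044725C"],
    "file": ["• CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B633"],
}

if __name__ == "__main__":
    for name, lines in SAMPLE_BLOCKS.items():
        cs = parse_calls(lines)
        print(name, [describe(c) for c in cs], classify(cs))
```

Two caveats the labels encode. The LoadLibraryExW block (LOAD_LIBRARY_SEARCH_SYSTEM32, GetLastError, retry with flags 0, with `FlsSetValue` on the stack) is the Visual C++ runtime's own delay-resolution of kernel32 imports and is present in any MSVC-built binary, so it should not be counted toward the verdict. The window-title block, on the other hand, is worth weighting: reading the String ID `[ $ ]` as the two strings `[ ` and ` ]` (the `$` is the separator the report uses between strings, compare `/C $cmd.exe$open`), the function polls the foreground window title and wraps it in brackets between short sleeps, which is how keyloggers annotate captured keystrokes with the window they were typed into.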
                                          APIs
                                          • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450B39,?,00000050,?,?,?,?,?), ref: 004509B9
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: ACP$OCP
                                          • API String ID: 0-711371036
                                          • Opcode ID: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                          • Instruction ID: 7e3e8aaac6bfe0b7539266298c93f9b0706a3ab6a9e9f394231f134d2b8bf5b7
                                          • Opcode Fuzzy Hash: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                          • Instruction Fuzzy Hash: 072138EAA04201A6F7348B558801B9B7396AF54B23F164826EC49D730BF739DD49C358
                                          APIs
                                          • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417CF4
                                            • Part of subcall function 004177A2: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417C1B,00000000,?,?,?,?,00000000), ref: 004177B6
                                          • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00417D19
                                            • Part of subcall function 00417815: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417C71,00000000,?,?), ref: 00417827
                                            • Part of subcall function 004177C5: GdipDisposeImage.GDIPLUS(?,00417CCC), ref: 004177CE
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                          • String ID: image/png
                                          • API String ID: 1291196975-2966254431
                                          • Opcode ID: 3eb8dd80f54a72a5a0a9ed13ccec69a705e73992219fab643a786ff0acabb055
                                          • Instruction ID: e3b7944e5392015f30009faa46d0af48502643625c308f0969f1fef2cb3c76d4
                                          • Opcode Fuzzy Hash: 3eb8dd80f54a72a5a0a9ed13ccec69a705e73992219fab643a786ff0acabb055
                                          • Instruction Fuzzy Hash: AA21A135204211AFC300AF61CC88CAFBBBDEFCA714F10052EF90693151DB399945CBA6
                                          APIs
                                          • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1
                                            • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                          • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E
                                          Strings
                                          • KeepAlive | Enabled | Timeout: , xrefs: 004049E5
                                          Yara matches
                                          Similarity
                                          • API ID: LocalTime
                                          • String ID: KeepAlive | Enabled | Timeout:
                                          • API String ID: 481472006-1507639952
                                          • Opcode ID: 88f98e07624f0cdc5f5406798babcb05efc51bc28ea43e2309e29ec04d21d8db
                                          • Instruction ID: fa495feba5854bec2644a8330ceabc5ae1d4c14ac10d4033695aa89a80f4fa5c
                                          • Opcode Fuzzy Hash: 88f98e07624f0cdc5f5406798babcb05efc51bc28ea43e2309e29ec04d21d8db
                                          • Instruction Fuzzy Hash: 5A2126A1A042806BC310FB6AD80A76B7B9497D1319F44407EF849532E2DB3C5999CB9F
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID:
                                          • String ID: LG$XG
                                          • API String ID: 0-1482930923
                                          • Opcode ID: c15126115d7b74b818ce8cc4bfc83f894c4a74ec01747284a75d25f55942686d
                                          • Instruction ID: b803d8f2fb0d60b71c32d24796bf113498d2ea24005d64aa96dbf80bf0db992b
                                          • Opcode Fuzzy Hash: c15126115d7b74b818ce8cc4bfc83f894c4a74ec01747284a75d25f55942686d
                                          • Instruction Fuzzy Hash: CE11A3B1D01654AACB20EFA998017CFB7A55F09725F14D06BED18EF281D3B9DB408B98
                                          APIs
                                          • GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID: LocalTime
                                          • String ID: | $%02i:%02i:%02i:%03i
                                          • API String ID: 481472006-2430845779
                                          • Opcode ID: 9b95a0a033af4e6b3b54331b4a103e7e6270c3a9d1cca9dd8a72674f32e816fd
                                          • Instruction ID: d205b4ebe2adc0156a37935a73d605e8b5d9817e81284f53efab16a15aec7ece
                                          • Opcode Fuzzy Hash: 9b95a0a033af4e6b3b54331b4a103e7e6270c3a9d1cca9dd8a72674f32e816fd
                                          • Instruction Fuzzy Hash: 80114C725082045AC704EBA5D8568AF73E8AB94708F10053FFC85931E1EF38DA84C69E
                                          APIs
                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00412612
                                          • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00412648
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID: QueryValue
                                          • String ID: TUF
                                          • API String ID: 3660427363-3431404234
                                          • Opcode ID: ea05bdfc88d730103140c1813835b768b0c4990d0bb52d9cb4e5ffcfc942b32d
                                          • Instruction ID: 62a4949b47554db758ef5e9b715c6ec4cc130d120bf99ac1ec1555789b8052d8
                                          • Opcode Fuzzy Hash: ea05bdfc88d730103140c1813835b768b0c4990d0bb52d9cb4e5ffcfc942b32d
                                          • Instruction Fuzzy Hash: BC01A7B6A00108BFDB049B95DD46EFF7ABDDF44240F10007AF901E2251E6749F009664
                                          APIs
                                          • CreateThread.KERNEL32(00000000,00000000,Function_0000B806,00000000,00000000,00000000), ref: 0040B9C3
                                            • Part of subcall function 0041246E: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B996,004660E0), ref: 00412485
                                            • Part of subcall function 0041246E: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040B996,004660E0), ref: 00412499
                                            • Part of subcall function 0041246E: RegCloseKey.KERNEL32(?,?,?,0040B996,004660E0), ref: 004124A4
                                            • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                            • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?, W), ref: 004124F5
                                            • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID: CloseOpenQueryValue$CreateThread
                                          • String ID: W$`F
                                          • API String ID: 3520877709-1405278311
                                          • Opcode ID: d961a89bf5f709506fd819609016054ed950b758ba64f6afdf8bb4b0b1854337
                                          • Instruction ID: e7c06676a50877b745d9b19ecfbe3f02a9f7dad16726040ce6249d743dc32a62
                                          • Opcode Fuzzy Hash: d961a89bf5f709506fd819609016054ed950b758ba64f6afdf8bb4b0b1854337
                                          • Instruction Fuzzy Hash: A0F0F461611224A7C710AB666D418AF6B9DCE83794720843FF905B7391EB789D0182ED
                                          APIs
                                            • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                            • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                            • Part of subcall function 0041A686: GetLocalTime.KERNEL32(00000000), ref: 0041A6A0
                                          • CloseHandle.KERNEL32(?), ref: 0040A7CA
                                          • UnhookWindowsHookEx.USER32 ref: 0040A7DD
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                          • String ID: Online Keylogger Stopped
                                          • API String ID: 1623830855-1496645233
                                          • Opcode ID: fe6e18c6252a0bee342ef941cd7d9d06612fb05f1df7cb5e72a2689b447559bc
                                          • Instruction ID: 3c154674506c802d119dc10506b29c5389a087cae46ba36945c53301bfe6088f
                                          • Opcode Fuzzy Hash: fe6e18c6252a0bee342ef941cd7d9d06612fb05f1df7cb5e72a2689b447559bc
                                          • Instruction Fuzzy Hash: CC01D431A043019BDB25BB35C80B7AEBBB59B45315F80407FE481225D2EB7999A6C3DB
                                          APIs
                                          • waveInPrepareHeader.WINMM(0057FD90,00000020,?,?,00000000,00475B70,00473EE8,?,00000000,00401913), ref: 00401747
                                          • waveInAddBuffer.WINMM(0057FD90,00000020,?,00000000,00401913), ref: 0040175D
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID: wave$BufferHeaderPrepare
                                          • String ID: T=G
                                          • API String ID: 2315374483-379896819
                                          • Opcode ID: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                          • Instruction ID: f8644d152c35c587af506687758c025c54344a6e575747702fe1289d7b8da532
                                          • Opcode Fuzzy Hash: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                          • Instruction Fuzzy Hash: 65018B71301300AFD7209F39EC45A69BBA9EB4931AF01413EB808D32B1EB34A8509B98
                                          APIs
                                          • IsValidLocale.KERNEL32(00000000,j=D,00000000,00000001,?,?,00443D6A,?,?,?,?,00000004), ref: 004477DC
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID: LocaleValid
                                          • String ID: IsValidLocaleName$j=D
                                          • API String ID: 1901932003-3128777819
                                          • Opcode ID: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                          • Instruction ID: d075984350fdfa8650c9f53b231b8a0b142c4dacf6ed37e79753978632a381d4
                                          • Opcode Fuzzy Hash: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                          • Instruction Fuzzy Hash: B7F0E930A45218F7EA116B61DC06F5EBB54CF49B11F50407AFD056A293CB796D0195DC
                                          APIs
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID: H_prolog
                                          • String ID: T=G$T=G
                                          • API String ID: 3519838083-3732185208
                                          • Opcode ID: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
                                          • Instruction ID: 37a3980bbf64332544f5ef03d086655580814226aad47650f393c0c18fea351b
                                          • Opcode Fuzzy Hash: ece060f59eec47038b163f6730b9b4774a9df75ced3df6c836fae2af045d366e
                                          • Instruction Fuzzy Hash: BCF0E971A00220ABC714BB65C80669EB774EF41369F10827FB416B72E1CBBD5D04D65D
                                          APIs
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID: _free
                                          • String ID: X%W
                                          • API String ID: 269201875-2148709034
                                          • Opcode ID: e0c07418694881cfdc192a5642d2fc592dcbedec7190f7d1bd2a6cce8c9e4082
                                          • Instruction ID: f0cf83c002af9be10e85dbd72a17715ce9ce30914f7b4b99b2350c0725a7183d
                                          • Opcode Fuzzy Hash: e0c07418694881cfdc192a5642d2fc592dcbedec7190f7d1bd2a6cce8c9e4082
                                          • Instruction Fuzzy Hash: 8CE0222260291130F23A623F6D0676B06458BC233CF19032BF825F62D1EFAC884395AE
                                          APIs
                                          • GetKeyState.USER32(00000011), ref: 0040AD5B
                                            • Part of subcall function 00409B10: GetForegroundWindow.USER32(?,?,004740F8), ref: 00409B3F
                                            • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                            • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                            • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
                                            • Part of subcall function 00409B10: GetKeyboardState.USER32(?,?,004740F8), ref: 00409B67
                                            • Part of subcall function 00409B10: ToUnicodeEx.USER32(0047414C,00000000,?,?,00000010,00000000,00000000), ref: 00409B8A
                                            • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                            • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                          • String ID: [AltL]$[AltR]
                                          • API String ID: 2738857842-2658077756
                                          • Opcode ID: 0fd097a0a4b99d70b02a08e9004214b89ee8ccd3163f9cf7526c1a47b2b50f16
                                          • Instruction ID: d2c0c429c9fe13b3c6c970781ecfc4970ab7400740a1dec538c1fc9fef0a0b20
                                          • Opcode Fuzzy Hash: 0fd097a0a4b99d70b02a08e9004214b89ee8ccd3163f9cf7526c1a47b2b50f16
                                          • Instruction Fuzzy Hash: 47E0652134072117C898323EA91E6EE3A228F82B65B80416FF8866BAD6DD6D4D5053CB
                                          APIs
                                          • _free.LIBCMT ref: 00448825
                                            • Part of subcall function 00446AC5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A), ref: 00446ADB
                                            • Part of subcall function 00446AC5: GetLastError.KERNEL32(0000000A,?,0044FA50,0000000A,00000000,0000000A,00000000,?,0044FCF4,0000000A,00000007,0000000A,?,00450205,0000000A,0000000A), ref: 00446AED
                                          Strings
                                          Yara matches
                                          Similarity
                                          • API ID: ErrorFreeHeapLast_free
                                          • String ID: `@$`@
                                          • API String ID: 1353095263-20545824
                                          • Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                          • Instruction ID: 46705ffcfacdd7a720b29fb61e5cb4af2d59a6418439a2947ca99394172970e0
                                          • Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                          • Instruction Fuzzy Hash: B9E06D761006059F8720DE6DD400A86B7E4EF95360320852AE89DE3310DB32E812CB40
                                          APIs
                                          • GetKeyState.USER32(00000012), ref: 0040ADB5
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: State
                                          • String ID: [CtrlL]$[CtrlR]
                                          • API String ID: 1649606143-2446555240
                                          • Opcode ID: 8f256fbae12a6d1972e20e0d193ff0540306bf2bf736503aba8af0ee0077a29a
                                          • Instruction ID: 615b7dbe40c0b8188db9493e0f2b19f017fb36a74fa458c508a435569d7d4a1e
                                          • Opcode Fuzzy Hash: 8f256fbae12a6d1972e20e0d193ff0540306bf2bf736503aba8af0ee0077a29a
                                          • Instruction Fuzzy Hash: 71E0862170071117C514353DD61A67F39228F41776F80013FF882ABAC6E96D8D6023CB
                                          APIs
                                          • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040BFB2,00000000,004742E0, W,?,pth_unenc), ref: 00412988
                                          • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412998
                                          Strings
                                          • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: DeleteOpenValue
                                          • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                          • API String ID: 2654517830-1051519024
                                          • Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                          • Instruction ID: 4813e9247c8a4fa7715124fbb4df20ddc3d96ddce1d5e270e7c0f337b45b5704
                                          • Opcode Fuzzy Hash: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                          • Instruction Fuzzy Hash: 0AE01270310304BFEF104F61ED06FDB37ACBB80B89F004165F505E5191E2B5DD54A658
                                          APIs
                                          • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040AF84
                                          • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040AFAF
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: DeleteDirectoryFileRemove
                                          • String ID: pth_unenc
                                          • API String ID: 3325800564-4028850238
                                          • Opcode ID: 2e8d6704218f96b318e7a73bad0b28a6b8edcd2455483e95ffe0dafda84626ef
                                          • Instruction ID: b68931c7331ddc333ece9e06749e281aefc344294653c9eba2f2de372e339d66
                                          • Opcode Fuzzy Hash: 2e8d6704218f96b318e7a73bad0b28a6b8edcd2455483e95ffe0dafda84626ef
                                          • Instruction Fuzzy Hash: FEE046715112108BC610AB31EC44AEBB398AB05316F00487FF8D3A36A1DE38A988CA98
                                          APIs
                                          • TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                          • WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ObjectProcessSingleTerminateWait
                                          • String ID: pth_unenc
                                          • API String ID: 1872346434-4028850238
                                          • Opcode ID: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                                          • Instruction ID: 4302d9c34f7b4dbdac7fc8682473a51625df35810590c52ad239c14707b44b4b
                                          • Opcode Fuzzy Hash: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                                          • Instruction Fuzzy Hash: C1D0C938559211AFD7614B68BC08B453B6AA745222F108277F828413F1C72598A4AE1C
                                          APIs
                                          Strings
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: CommandLine
                                          • String ID: 8(V
                                          • API String ID: 3253501508-174864209
                                          • Opcode ID: 2702c5f118dd3839dbc4dd886e2cdb728e5ea39e06e223ea52f31eba807d30e7
                                          • Instruction ID: 13d69598d350970c9b91df73096b24a53109b9b907d0ea4b726438dfa3130670
                                          • Opcode Fuzzy Hash: 2702c5f118dd3839dbc4dd886e2cdb728e5ea39e06e223ea52f31eba807d30e7
                                          • Instruction Fuzzy Hash: 09B0027D8157009FC7419F79BD5D1443BA0B75861339094B5DC19C7B35DA358085EF18
                                          APIs
                                          • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FAF4
                                          • GetLastError.KERNEL32 ref: 0043FB02
                                          • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB5D
                                          Memory Dump Source
                                          • Source File: 00000000.00000002.4449255792.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                          • Associated: 00000000.00000002.4449244651.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449283786.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449299834.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                          • Associated: 00000000.00000002.4449356451.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                          Joe Sandbox IDA Plugin
                                          • Snapshot File: hcaresult_0_2_400000_173378939937efea07b4bc781b0b774c712430f5494a016d81092444624b7a38c48940.jbxd
                                          Yara matches
                                          Similarity
                                          • API ID: ByteCharMultiWide$ErrorLast
                                          • String ID:
                                          • API String ID: 1717984340-0
                                          • Opcode ID: a3a9a9c7793c2081db5377885f607edf127f94d6c053b0090e31d102b176707d
                                          • Instruction ID: ecac45699e256c48587d6f27f66036641a8fb520bb473c9b2adecd150689d728
                                          • Opcode Fuzzy Hash: a3a9a9c7793c2081db5377885f607edf127f94d6c053b0090e31d102b176707d
                                          • Instruction Fuzzy Hash: 65414871E00206AFCF258F65C854ABBFBA4EF09310F1451BAF858973A1DB38AD09C759