Windows Analysis Report
IXCbn4ZcdS.exe

Overview

General Information

Sample name: IXCbn4ZcdS.exe (renamed because the original name is a hash value)
Original sample name: 5dcbcb9f5b780bb07e8eb4e98313fc5d0b222823ac94d338b3c3e3fb3efb77e5.exe
Analysis ID: 1573905
MD5: b1a62f3fd3a9a4a06c6bbffbb1cbb463
SHA1: f3954f2ddbbe05daa9eeb3e9a9e0bb661f925e76
SHA256: 5dcbcb9f5b780bb07e8eb4e98313fc5d0b222823ac94d338b3c3e3fb3efb77e5
Tags: 181-131-217-244, exe, user-JAMESWT_MHT

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Contains functionality to bypass UAC (CMSTPLUA)
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Drops large PE files
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Installs a global keyboard hook
Abnormal high CPU Usage
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Contains functionality to read data from the clipboard
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Launches processes in debugging mode, may be used to hinder debugging
May sleep (evasive loops) to hinder dynamic analysis
PE file contains executable resources (Code or Archives)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • IXCbn4ZcdS.exe (PID: 6244 cmdline: "C:\Users\user\Desktop\IXCbn4ZcdS.exe" MD5: B1A62F3FD3A9A4A06C6BBFFBB1CBB463)
    • IXCbn4ZcdS.exe (PID: 3348 cmdline: "C:\Users\user\Desktop\IXCbn4ZcdS.exe" MD5: B1A62F3FD3A9A4A06C6BBFFBB1CBB463)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
Malware configuration (Remcos): {"Host:Port:Password": ["navegacionseguracol24vip.org:30201:0"], "Assigned name": "neptuno", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Enable", "Hide file": "Disable", "Mutex": "mzxbmzmznxbcvzmnxvcnzbcx-T9CO3X", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "registros.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Capturas de pantalla", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "registro", "Keylog file max size": ""}
Source | Rule | Description | Author | Strings
00000005.00000002.3860807197.0000000000A7A000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000000.00000002.1650019041.0000000002300000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
00000000.00000002.1650019041.0000000002300000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000000.00000002.1650019041.0000000002300000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
00000000.00000002.1650019041.0000000002300000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x6aaf8:$a1: Remcos restarted by watchdog!
  • 0x6b070:$a3: %02i:%02i:%02i:%03i
(first of 22 entries shown)
Source | Rule | Description | Author | Strings
0.2.IXCbn4ZcdS.exe.23d0000.2.raw.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
0.2.IXCbn4ZcdS.exe.23d0000.2.raw.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
0.2.IXCbn4ZcdS.exe.23d0000.2.raw.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
0.2.IXCbn4ZcdS.exe.23d0000.2.raw.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x6b6f8:$a1: Remcos restarted by watchdog!
  • 0x6bc70:$a3: %02i:%02i:%02i:%03i
0.2.IXCbn4ZcdS.exe.23d0000.2.raw.unpack | REMCOS_RAT_variants | unknown | unknown |
  • 0x65994:$str_a1: C:\Windows\System32\cmd.exe
  • 0x65910:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65910:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65e10:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x66410:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x65a04:$str_b2: Executing file:
  • 0x6683c:$str_b3: GetDirectListeningPort
  • 0x66200:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x66380:$str_b7: \update.vbs
  • 0x65a2c:$str_b9: Downloaded file:
  • 0x65a18:$str_b10: Downloading file:
  • 0x65abc:$str_b12: Failed to upload file:
  • 0x66804:$str_b13: StartForward
  • 0x66824:$str_b14: StopForward
  • 0x662d8:$str_b15: fso.DeleteFile "
  • 0x6626c:$str_b16: On Error Resume Next
  • 0x66308:$str_b17: fso.DeleteFolder "
  • 0x65aac:$str_b18: Uploaded file:
  • 0x65a6c:$str_b19: Unable to delete:
  • 0x662a0:$str_b20: while fso.FileExists("
  • 0x65f49:$str_c0: [Firefox StoredLogins not found]
(first of 31 entries shown)

System Summary

Source: Registry Key set, Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split), Data: Details: C:\Users\user\Videos\ElectronArts\Bin\ElectronArtsCLI.exe, EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\IXCbn4ZcdS.exe, ProcessId: 6244, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ElectronArtsCLI
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-12T17:52:16.783769+0100 | 2032776 | 1 | Malware Command and Control Activity Detected | 192.168.2.9 | 49709 | 181.131.217.244 | 30201 | TCP
2024-12-12T17:52:27.054987+0100 | 2032777 | 1 | Malware Command and Control Activity Detected | 181.131.217.244 | 30201 | 192.168.2.9 | 49709 | TCP
2024-12-12T17:54:31.751110+0100 | 2032777 | 1 | Malware Command and Control Activity Detected | 181.131.217.244 | 30201 | 192.168.2.9 | 49709 | TCP
2024-12-12T17:52:28.865468+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.9 | 49710 | 178.237.33.50 | 80 | TCP


AV Detection

Source: IXCbn4ZcdS.exe, Avira: detected
Source: navegacionseguracol24vip.org, Avira URL Cloud: Label: malware
Source: 0.2.IXCbn4ZcdS.exe.2300000.1.raw.unpack, Malware Configuration Extractor: Remcos (the configuration listed under Classification above)
Source: IXCbn4ZcdS.exe, ReversingLabs: Detection: 42%
Source: Yara match, File source: 0.2.IXCbn4ZcdS.exe.23d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.IXCbn4ZcdS.exe.690000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.IXCbn4ZcdS.exe.690000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.IXCbn4ZcdS.exe.2300000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.IXCbn4ZcdS.exe.2300000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.IXCbn4ZcdS.exe.23d0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000005.00000002.3860807197.0000000000A7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1650019041.0000000002300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1650078049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: IXCbn4ZcdS.exe PID: 6244, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: IXCbn4ZcdS.exe PID: 3348, type: MEMORYSTR
Source: Submitted Sample, Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 5_2_006C293A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext
Source: IXCbn4ZcdS.exe, 00000000.00000002.1650019041.0000000002300000.00000004.00001000.00020000.00000000.sdmp, Binary or memory string: -----BEGIN PUBLIC KEY----- (memstr_3e024125-0)

Exploits

Source: Yara match, File source: 0.2.IXCbn4ZcdS.exe.23d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.IXCbn4ZcdS.exe.690000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.IXCbn4ZcdS.exe.690000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.IXCbn4ZcdS.exe.2300000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.IXCbn4ZcdS.exe.2300000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.IXCbn4ZcdS.exe.23d0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000002.1650019041.0000000002300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1650078049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: IXCbn4ZcdS.exe PID: 6244, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: IXCbn4ZcdS.exe PID: 3348, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 5_2_00696764 _wcslen,CoGetObject
Source: IXCbn4ZcdS.exe, Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: Binary string: c:\installer\incremental installer7\dev\AutoRun7\Release\autorun7.pdb, source: IXCbn4ZcdS.exe, ElectronArtsCLI.exe.0.dr
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 0_2_0040A0D8 FindNextFileA,FindClose,FindFirstFileA,Sleep,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 0_2_0040A0A0 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,Sleep,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 0_2_004151A0 FindFirstFileA,FindClose,GetFileAttributesA,SetFileAttributesA,SetLastError,CopyFileA,GetLastError,SetLastError,GetLastError,GetFileAttributesA,SetFileAttributesA
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 0_2_00414290 FindFirstFileA,FindClose,FindClose
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 0_2_00414340 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 0_2_00414380 FindFirstFileA,FindClose,FindFirstFileA,FindClose,CreateDirectoryA,RemoveDirectoryA,Sleep,FindFirstFileA,FindClose,RemoveDirectoryA,Sleep
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 0_2_004145D0 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 0_2_00415590 FindFirstFileA,CreateDirectoryA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 0_2_00414626 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 0_2_00414697 FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 0_2_004156B5 FindFirstFileA,CreateDirectoryA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 0_2_00415858 FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 0_2_00413800 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 0_2_004158B9 CreateDirectoryA,CreateDirectoryA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 0_2_00414A00 FindFirstFileA,FindClose,Sleep,Sleep,Sleep,GetFileAttributesA,SetFileAttributesA,DeleteFileA
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 0_2_00414C50 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 0_2_00414C5E FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 0_2_0040AC10 FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 0_2_00414D36 FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 0_2_00413E20 GetCurrentDirectoryA,FindFirstFileA,FindClose,SetCurrentDirectoryA,FindFirstFileA,FindClose,CreateProcessA,Sleep,SetLastError,CreateProcessA,GetExitCodeProcess,Sleep,Sleep,SetCurrentDirectoryA,GetLastError,FormatMessageA,LocalFree
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 0_2_00417E90 FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 0_2_00409F71 FindFirstFileA,GetFileAttributesA,SetFileAttributesA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,Sleep,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 0_2_00414F30 FindFirstFileA,FindClose,FindClose
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 5_2_00413800 FindFirstFileA,FindClose
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 5_2_0040A0A0 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,Sleep,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 5_2_004158B9 CreateDirectoryA,CreateDirectoryA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 5_2_0040A12D FindNextFileA,FindClose,FindFirstFileA,Sleep,DeleteFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 5_2_004151A0 FindFirstFileA,FindClose,GetFileAttributesA,SetFileAttributesA,SetLastError,CopyFileA,GetLastError,SetLastError,GetLastError,GetFileAttributesA,SetFileAttributesA
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 5_2_00414A00 FindFirstFileA,FindClose,Sleep,Sleep,Sleep,GetFileAttributesA,SetFileAttributesA,DeleteFileA
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 5_2_00414380 FindFirstFileA,FindClose,FindFirstFileA,FindClose,CreateDirectoryA,RemoveDirectoryA,Sleep,FindFirstFileA,FindClose,RemoveDirectoryA,Sleep
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 5_2_00414C50 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 5_2_00414C5E FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,RemoveDirectoryA
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 5_2_004145D0 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 5_2_00415590 FindFirstFileA,CreateDirectoryA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 5_2_00413E20 GetCurrentDirectoryA,FindFirstFileA,FindClose,SetCurrentDirectoryA,FindFirstFileA,FindClose,CreateProcessA,Sleep,SetLastError,CreateProcessA,GetExitCodeProcess,Sleep,Sleep,SetCurrentDirectoryA,GetLastError,FormatMessageA,LocalFree
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 5_2_00414F30 FindFirstFileA,FindClose,FindClose
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 5_2_004157F3 CreateDirectoryA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 5_2_0069B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 5_2_006AB42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 5_2_0069B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 5_2_006DD5E9 FindFirstFileExA
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 5_2_006989A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 5_2_00696AC2 FindFirstFileW,FindNextFileW
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 5_2_00697A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 5_2_006A8C69 FindFirstFileW,FindNextFileW,FindNextFileW
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 5_2_00698DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 5_2_00696F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW

Networking

Source: Network traffic, Suricata IDS: 2032776 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Checkin : 192.168.2.9:49709 -> 181.131.217.244:30201
Source: Network traffic, Suricata IDS: 2032777 - Severity 1 - ET MALWARE Remcos 3.x Unencrypted Server Response : 181.131.217.244:30201 -> 192.168.2.9:49709
Source: Malware configuration extractor, URLs: navegacionseguracol24vip.org
Source: global traffic, TCP traffic: 192.168.2.9:49709 -> 181.131.217.244:30201
Source: global traffic, HTTP traffic detected: GET /json.gp HTTP/1.1, Host: geoplugin.net, Cache-Control: no-cache
Source: Joe Sandbox View, IP Address: 181.131.217.244 181.131.217.244
Source: Joe Sandbox View, IP Address: 178.237.33.50 178.237.33.50
Source: Network traffic, Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.9:49710 -> 178.237.33.50:80
Source: unknown, UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 5_2_0069455B WaitForSingleObject,SetEvent,recv
Source: global traffic, DNS traffic detected: DNS query: navegacionseguracol24vip.org
Source: global traffic, DNS traffic detected: DNS query: geoplugin.net
Source: IXCbn4ZcdS.exe, 00000005.00000003.1739587146.0000000000AD9000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://geoplugin.net//
Source: IXCbn4ZcdS.exe, 00000005.00000003.1739587146.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://geoplugin.net/json.gp
Source: IXCbn4ZcdS.exe, 00000000.00000002.1650019041.0000000002300000.00000004.00001000.00020000.00000000.sdmp, IXCbn4ZcdS.exe, 00000000.00000002.1650078049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, IXCbn4ZcdS.exe, 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: http://geoplugin.net/json.gp/C
Source: IXCbn4ZcdS.exe, 00000005.00000003.1739587146.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://geoplugin.net/json.gp4
Source: IXCbn4ZcdS.exe, 00000005.00000002.3860857652.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp, IXCbn4ZcdS.exe, 00000005.00000003.2823269336.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp, IXCbn4ZcdS.exe, 00000005.00000003.1739587146.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://geoplugin.net/json.gpL
Source: IXCbn4ZcdS.exe, 00000005.00000003.1739587146.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp, String found in binary or memory: http://geoplugin.net/json.gpn.net/
Source: IXCbn4ZcdS.exe, String found in binary or memory: http://www.microsoft.c

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 5_2_006999E4 SetWindowsHookExA 0000000D,006999D0,00000000
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\IXCbn4ZcdS.exe
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 5_2_006A59C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 5_2_00699B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx
Source: Yara match, File source: 0.2.IXCbn4ZcdS.exe.23d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.IXCbn4ZcdS.exe.690000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.IXCbn4ZcdS.exe.690000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.IXCbn4ZcdS.exe.2300000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.IXCbn4ZcdS.exe.2300000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.IXCbn4ZcdS.exe.23d0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000000.00000002.1650019041.0000000002300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1650078049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: IXCbn4ZcdS.exe PID: 6244, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: IXCbn4ZcdS.exe PID: 3348, type: MEMORYSTR

E-Banking Fraud

Source: Yara match, File source: 0.2.IXCbn4ZcdS.exe.23d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.IXCbn4ZcdS.exe.690000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 5.2.IXCbn4ZcdS.exe.690000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.IXCbn4ZcdS.exe.2300000.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.IXCbn4ZcdS.exe.2300000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 0.2.IXCbn4ZcdS.exe.23d0000.2.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000005.00000002.3860807197.0000000000A7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1650019041.0000000002300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000000.00000002.1650078049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: IXCbn4ZcdS.exe PID: 6244, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: IXCbn4ZcdS.exe PID: 3348, type: MEMORYSTR

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe, Code function: 5_2_006ABB77 SystemParametersInfoW

                System Summary

                Source: 0.2.IXCbn4ZcdS.exe.23d0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.IXCbn4ZcdS.exe.23d0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 0.2.IXCbn4ZcdS.exe.23d0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 5.2.IXCbn4ZcdS.exe.690000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 5.2.IXCbn4ZcdS.exe.690000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 5.2.IXCbn4ZcdS.exe.690000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 5.2.IXCbn4ZcdS.exe.690000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 5.2.IXCbn4ZcdS.exe.690000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 5.2.IXCbn4ZcdS.exe.690000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 0.2.IXCbn4ZcdS.exe.2300000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.IXCbn4ZcdS.exe.2300000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 0.2.IXCbn4ZcdS.exe.2300000.1.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 0.2.IXCbn4ZcdS.exe.2300000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.IXCbn4ZcdS.exe.2300000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 0.2.IXCbn4ZcdS.exe.2300000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 0.2.IXCbn4ZcdS.exe.23d0000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 0.2.IXCbn4ZcdS.exe.23d0000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 0.2.IXCbn4ZcdS.exe.23d0000.2.unpack, type: UNPACKEDPE | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 00000000.00000002.1650019041.0000000002300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000000.00000002.1650019041.0000000002300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 00000000.00000002.1650019041.0000000002300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: 00000000.00000002.1650078049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: 00000000.00000002.1650078049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Author: unknown
                Source: 00000000.00000002.1650078049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
                Source: Process Memory Space: IXCbn4ZcdS.exe PID: 6244, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: Process Memory Space: IXCbn4ZcdS.exe PID: 3348, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | File dump: ElectronArtsCLI.exe.0.dr, 979567344 bytes
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Process Stats: CPU usage > 49%
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 0_2_0040A580 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,GetLastError,FormatMessageA,LocalFree
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 0_2_0041383D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,GetLastError,FormatMessageA,LocalFree
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 5_2_0041383D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,GetLastError,FormatMessageA,LocalFree
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 5_2_006A58B9 ExitWindowsEx,LoadLibraryA,GetProcAddress
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 0_2_0041E100
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 0_2_004091A5
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 0_2_00424250
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 0_2_0040721E
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 0_2_00408638
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 0_2_004076C0
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 0_2_004066A6
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 0_2_00407754
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 0_2_0040977E
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 0_2_00407728
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 0_2_004077D8
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 0_2_004077E6
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 0_2_00407788
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 0_2_004087BD
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 0_2_00407838
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 0_2_0040899B
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 0_2_00407AB1
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 0_2_00407B7D
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 0_2_00407BE2
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 0_2_00407BEF
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 0_2_00408C69
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 0_2_00406C00
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 0_2_00406D2E
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 0_2_00415E70
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 0_2_00429E1C
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 5_2_0040899B
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 5_2_0041F417
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 5_2_006AD071
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 5_2_006E20D2
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 5_2_006CD098
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 5_2_006C7150
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 5_2_006C61AA
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 5_2_006B6254
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 5_2_006C1377
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 5_2_006C651C
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 5_2_006AE5DF
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 5_2_006DC739
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 5_2_006B67CB
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 5_2_006C67C6
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 5_2_006CC9DD
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 5_2_006C2A49
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 5_2_006C6A8D
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 5_2_006CCC0C
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 5_2_006C6D48
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 5_2_006C4D22
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 5_2_006B6E73
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 5_2_006D0E20
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 5_2_006CCE3B
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 5_2_006A2F45
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 5_2_006E2F00
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 5_2_006B6FAD
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: String function: 00429783 appears 38 times
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: String function: 00428B04 appears 109 times
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: String function: 006C3FB0 appears 55 times
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: String function: 004046E0 appears 170 times
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: String function: 00691F66 appears 50 times
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: String function: 006920E7 appears 41 times
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: String function: 004173F0 appears 41 times
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: String function: 0042AF1E appears 33 times
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: String function: 006C38A5 appears 41 times
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: String function: 00417430 appears 36 times
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: String function: 00424A8C appears 261 times
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: String function: 00427E30 appears 54 times
                Source: IXCbn4ZcdS.exe | Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
                Source: IXCbn4ZcdS.exe | Static PE information: Resource name: RT_STRING type: PDP-11 demand-paged pure executable not stripped
                Source: ElectronArtsCLI.exe.0.dr | Static PE information: Resource name: RT_STRING type: DOS executable (COM, 0x8C-variant)
                Source: ElectronArtsCLI.exe.0.dr | Static PE information: Resource name: RT_STRING type: PDP-11 demand-paged pure executable not stripped
                Source: IXCbn4ZcdS.exe | Binary or memory string: OriginalFilename vs IXCbn4ZcdS.exe
                Source: IXCbn4ZcdS.exe, 00000000.00000002.1650205690.00000000025CE000.00000004.00001000.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameAutoRun7.exeP vs IXCbn4ZcdS.exe
                Source: IXCbn4ZcdS.exe, 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameAutoRun7.exeP vs IXCbn4ZcdS.exe
                Source: IXCbn4ZcdS.exe, 00000005.00000002.3853306344.00000000005A9000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameAutoRun7.exeP vs IXCbn4ZcdS.exe
                Source: IXCbn4ZcdS.exe | Binary or memory string: OriginalFilenameAutoRun7.exeP vs IXCbn4ZcdS.exe
                Source: IXCbn4ZcdS.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                Source: 0.2.IXCbn4ZcdS.exe.23d0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.IXCbn4ZcdS.exe.23d0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 0.2.IXCbn4ZcdS.exe.23d0000.2.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 5.2.IXCbn4ZcdS.exe.690000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 5.2.IXCbn4ZcdS.exe.690000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 5.2.IXCbn4ZcdS.exe.690000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 5.2.IXCbn4ZcdS.exe.690000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 5.2.IXCbn4ZcdS.exe.690000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 5.2.IXCbn4ZcdS.exe.690000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0.2.IXCbn4ZcdS.exe.2300000.1.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.IXCbn4ZcdS.exe.2300000.1.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 0.2.IXCbn4ZcdS.exe.2300000.1.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0.2.IXCbn4ZcdS.exe.2300000.1.raw.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.IXCbn4ZcdS.exe.2300000.1.raw.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 0.2.IXCbn4ZcdS.exe.2300000.1.raw.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 0.2.IXCbn4ZcdS.exe.23d0000.2.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 0.2.IXCbn4ZcdS.exe.23d0000.2.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 0.2.IXCbn4ZcdS.exe.23d0000.2.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 00000000.00000002.1650019041.0000000002300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000000.00000002.1650019041.0000000002300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 00000000.00000002.1650019041.0000000002300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: 00000000.00000002.1650078049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: 00000000.00000002.1650078049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                Source: 00000000.00000002.1650078049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                Source: Process Memory Space: IXCbn4ZcdS.exe PID: 6244, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: Process Memory Space: IXCbn4ZcdS.exe PID: 3348, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@3/3@2/2
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 0_2_00411010 GetLastError,FormatMessageA,LocalFree
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 0_2_0040A580 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,GetLastError,FormatMessageA,LocalFree
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 0_2_0041383D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,GetLastError,FormatMessageA,LocalFree
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 5_2_0041383D GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,ExitWindowsEx,GetLastError,FormatMessageA,LocalFree
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 5_2_006A6AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 0_2_0040F650 GetModuleHandleA,GetProcAddress,SetLastError,SetLastError,SetLastError,GetDiskFreeSpaceA
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 5_2_0069E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 0_2_0040F900 CoInitialize,CoCreateInstance,MultiByteToWideChar
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 0_2_004013D0 LoadResource,LockResource,SizeofResource
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 5_2_006A9BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | File created: C:\Users\user\Videos\ElectronArts
                Source: IXCbn4ZcdS.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: IXCbn4ZcdS.exe | ReversingLabs: Detection: 42%
                Source: IXCbn4ZcdS.exe | String found in binary or memory: &Non-Installation typique - Rpertoire par dfaut *Installation avance - Choix du rpertoireInternet Explorer %s est actuellemen
                Source: IXCbn4ZcdS.exe | String found in binary or memory: &Non-Installation typique - R
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | File read: C:\Users\user\Desktop\IXCbn4ZcdS.exe
                Source: unknown | Process created: C:\Users\user\Desktop\IXCbn4ZcdS.exe "C:\Users\user\Desktop\IXCbn4ZcdS.exe"
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Process created: C:\Users\user\Desktop\IXCbn4ZcdS.exe "C:\Users\user\Desktop\IXCbn4ZcdS.exe"
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Section loaded: aclayers.dll
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Section loaded: sfc.dll
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Section loaded: sfc_os.dll
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Section loaded: version.dll
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Section loaded: crowdstrikeceoisextragay.dll
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Section loaded: sentinelisabadedrtrynexttimemaybe.dll
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Section loaded: windows.storage.dll
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Section loaded: wldp.dll
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Section loaded: apphelp.dll
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Section loaded: aclayers.dll
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Section loaded: mpr.dll
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Section loaded: sfc.dll
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Section loaded: sfc_os.dll
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Section loaded: winmm.dll
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Section loaded: urlmon.dll
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Section loaded: wininet.dll
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Section loaded: iertutil.dll
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Section loaded: srvcli.dll
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Section loaded: netutils.dll
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Section loaded: iphlpapi.dll
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Section loaded: sspicli.dll
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Section loaded: mswsock.dll
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Section loaded: dnsapi.dll
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32Jump to behavior
                Source: IXCbn4ZcdS.exeStatic file information: File size 2457600 > 1048576
                Source: IXCbn4ZcdS.exeStatic PE information: section name: RT_CURSOR
                Source: IXCbn4ZcdS.exeStatic PE information: section name: RT_BITMAP
                Source: IXCbn4ZcdS.exeStatic PE information: section name: RT_ICON
                Source: IXCbn4ZcdS.exeStatic PE information: section name: RT_MENU
                Source: IXCbn4ZcdS.exeStatic PE information: section name: RT_DIALOG
                Source: IXCbn4ZcdS.exeStatic PE information: section name: RT_STRING
                Source: IXCbn4ZcdS.exeStatic PE information: section name: RT_ACCELERATOR
                Source: IXCbn4ZcdS.exeStatic PE information: section name: RT_GROUP_ICON
                Source: IXCbn4ZcdS.exeStatic PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x200000
                Source: IXCbn4ZcdS.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                Source: Binary string: c:\installer\incremental installer7\dev\AutoRun7\Release\autorun7.pdb source: IXCbn4ZcdS.exe, ElectronArtsCLI.exe.0.dr
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 0_2_004148D0 SetErrorMode,SetErrorMode,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,0_2_004148D0
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 0_2_00424366 push eax; ret 0_2_00424374
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 0_2_00424376 push eax; ret 0_2_0042439C
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 0_2_00428B3F push ecx; ret 0_2_00428B4F
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 0_2_00427E30 push eax; ret 0_2_00427E4E
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_00428B3F push ecx; ret 5_2_00428B4F
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_00427E30 push eax; ret 5_2_00427E4E
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_004096DD push esp; retn 0000h5_2_004096E6
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_006E67E0 push eax; ret 5_2_006E67FE
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_006EB9DD push esi; ret 5_2_006EB9E6
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_006E5EAF push ecx; ret 5_2_006E5EC2
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_006C3FF6 push ecx; ret 5_2_006C4009
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_00696128 ShellExecuteW,URLDownloadToFileW,5_2_00696128
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeFile created: C:\Users\user\Videos\ElectronArts\Bin\ElectronArtsCLI.exeJump to dropped file
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_006A9BC4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,5_2_006A9BC4
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ElectronArtsCLIJump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeRegistry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ElectronArtsCLIJump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 0_2_00422CCA IsIconic,GetWindowPlacement,GetWindowRect,0_2_00422CCA
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_006ABCE3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,5_2_006ABCE3
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                Malware Analysis System Evasion

                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_0069E54F Sleep,ExitProcess,5_2_0069E54F
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,5_2_006A98C2
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeWindow / User API: threadDelayed 1954Jump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeWindow / User API: threadDelayed 7658Jump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeWindow / User API: foregroundWindowGot 1753Jump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeDropped PE file which has not been started: C:\Users\user\Videos\ElectronArts\Bin\ElectronArtsCLI.exeJump to dropped file
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeAPI coverage: 0.3 %
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeAPI coverage: 8.4 %
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe TID: 1760Thread sleep count: 161 > 30Jump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe TID: 1760Thread sleep time: -80500s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe TID: 2072Thread sleep count: 1954 > 30Jump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe TID: 2072Thread sleep time: -5862000s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe TID: 2072Thread sleep count: 7658 > 30Jump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe TID: 2072Thread sleep time: -22974000s >= -30000sJump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 0_2_0040A0D8 FindNextFileA,FindClose,FindFirstFileA,Sleep,DeleteFileA,FindNextFileA,FindClose,0_2_0040A0D8
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 0_2_0040A0A0 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,Sleep,DeleteFileA,FindNextFileA,FindClose,0_2_0040A0A0
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 0_2_004151A0 FindFirstFileA,FindClose,GetFileAttributesA,SetFileAttributesA,SetLastError,CopyFileA,GetLastError,SetLastError,GetLastError,GetFileAttributesA,SetFileAttributesA,0_2_004151A0
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 0_2_00414290 FindFirstFileA,FindClose,FindClose,0_2_00414290
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 0_2_00414340 FindFirstFileA,FindClose,0_2_00414340
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 0_2_00414380 FindFirstFileA,FindClose,FindFirstFileA,FindClose,CreateDirectoryA,RemoveDirectoryA,Sleep,FindFirstFileA,FindClose,RemoveDirectoryA,Sleep,0_2_00414380
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 0_2_004145D0 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,0_2_004145D0
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 0_2_00415590 FindFirstFileA,CreateDirectoryA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,0_2_00415590
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 0_2_00414626 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,0_2_00414626
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 0_2_00414697 FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,0_2_00414697
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 0_2_004156B5 FindFirstFileA,CreateDirectoryA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,0_2_004156B5
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 0_2_00415858 FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,0_2_00415858
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 0_2_00413800 FindFirstFileA,FindClose,0_2_00413800
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 0_2_004158B9 CreateDirectoryA,CreateDirectoryA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,0_2_004158B9
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 0_2_00414A00 FindFirstFileA,FindClose,Sleep,Sleep,Sleep,GetFileAttributesA,SetFileAttributesA,DeleteFileA,0_2_00414A00
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 0_2_00414C50 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_00414C50
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 0_2_00414C5E FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_00414C5E
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 0_2_0040AC10 FindFirstFileA,FindNextFileA,FindClose,0_2_0040AC10
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 0_2_00414D36 FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,RemoveDirectoryA,0_2_00414D36
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 0_2_00413E20 GetCurrentDirectoryA,FindFirstFileA,FindClose,SetCurrentDirectoryA,FindFirstFileA,FindClose,CreateProcessA,Sleep,SetLastError,CreateProcessA,GetExitCodeProcess,Sleep,Sleep,SetCurrentDirectoryA,GetLastError,FormatMessageA,LocalFree,0_2_00413E20
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 0_2_00417E90 FindFirstFileA,DeleteFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,0_2_00417E90
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 0_2_00409F71 FindFirstFileA,GetFileAttributesA,SetFileAttributesA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,Sleep,DeleteFileA,FindNextFileA,FindClose,0_2_00409F71
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 0_2_00414F30 FindFirstFileA,FindClose,FindClose,0_2_00414F30
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_00413800 FindFirstFileA,FindClose,5_2_00413800
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_0040A0A0 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,Sleep,DeleteFileA,FindNextFileA,FindClose,5_2_0040A0A0
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_004158B9 CreateDirectoryA,CreateDirectoryA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,5_2_004158B9
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_0040A12D FindNextFileA,FindClose,FindFirstFileA,Sleep,DeleteFileA,FindNextFileA,FindClose,5_2_0040A12D
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_004151A0 FindFirstFileA,FindClose,GetFileAttributesA,SetFileAttributesA,SetLastError,CopyFileA,GetLastError,SetLastError,GetLastError,GetFileAttributesA,SetFileAttributesA,5_2_004151A0
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_00414A00 FindFirstFileA,FindClose,Sleep,Sleep,Sleep,GetFileAttributesA,SetFileAttributesA,DeleteFileA,5_2_00414A00
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_00414380 FindFirstFileA,FindClose,FindFirstFileA,FindClose,CreateDirectoryA,RemoveDirectoryA,Sleep,FindFirstFileA,FindClose,RemoveDirectoryA,Sleep,5_2_00414380
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_00414C50 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,RemoveDirectoryA,5_2_00414C50
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_00414C5E FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,RemoveDirectoryA,5_2_00414C5E
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_004145D0 FindFirstFileA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,5_2_004145D0
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_00415590 FindFirstFileA,CreateDirectoryA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,5_2_00415590
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_00413E20 GetCurrentDirectoryA,FindFirstFileA,FindClose,SetCurrentDirectoryA,FindFirstFileA,FindClose,CreateProcessA,Sleep,SetLastError,CreateProcessA,GetExitCodeProcess,Sleep,Sleep,SetCurrentDirectoryA,GetLastError,FormatMessageA,LocalFree,5_2_00413E20
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_00414F30 FindFirstFileA,FindClose,FindClose,5_2_00414F30
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_004157F3 CreateDirectoryA,FindNextFileA,FindClose,FindFirstFileA,FindNextFileA,FindClose,5_2_004157F3
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_0069B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,5_2_0069B335
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_006AB42F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,5_2_006AB42F
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_0069B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,5_2_0069B53A
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_006DD5E9 FindFirstFileExA,5_2_006DD5E9
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_006989A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,5_2_006989A9
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_00696AC2 FindFirstFileW,FindNextFileW,5_2_00696AC2
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_00697A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,5_2_00697A8C
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_006A8C69 FindFirstFileW,FindNextFileW,FindNextFileW,5_2_006A8C69
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_00698DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,5_2_00698DA7
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_00696F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,5_2_00696F06
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 0_2_0042407C VirtualQuery,GetSystemInfo,VirtualQuery,VirtualAlloc,VirtualProtect,0_2_0042407C
                Source: IXCbn4ZcdS.exe, 00000005.00000003.1739770993.0000000000AF0000.00000004.00000001.00020000.00000000.sdmp, IXCbn4ZcdS.exe, 00000005.00000003.2823521495.0000000000AF0000.00000004.00000001.00020000.00000000.sdmp, IXCbn4ZcdS.exe, 00000005.00000002.3860857652.0000000000AF0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAWW
                Source: IXCbn4ZcdS.exe, 00000005.00000002.3860807197.0000000000A7A000.00000004.00000020.00020000.00000000.sdmp, IXCbn4ZcdS.exe, 00000005.00000003.1739770993.0000000000AF0000.00000004.00000001.00020000.00000000.sdmp, IXCbn4ZcdS.exe, 00000005.00000003.2823521495.0000000000AF0000.00000004.00000001.00020000.00000000.sdmp, IXCbn4ZcdS.exe, 00000005.00000002.3860857652.0000000000AF0000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeAPI call chain: ExitProcess graph end nodegraph_5-58909
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeSystem information queried: KernelDebuggerInformationJump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_006CA65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_006CA65D
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 0_2_004148D0 SetErrorMode,SetErrorMode,LoadLibraryA,GetProcAddress,FreeLibrary,SetErrorMode,0_2_004148D0
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_006D2554 mov eax, dword ptr fs:[00000030h]5_2_006D2554
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_006DE92E GetProcessHeap,5_2_006DE92E
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeProcess created: C:\Users\user\Desktop\IXCbn4ZcdS.exe "C:\Users\user\Desktop\IXCbn4ZcdS.exe"Jump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_006C4168 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,5_2_006C4168
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_006CA65D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_006CA65D
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_006C3B44 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,5_2_006C3B44
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_006C3CD7 SetUnhandledExceptionFilter,5_2_006C3CD7

                HIPS / PFW / Operating System Protection Evasion

                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeNtOpenKeyEx: Direct from: 0x7FF90818F3F4Jump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeNtQuerySystemInformation: Direct from: 0x7FF908164B5EJump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeNtNotifyChangeKey: Direct from: 0x7FF90818F314Jump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeNtSetInformationProcess: Direct from: 0x77537B2EJump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeNtCreateFile: Direct from: 0x7FF90818DAA4Jump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeNtSetInformationProcess: Direct from: 0x7FF90818D384Jump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeNtSetValueKey: Direct from: 0x7FF90818DBF4Jump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeNtEnumerateValueKey: Direct from: 0x7FF90818D264Jump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeNtOpenKey: Direct from: 0x7FF90818D244Jump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeNtSetInformationThread: Direct from: 0x775363F9Jump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeNtClose: Direct from: 0x7FF90818D1E4
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeNtQueryValueKey: Direct from: 0x7FF90818D2E4Jump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeNtResumeThread: Direct from: 0x7FF90818DA44Jump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeNtQueryVolumeInformationFile: Direct from: 0x7FF90818D924Jump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeNtAllocateVirtualMemory: Direct from: 0x7FF90818D304Jump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeNtMapViewOfSection: Direct from: 0x7FF90818D504Jump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeNtCreateThreadEx: Direct from: 0x7FF90818E814Jump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeNtCreateMutant: Direct from: 0x7FF90818E654Jump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeNtOpenFile: Direct from: 0x7FF90818D664Jump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeNtUnmapViewOfSection: Direct from: 0x7FF90818D544Jump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeNtQueryInformationProcess: Direct from: 0x7FF90818D324Jump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeNtEnumerateKey: Direct from: 0x7FF90818D644Jump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeNtQueryInformationToken: Direct from: 0x7FF90818D424Jump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeNtQueueApcThread: Direct from: 0x7FF90818D8A4Jump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeNtSetTimerEx: Direct from: 0x7FF9081905D4Jump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeNtQuerySystemInformation: Direct from: 0x775363E1Jump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeNtSetSecurityObject: Direct from: 0x7FF9081904D4Jump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeNtQuerySystemInformation: Direct from: 0x7FF90818D6C4Jump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeNtQueryAttributesFile: Direct from: 0x7FF90818D7A4Jump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeNtSetInformationFile: Direct from: 0x7FF90818D4E4Jump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeNtSetInformationThread: Direct from: 0x7FF90818D1A4Jump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeNtOpenSection: Direct from: 0x7FF90818D6E4Jump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeNtProtectVirtualMemory: Direct from: 0x7FF90818DA04Jump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeNtCreateKey: Direct from: 0x7FF90818D3A4Jump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeMemory written: C:\Users\user\Desktop\IXCbn4ZcdS.exe base: 690000 value starts with: 4D5AJump to behavior
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe5_2_006A0F36
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 5_2_006A8754 mouse_event,5_2_006A8754
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 0_2_00413910 ImpersonateSelf,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,AllocateAndInitializeSid,LocalAlloc,InitializeSecurityDescriptor,GetLengthSid,LocalAlloc,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,SetSecurityDescriptorGroup,SetSecurityDescriptorOwner,IsValidSecurityDescriptor,AccessCheck,GetLastError,RevertToSelf,0_2_00413910
                Source: C:\Users\user\Desktop\IXCbn4ZcdS.exeCode function: 0_2_00413910 ImpersonateSelf,GetCurrentThread,OpenThreadToken,GetLastError,GetCurrentProcess,OpenProcessToken,AllocateAndInitializeSid,LocalAlloc,InitializeSecurityDescriptor,GetLengthSid,LocalAlloc,InitializeAcl,AddAccessAllowedAce,SetSecurityDescriptorDacl,SetSecurityDescriptorGroup,SetSecurityDescriptorOwner,IsValidSecurityDescriptor,AccessCheck,GetLastError,RevertToSelf,0_2_00413910
                Source: IXCbn4ZcdS.exe, 00000005.00000002.3860807197.0000000000A7A000.00000004.00000020.00020000.00000000.sdmp, IXCbn4ZcdS.exe, 00000005.00000002.3860857652.0000000000AE1000.00000004.00000001.00020000.00000000.sdmp, IXCbn4ZcdS.exe, 00000005.00000003.2823269336.0000000000AE1000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Program Manager
                Source: IXCbn4ZcdS.exe, 00000005.00000002.3860857652.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp, IXCbn4ZcdS.exe, 00000005.00000003.2823269336.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp, registros.dat.5.drBinary or memory string: [2024/12/12 11:52:31 Program Manager]
                Source: IXCbn4ZcdS.exe, 00000005.00000003.2823269336.0000000000AE1000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Program ManagerEM
                Source: IXCbn4ZcdS.exe, 00000005.00000003.2823269336.0000000000AE1000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Program ManagerO
                Source: IXCbn4ZcdS.exe, 00000005.00000002.3860807197.0000000000A7A000.00000004.00000020.00020000.00000000.sdmp, registros.dat.5.drBinary or memory string: [2024/12/12 11:52:16 Program Manager]
                Source: IXCbn4ZcdS.exe, 00000005.00000002.3860857652.0000000000AE1000.00000004.00000001.00020000.00000000.sdmp, IXCbn4ZcdS.exe, 00000005.00000003.2823269336.0000000000AE1000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Program Managerr|
                Source: IXCbn4ZcdS.exe, 00000005.00000002.3860857652.0000000000AE1000.00000004.00000001.00020000.00000000.sdmp, IXCbn4ZcdS.exe, 00000005.00000003.2823269336.0000000000AE1000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Program Manager6
                Source: IXCbn4ZcdS.exe, 00000005.00000002.3860857652.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp, IXCbn4ZcdS.exe, 00000005.00000003.2823269336.0000000000AB8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: [%04i/%02i/%02i %02i:%02i:%02i Program Manager]
                Source: IXCbn4ZcdS.exe, 00000005.00000003.2823269336.0000000000AE1000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Program Managernet//
                Source: IXCbn4ZcdS.exe, 00000005.00000002.3860807197.0000000000A7A000.00000004.00000020.00020000.00000000.sdmp, IXCbn4ZcdS.exe, 00000005.00000002.3860857652.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp, IXCbn4ZcdS.exe, 00000005.00000003.2823269336.0000000000AB8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: [2024/12/12 11:52:37 Program Manager]
                Source: IXCbn4ZcdS.exe, 00000005.00000002.3860807197.0000000000A7A000.00000004.00000020.00020000.00000000.sdmp, IXCbn4ZcdS.exe, 00000005.00000002.3860857652.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp, IXCbn4ZcdS.exe, 00000005.00000003.2823269336.0000000000AB8000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: |Program Manager|
Source: IXCbn4ZcdS.exe, 00000005.00000002.3860857652.0000000000AE1000.00000004.00000001.00020000.00000000.sdmp, IXCbn4ZcdS.exe, 00000005.00000003.2823269336.0000000000AE1000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Program Managerpl
Source: IXCbn4ZcdS.exe, 00000005.00000002.3860857652.0000000000AE1000.00000004.00000001.00020000.00000000.sdmp, IXCbn4ZcdS.exe, 00000005.00000003.2823269336.0000000000AE1000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Program Manager|
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 5_2_006C3E0A cpuid 5_2_006C3E0A
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: GetLocaleInfoA, 0_2_004300E6
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: GetLocaleInfoA, 0_2_00432551
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: EnumSystemLocalesA, 0_2_00430605
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: EnumSystemLocalesA, 0_2_0043063C
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: EnumSystemLocalesA, 0_2_004306C2
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: GetLocaleInfoW, GetLastError, GetLocaleInfoW, GetLocaleInfoA, GetLocaleInfoA, MultiByteToWideChar, 0_2_0043469C
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: GetLocaleInfoA, _TranslateName, _TranslateName, IsValidCodePage, IsValidLocale, 0_2_00430717
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: GetLocaleInfoW, GetLastError, GetLocaleInfoW, GetLocaleInfoW, WideCharToMultiByte, GetLocaleInfoA, 0_2_004347CC
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: GetThreadLocale, GetLocaleInfoA, GetACP, 0_2_00422895
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: GetLocaleInfoA, 5_2_00432551
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: GetLocaleInfoA, 5_2_0069E679
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: EnumSystemLocalesW, 5_2_006D70AE
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: GetLocaleInfoW, 5_2_006E10BA
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: GetLocaleInfoW, GetLocaleInfoW, GetACP, 5_2_006E11E3
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: GetLocaleInfoW, 5_2_006E12EA
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: GetUserDefaultLCID, IsValidCodePage, IsValidLocale, GetLocaleInfoW, GetLocaleInfoW, 5_2_006E13B7
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: GetLocaleInfoW, 5_2_006D7597
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: IsValidCodePage, _wcschr, _wcschr, GetLocaleInfoW, 5_2_006E0A7F
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: EnumSystemLocalesW, 5_2_006E0CF7
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: EnumSystemLocalesW, 5_2_006E0D42
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: EnumSystemLocalesW, 5_2_006E0DDD
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: GetLocaleInfoW, GetLocaleInfoW, GetLocaleInfoW, 5_2_006E0E6A
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 0_2_0042B2AC GetSystemTimeAsFileTime, GetCurrentProcessId, GetCurrentThreadId, GetTickCount, QueryPerformanceCounter, 0_2_0042B2AC
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 5_2_006AA7A2 GetUserNameW, 5_2_006AA7A2
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 0_2_0042D862 __lock, GetTimeZoneInformation, WideCharToMultiByte, WideCharToMultiByte, WideCharToMultiByte, 0_2_0042D862
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: 0_2_004135C0 GetVersionExA, GetVersionExA, GetVersionExA, 0_2_004135C0

                Stealing of Sensitive Information

Source: Yara match | File source: 0.2.IXCbn4ZcdS.exe.23d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.IXCbn4ZcdS.exe.690000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.IXCbn4ZcdS.exe.690000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.IXCbn4ZcdS.exe.2300000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.IXCbn4ZcdS.exe.2300000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.IXCbn4ZcdS.exe.23d0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.3860807197.0000000000A7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1650019041.0000000002300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1650078049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: IXCbn4ZcdS.exe PID: 6244, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: IXCbn4ZcdS.exe PID: 3348, type: MEMORYSTR
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 5_2_0069B21B
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 5_2_0069B335
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: \key3.db 5_2_0069B335

                Remote Access Functionality

Source: Yara match | File source: 0.2.IXCbn4ZcdS.exe.23d0000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.IXCbn4ZcdS.exe.690000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 5.2.IXCbn4ZcdS.exe.690000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.IXCbn4ZcdS.exe.2300000.1.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.IXCbn4ZcdS.exe.2300000.1.raw.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.IXCbn4ZcdS.exe.23d0000.2.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000005.00000002.3860807197.0000000000A7A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1650019041.0000000002300000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1650078049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: IXCbn4ZcdS.exe PID: 6244, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: IXCbn4ZcdS.exe PID: 3348, type: MEMORYSTR
Source: C:\Users\user\Desktop\IXCbn4ZcdS.exe | Code function: cmd.exe 5_2_00695042
MITRE ATT&CK Matrix (one line per tactic, techniques listed in the order the matrix shows them; a number in front of a technique is the count the report displays for it)

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: 1 Native API; 12 Command and Scripting Interpreter; 2 Service Execution; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: 1 DLL Side-Loading; 1 Windows Service; 1 Registry Run Keys / Startup Folder; Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: 1 Abuse Elevation Control Mechanism; 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Access Token Manipulation; 1 Windows Service; 112 Process Injection; 1 Registry Run Keys / Startup Folder; Scheduled Task/Job; At; Cron
Defense Evasion: 1 Disable or Modify Tools; 1 Deobfuscate/Decode Files or Information; 1 Abuse Elevation Control Mechanism; 2 Obfuscated Files or Information; 1 DLL Side-Loading; 1 Bypass User Account Control; 1 Masquerading; 2 Virtualization/Sandbox Evasion; 1 Access Token Manipulation; 112 Process Injection
Credential Access: 1 OS Credential Dumping; 211 Input Capture; 2 Credentials In Files; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: 2 System Time Discovery; 1 Account Discovery; 1 System Service Discovery; 2 File and Directory Discovery; 25 System Information Discovery; 31 Security Software Discovery; 2 Virtualization/Sandbox Evasion; 2 Process Discovery; 11 Application Window Discovery; 1 System Owner/User Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: 11 Archive Collected Data; 211 Input Capture; 3 Clipboard Data; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: 12 Ingress Tool Transfer; 2 Encrypted Channel; 1 Non-Standard Port; 2 Non-Application Layer Protocol; 12 Application Layer Protocol; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: 1 System Shutdown/Reboot; 1 Defacement; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement

Antivirus detection (Source | Detection | Scanner | Label)
IXCbn4ZcdS.exe | 42% | ReversingLabs | Win32.Infostealer.Tinba
IXCbn4ZcdS.exe | 100% | Avira | TR/Crypt.XPACK.Gen3
No Antivirus matches
No Antivirus matches
No Antivirus matches
Source | Detection | Scanner | Label
navegacionseguracol24vip.org | 100% | Avira URL Cloud | malware
Contacted domains (Name | IP | Active | Malicious | Antivirus Detection | Reputation)
navegacionseguracol24vip.org | 181.131.217.244 | true | false | | high
geoplugin.net | 178.237.33.50 | true | false | | high

Contacted URLs (Name | Malicious | Antivirus Detection | Reputation)
http://geoplugin.net/json.gp | false | | high
navegacionseguracol24vip.org | true | Avira URL Cloud: malware | unknown

URLs from memory and binaries (Name | Source | Malicious | Antivirus Detection | Reputation)
http://geoplugin.net/json.gp4 | IXCbn4ZcdS.exe, 00000005.00000003.1739587146.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://geoplugin.net// | IXCbn4ZcdS.exe, 00000005.00000003.1739587146.0000000000AD9000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://www.microsoft.c | IXCbn4ZcdS.exe | false | | high
http://geoplugin.net/json.gp/C | IXCbn4ZcdS.exe, 00000000.00000002.1650019041.0000000002300000.00000004.00001000.00020000.00000000.sdmp, IXCbn4ZcdS.exe, 00000000.00000002.1650078049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, IXCbn4ZcdS.exe, 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpL | IXCbn4ZcdS.exe, 00000005.00000002.3860857652.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp, IXCbn4ZcdS.exe, 00000005.00000003.2823269336.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp, IXCbn4ZcdS.exe, 00000005.00000003.1739587146.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpn.net/ | IXCbn4ZcdS.exe, 00000005.00000003.1739587146.0000000000AB8000.00000004.00000001.00020000.00000000.sdmp | false | | high

Legend:
• No. of IPs < 25%
• 25% < No. of IPs < 50%
• 50% < No. of IPs < 75%
• 75% < No. of IPs

Contacted IPs (IP | Domain | Country | ASN | ASN Name | Malicious)
181.131.217.244 | navegacionseguracol24vip.org | Colombia | 13489 | EPMTelecomunicacionesSAESPCO | false
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
                                  Joe Sandbox version:41.0.0 Charoite
                                  Analysis ID:1573905
                                  Start date and time:2024-12-12 17:50:57 +01:00
                                  Joe Sandbox product:CloudBasic
                                  Overall analysis duration:0h 9m 1s
                                  Hypervisor based Inspection enabled:false
                                  Report type:full
                                  Cookbook file name:default.jbs
                                  Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:9
                                  Number of new started drivers analysed:0
                                  Number of existing processes analysed:0
                                  Number of existing drivers analysed:0
                                  Number of injected processes analysed:0
                                  Technologies:
                                  • HCA enabled
                                  • EGA enabled
                                  • AMSI enabled
                                  Analysis Mode:default
                                  Analysis stop reason:Timeout
                                  Sample name:IXCbn4ZcdS.exe
                                  renamed because original name is a hash value
                                  Original Sample Name:5dcbcb9f5b780bb07e8eb4e98313fc5d0b222823ac94d338b3c3e3fb3efb77e5.exe
                                  Detection:MAL
                                  Classification:mal100.rans.troj.spyw.expl.evad.winEXE@3/3@2/2
                                  EGA Information:
                                  • Successful, ratio: 100%
                                  HCA Information:
                                  • Successful, ratio: 79%
                                  • Number of executed functions: 96
                                  • Number of non-executed functions: 312
                                  Cookbook Comments:
                                  • Found application associated with file extension: .exe
                                  • Override analysis time to 240000 for current running targets taking high CPU consumption
                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
                                  • Excluded IPs from analysis (whitelisted): 4.175.87.197
                                  • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed, report is missing behavior information
                                  • Report size exceeded maximum capacity and may have missing disassembly code.
                                  • Report size getting too big, too many NtQueryValueKey calls found.
                                  • VT rate limit hit for: IXCbn4ZcdS.exe
Time | Type | Description
11:52:49 | API Interceptor | 5150178x Sleep call for process: IXCbn4ZcdS.exe modified
16:52:25 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run ElectronArtsCLI C:\Users\user\Videos\ElectronArts\Bin\ElectronArtsCLI.exe
16:52:34 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run ElectronArtsCLI C:\Users\user\Videos\ElectronArts\Bin\ElectronArtsCLI.exe
IP context (Match | Associated Sample Name / URL | Detection | Threat Name | Context)
181.131.217.244 | d7gXUPUl38.exe | malicious | Remcos |
181.131.217.244 | fIPSLgT0lO.exe | malicious | Unknown |
181.131.217.244 | 3XSXmrEOw7.exe | malicious | Remcos |
181.131.217.244 | ozfqy8Ms6t.exe | malicious | Remcos |
181.131.217.244 | pPLwX9wSrD.exe | malicious | Remcos |
181.131.217.244 | sXpIsdpkzy.exe | malicious | Remcos |
181.131.217.244 | hCJ8gK9kNn.exe | malicious | Remcos |
181.131.217.244 | x4fDy1muYs.exe | malicious | Unknown |
181.131.217.244 | VwiELrqQjD.exe | malicious | Remcos |
181.131.217.244 | ozfqy8Ms6t.exe | malicious | Unknown |
178.237.33.50 | d7gXUPUl38.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | 3XSXmrEOw7.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | ozfqy8Ms6t.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | pPLwX9wSrD.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | sXpIsdpkzy.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | VwiELrqQjD.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | SYSnyI8qDu.exe | malicious | Remcos | geoplugin.net/json.gp
178.237.33.50 | Reqt 83291.vbs | malicious | Remcos, GuLoader | geoplugin.net/json.gp
178.237.33.50 | DOCUMENT#5885588@081366(766.pdf.exe | malicious | GuLoader, Remcos | geoplugin.net/json.gp
178.237.33.50 | 1733845413a1d8742853c308d6ac4d050f80c4b91bf14f4919c2728222ecef14ce82d51adb973.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp

Domain context (Match | Associated Sample Name / URL | Detection | Threat Name | Context)
navegacionseguracol24vip.org | d7gXUPUl38.exe | malicious | Remcos | 181.131.217.244
navegacionseguracol24vip.org | 3XSXmrEOw7.exe | malicious | Remcos | 181.131.217.244
navegacionseguracol24vip.org | ozfqy8Ms6t.exe | malicious | Remcos | 181.131.217.244
navegacionseguracol24vip.org | pPLwX9wSrD.exe | malicious | Remcos | 181.131.217.244
navegacionseguracol24vip.org | hCJ8gK9kNn.exe | malicious | Remcos | 181.131.217.244
navegacionseguracol24vip.org | ozfqy8Ms6t.exe | malicious | Unknown | 181.131.217.244
navegacionseguracol24vip.org | 3XSXmrEOw7.exe | malicious | Unknown | 181.131.217.244
navegacionseguracol24vip.org | pPLwX9wSrD.exe | malicious | Unknown | 181.131.217.244
navegacionseguracol24vip.org | hCJ8gK9kNn.exe | malicious | Unknown | 181.131.217.244
geoplugin.net | d7gXUPUl38.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | 3XSXmrEOw7.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | ozfqy8Ms6t.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | pPLwX9wSrD.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | sXpIsdpkzy.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | VwiELrqQjD.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | SYSnyI8qDu.exe | malicious | Remcos | 178.237.33.50
geoplugin.net | Reqt 83291.vbs | malicious | Remcos, GuLoader | 178.237.33.50
geoplugin.net | DOCUMENT#5885588@081366(766.pdf.exe | malicious | GuLoader, Remcos | 178.237.33.50
geoplugin.net | 1733845413a1d8742853c308d6ac4d050f80c4b91bf14f4919c2728222ecef14ce82d51adb973.dat-decoded.exe | malicious | Remcos | 178.237.33.50

ASN context (Match | Associated Sample Name / URL | Detection | Threat Name | Context)
EPMTelecomunicacionesSAESPCO | d7gXUPUl38.exe | malicious | Remcos | 181.131.217.244
EPMTelecomunicacionesSAESPCO | fIPSLgT0lO.exe | malicious | Unknown | 181.131.217.244
EPMTelecomunicacionesSAESPCO | 3XSXmrEOw7.exe | malicious | Remcos | 181.131.217.244
EPMTelecomunicacionesSAESPCO | ozfqy8Ms6t.exe | malicious | Remcos | 181.131.217.244
EPMTelecomunicacionesSAESPCO | pPLwX9wSrD.exe | malicious | Remcos | 181.131.217.244
EPMTelecomunicacionesSAESPCO | sXpIsdpkzy.exe | malicious | Remcos | 181.131.217.244
EPMTelecomunicacionesSAESPCO | hCJ8gK9kNn.exe | malicious | Remcos | 181.131.217.244
EPMTelecomunicacionesSAESPCO | x4fDy1muYs.exe | malicious | Unknown | 181.131.217.244
EPMTelecomunicacionesSAESPCO | VwiELrqQjD.exe | malicious | Remcos | 181.131.217.244
EPMTelecomunicacionesSAESPCO | ozfqy8Ms6t.exe | malicious | Unknown | 181.131.217.244
ATOM86-ASATOM86NL | d7gXUPUl38.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 3XSXmrEOw7.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | ozfqy8Ms6t.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | pPLwX9wSrD.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | sXpIsdpkzy.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | VwiELrqQjD.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | SYSnyI8qDu.exe | malicious | Remcos | 178.237.33.50
ATOM86-ASATOM86NL | Reqt 83291.vbs | malicious | Remcos, GuLoader | 178.237.33.50
ATOM86-ASATOM86NL | DOCUMENT#5885588@081366(766.pdf.exe | malicious | GuLoader, Remcos | 178.237.33.50
ATOM86-ASATOM86NL | 1733845413a1d8742853c308d6ac4d050f80c4b91bf14f4919c2728222ecef14ce82d51adb973.dat-decoded.exe | malicious | Remcos | 178.237.33.50
                                                      No context
                                                      No context
                                                      Process:C:\Users\user\Desktop\IXCbn4ZcdS.exe
                                                      File Type:data
                                                      Category:dropped
                                                      Size (bytes):486
                                                      Entropy (8bit):3.2862379567324242
                                                      Encrypted:false
                                                      SSDEEP:12:6laDEhecmlaDubWFeglaYla66bWFe5UlablahbW+:6KvcmKqWDHd+WqUkiW+
                                                      MD5:89CD11872C5ABDF3107235FBD199A583
                                                      SHA1:0A137B83D40EC65040EFEE0C52CA29F0EF8CA448
                                                      SHA-256:B19983A33E2E415108C7A103EEA65B9EFEC20370226F9CE6C10F6E7BDF2428B4
                                                      SHA-512:59076C818889E6C2895A6B18589F9CE4C724A41E2C0A6936B42F81C64F21B0D78FEFEE249477822B6BFF1A3351AE422C5FA13C328A9C00595F02C3C14883BB58
                                                      Malicious:false
                                                      Reputation:low
                                                      Preview:....[.2.0.2.4./.1.2./.1.2. .1.1.:.5.2.:.1.6. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.2.0.2.4./.1.2./.1.2. .1.1.:.5.2.:.1.6. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].....[.2.0.2.4./.1.2./.1.2. .1.1.:.5.2.:.2.6. .R.u.n.].........[.2.0.2.4./.1.2./.1.2. .1.1.:.5.2.:.3.1. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....[.W.i.n.].r.....[.2.0.2.4./.1.2./.1.2. .1.1.:.5.2.:.3.4. .R.u.n.].........[.2.0.2.4./.1.2./.1.2. .1.1.:.5.2.:.3.7. .P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
                                                      Process:C:\Users\user\Desktop\IXCbn4ZcdS.exe
                                                      File Type:JSON data
                                                      Category:dropped
                                                      Size (bytes):963
                                                      Entropy (8bit):5.0088110527764815
                                                      Encrypted:false
                                                      SSDEEP:12:tkluWJmnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzz:qlupdRNuKyGX85jvXhNlT3/7CcVKWrZ
                                                      MD5:BD018C0C5F33B3037C1E9B852C5D9744
                                                      SHA1:69225F65C7D5FF12EF0889811B9CB8CE1C1CF0D1
                                                      SHA-256:29AE4457FFF6A1B0F04A9EC87B161876887D8E827EF06A443D61D78C6BA9330A
                                                      SHA-512:BE6CF8CDC952A9DE6E1F0769934CFC5A07D93C2A2B341083D79D89CDEF6578D0DDF50D8079962DB3490D76A2738EB01678506C2C8B810BDBABFED567D1977BA3
                                                      Malicious:false
                                                      Reputation:low
                                                      Preview:{. "geoplugin_request":"8.46.123.189",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"New York",. "geoplugin_region":"New York",. "geoplugin_regionCode":"NY",. "geoplugin_regionName":"New York",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"501",. "geoplugin_countryCode":"US",. "geoplugin_countryName":"United States",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"NA",. "geoplugin_continentName":"North America",. "geoplugin_latitude":"40.7503",. "geoplugin_longitude":"-74.0014",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"America\/New_York",. "geoplugin_currencyCode":"USD",. "geoplugin_currencySymbol":null,. "geoplugin_currencySymbol_UTF8":"",. "geoplugin_currencyConverter":0.}
                                                      Process:C:\Users\user\Desktop\IXCbn4ZcdS.exe
                                                      File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                      Category:dropped
                                                      Size (bytes):979567344
                                                      Entropy (8bit):0.03682041999793769
                                                      Encrypted:false
                                                      SSDEEP:
                                                      MD5:17603B8A4D6AAAE374A2D28C0C4CD1CB
                                                      SHA1:09342D8C2EE695BA39BA766F34F73EF429562D0D
                                                      SHA-256:717C0FC750252817AB984B1D6D2E3E31F39BC22ACB82FF7F27F58798AFC024BC
                                                      SHA-512:3394F326969E6B92CD9A8BB703DA77186633D5AEA4FC02F0699634201E5E94F0D0C1582C709263D6AF8147011B0AA7C7AD59F2BE4D3AC998A47BA2B7B5BC6C15
                                                      Malicious:false
                                                      Reputation:low
                                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A..j...9...9...9...9...9...9...9...9...9..9...9...9...9...9...9...9..9...9...9...9<..9...9j..9..9...9...9...9Rich...9................PE..L.....C.................P... !.....}V.......`....@..........................0(.............................................t........0..|............................f..................................H............`...............................text....C.......P.................. ..`.rdata.......`.......`..............@..@.data........@...@...@..............@....rsrc...|....0.... .................@..@........................................................................................................................................................................................................................................................................................................................................
                                                      File type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                      Entropy (8bit):6.352465345748113
                                                      TrID:
                                                      • Win32 Executable (generic) a (10002005/4) 99.96%
                                                      • Generic Win/DOS Executable (2004/3) 0.02%
                                                      • DOS Executable Generic (2002/1) 0.02%
                                                      • Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
                                                      File name:IXCbn4ZcdS.exe
                                                      File size:2'457'600 bytes
                                                      MD5:b1a62f3fd3a9a4a06c6bbffbb1cbb463
                                                      SHA1:f3954f2ddbbe05daa9eeb3e9a9e0bb661f925e76
                                                      SHA256:5dcbcb9f5b780bb07e8eb4e98313fc5d0b222823ac94d338b3c3e3fb3efb77e5
                                                      SHA512:a53c1789f2c465809b307a1daabc0b4c10fafe983040ac112f0de0cf5afae3b532630095e62971e0588a7fd17b62caa4ff2f06cb04e6e3799ceca4ce43569528
                                                      SSDEEP:24576:pjmc9/6Am6ls/dcaL9dYx0of9R7iYh0iLnS5vyVJ9dHIliC4:pp/hO/d1xdYx0ir7jTGyVJ9dsR4
                                                      TLSH:9EB5064193E5C013F8F76AB8E8396AF44A2A7E31D83CE11F1A047E6D79329D18935763
                                                      File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A..j...9...9...9...9...9...9...9...9...9...9...9...9...9...9...9...9...9...9...9...9<..9...9j..9...9...9...9...9Rich...9.......
                                                      Icon Hash:83b73111292d65c5
                                                      Entrypoint:0x42567d
                                                      Entrypoint Section:.text
                                                      Digitally signed:false
                                                      Imagebase:0x400000
                                                      Subsystem:windows gui
                                                      Image File Characteristics:RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                                                      DLL Characteristics:
                                                      Time Stamp:0x43A9E2E6 [Wed Dec 21 23:19:02 2005 UTC]
                                                      TLS Callbacks:
                                                      CLR (.Net) Version:
                                                      OS Version Major:4
                                                      OS Version Minor:0
                                                      File Version Major:4
                                                      File Version Minor:0
                                                      Subsystem Version Major:4
                                                      Subsystem Version Minor:0
                                                      Import Hash:1b45e9b30691181342689639e3f2a9ef
                                                      Instruction
                                                      push 00000060h
                                                      push 0044C9D0h
                                                      inc eax
                                                      inc ebx
                                                      mov eax, 00000000h
                                                      inc eax
                                                      add eax, ebx
                                                      mov eax, edi
                                                      call 00007F6D38CF5724h
                                                      mov dword ptr [ebp-18h], esp
                                                      mov esi, esp
                                                      mov dword ptr [esi], edi
                                                      push esi
                                                      call dword ptr [004462D4h]
                                                      mov ecx, dword ptr [esi+10h]
                                                      mov dword ptr [00480954h], ecx
                                                      mov eax, dword ptr [esi+04h]
                                                      mov dword ptr [00480960h], eax
                                                      mov edx, dword ptr [esi+08h]
                                                      mov dword ptr [00480964h], edx
                                                      mov esi, dword ptr [esi+0Ch]
                                                      and esi, 00007FFFh
                                                      mov dword ptr [00480958h], esi
                                                      cmp ecx, 02h
                                                      je 00007F6D38D172BEh
                                                      or esi, 00008000h
                                                      mov dword ptr [00480958h], esi
                                                      shl eax, 08h
                                                      add eax, edx
                                                      mov dword ptr [0048095Ch], eax
                                                      xor esi, esi
                                                      push esi
                                                      mov edi, dword ptr [00446338h]
                                                      call 00007F6D38D18ACFh
                                                      dec ebp
                                                      pop edx
                                                      jne 00007F6D38D172D1h
                                                      mov ecx, dword ptr [eax+3Ch]
                                                      add ecx, eax
                                                      cmp dword ptr [ecx], 00004550h
                                                      jne 00007F6D38D172C4h
                                                      movzx eax, word ptr [ecx+18h]
                                                      cmp eax, 0000010Bh
                                                      je 00007F6D38D172D1h
                                                      cmp eax, 0000020Bh
                                                      je 00007F6D38D172B7h
                                                      mov dword ptr [ebp-1Ch], esi
                                                      jmp 00007F6D38D172D9h
                                                      cmp dword ptr [ecx+00000084h], 0Eh
                                                      jbe 00007F6D38D172A4h
                                                      xor eax, eax
                                                      cmp dword ptr [ecx+000000F8h], esi
                                                      jmp 00007F6D38D172C0h
                                                      cmp dword ptr [ecx+74h], 0Eh
                                                      jbe 00007F6D38D17294h
                                                      xor eax, eax
                                                      cmp dword ptr [ecx+000000E8h], esi
                                                      setne al
                                                      mov dword ptr [ebp-1Ch], eax
                                                      Programming Language:
                                                      • [ASM] VS2003 (.NET) build 3077
                                                      • [ C ] VS2003 (.NET) build 3077
                                                      • [C++] VS2003 (.NET) build 3077
                                                      • [RES] VS2003 (.NET) build 3077
                                                      • [LNK] VS2003 (.NET) build 3077
| Name | Virtual Address | Virtual Size | Is in Section |
|---|---|---|---|
| IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IMPORT | 0x51b74 | 0x104 | .rdata |
| IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x83000 | 0x1ffa7c | .rsrc |
| IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_DEBUG | 0x46600 | 0x1c | .rdata |
| IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x4ec80 | 0x48 | .rdata |
| IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_IAT | 0x46000 | 0x5f4 | .rdata |
| IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 | |
| IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | |
| Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics |
|---|---|---|---|---|---|---|---|---|---|
| .text | 0x1000 | 0x443a4 | 0x45000 | 2692a1debfa0d53fd0e41574cd59f082 | False | 0.5499249886775363 | data | 6.578648209925144 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ |
| .rdata | 0x46000 | 0xdc08 | 0xe000 | f035081ac4c7ee86cd6ead176dd1c9bb | False | 0.3834228515625 | data | 5.2366811213048665 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| .data | 0x54000 | 0x2e294 | 0x4000 | 8313c86e1a2ce269f3aa390bb3074e9b | False | 0.2427978515625 | data | 2.963596560441913 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE |
| .rsrc | 0x83000 | 0x1ffa7c | 0x200000 | 03e05ef92389f374ffe1153de5ad83f1 | unknown | unknown | unknown | unknown | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ |
| Name | RVA | Size | Type | Language | Country | ZLIB Complexity |
|---|---|---|---|---|---|---|
| RT_CURSOR | 0x86358 | 0x25ac | data | | | 0.23828287017834923 |
| RT_CURSOR | 0x88904 | 0x134 | Targa image data - RGB 64 x 65536 x 1 +32 "\001" | English | United States | 0.4805194805194805 |
| RT_CURSOR | 0x88a38 | 0xb4 | Targa image data - Map 32 x 65536 x 1 +16 "\001" | English | United States | 0.7 |
| RT_CURSOR | 0x88aec | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294967264, 5120 elements, 2nd "\377\360?\377\377\370\177\377\377\374\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd | English | United States | 0.36363636363636365 |
| RT_CURSOR | 0x88c20 | 0x134 | Targa image data - RLE 64 x 65536 x 1 +32 "\001" | English | United States | 0.35714285714285715 |
| RT_CURSOR | 0x88d54 | 0x134 | data | English | United States | 0.37337662337662336 |
| RT_CURSOR | 0x88e88 | 0x134 | data | English | United States | 0.37662337662337664 |
| RT_CURSOR | 0x88fbc | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | English | United States | 0.36688311688311687 |
| RT_CURSOR | 0x890f0 | 0x134 | Targa image data 64 x 65536 x 1 +32 "\001" | English | United States | 0.37662337662337664 |
| RT_CURSOR | 0x89224 | 0x134 | Targa image data - Mono - RLE 64 x 65536 x 1 +32 "\001" | English | United States | 0.36688311688311687 |
| RT_CURSOR | 0x89358 | 0x134 | Targa image data - RGB - RLE 64 x 65536 x 1 +32 "\001" | English | United States | 0.38636363636363635 |
| RT_CURSOR | 0x8948c | 0x134 | data | English | United States | 0.44155844155844154 |
| RT_CURSOR | 0x895c0 | 0x134 | data | English | United States | 0.4155844155844156 |
| RT_CURSOR | 0x896f4 | 0x134 | AmigaOS bitmap font "(", fc_YSize 4294966847, 3840 elements, 2nd "\377?\374\377\377\300\003\377\377\300\003\377\377\340\007\377\377\360\017\377\377\370\037\377\377\374?\377\377\376\177\377\377\377\377\377\377\377\377\377\377\377\377\377", 3rd | English | United States | 0.5422077922077922 |
| RT_CURSOR | 0x89828 | 0x134 | data | English | United States | 0.2662337662337662 |
| RT_CURSOR | 0x8995c | 0x134 | data | English | United States | 0.2824675324675325 |
| RT_CURSOR | 0x89a90 | 0x134 | data | English | United States | 0.3246753246753247 |
| RT_BITMAP | 0x89bc4 | 0x14be8 | Device independent bitmap graphic, 302 x 276 x 8, image size 83904, 256 important colors | | | 0.2927337350531965 |
| RT_BITMAP | 0x9e7ac | 0xb8 | Device independent bitmap graphic, 12 x 10 x 4, image size 80 | English | United States | 0.44565217391304346 |
| RT_BITMAP | 0x9e864 | 0x144 | Device independent bitmap graphic, 33 x 11 x 4, image size 220 | English | United States | 0.37962962962962965 |
| RT_ICON | 0x9e9a8 | 0x13c3b | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.9546538200234699 |
| RT_ICON | 0xb25e4 | 0xc312 | PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced | | | 0.8132884777123633 |
| RT_ICON | 0xbe8f8 | 0x128 | Device independent bitmap graphic, 16 x 32 x 4, image size 128, 16 important colors | English | United States | 0.42567567567567566 |
| RT_ICON | 0xbea20 | 0x2e8 | Device independent bitmap graphic, 32 x 64 x 4, image size 512, 16 important colors | English | United States | 0.260752688172043 |
| RT_MENU | 0xbed08 | 0xe6 | data | English | United States | 0.6304347826086957 |
| RT_DIALOG | 0xbedf0 | 0x134 | data | English | United States | 0.5844155844155844 |
| RT_DIALOG | 0xbef24 | 0xe8 | data | English | United States | 0.6336206896551724 |
| RT_STRING | 0xbf00c | 0x378 | data | Chinese | Taiwan | 0.49436936936936937 |
| RT_STRING | 0xbf384 | 0x896 | data | Czech | Czech Republic | 0.29754322111010006 |
| RT_STRING | 0xbfc1c | 0x914 | data | Danish | Denmark | 0.2706540447504303 |
| RT_STRING | 0xc0530 | 0x9ec | data | German | Germany | 0.27244094488188975 |
| RT_STRING | 0xc0f1c | 0xa74 | data | Greek | Greece | 0.2705530642750374 |
| RT_STRING | 0xc1990 | 0x922 | data | Finnish | Finland | 0.2523524379811805 |
| RT_STRING | 0xc22b4 | 0x95e | data | French | France | 0.25312760633861553 |
| RT_STRING | 0xc2c14 | 0x68a | data | Hebrew | Israel | 0.3279569892473118 |
| RT_STRING | 0xc32a0 | 0x8e0 | data | Hungarian | Hungary | 0.2953345070422535 |
| RT_STRING | 0xc3b80 | 0x8e4 | data | Italian | Italy | 0.2627416520210896 |
| RT_STRING | 0xc4464 | 0x550 | data | Japanese | Japan | 0.35294117647058826 |
| RT_STRING | 0xc49b4 | 0x55c | data | Korean | North Korea | 0.39941690962099125 |
| RT_STRING | 0xc49b4 | 0x55c | data | Korean | South Korea | 0.39941690962099125 |
| RT_STRING | 0xc4f10 | 0x8e6 | data | Dutch | Netherlands | 0.26733977172958734 |
| RT_STRING | 0xc57f8 | 0x82a | data | Norwegian | Norway | 0.26842105263157895 |
| RT_STRING | 0xc6024 | 0x7ee | data | Polish | Poland | 0.28374384236453204 |
| RT_STRING | 0xc6814 | 0xa12 | data | Portuguese | Brazil | 0.24204809930178434 |
| RT_STRING | 0xc7228 | 0x7ba | data | Russian | Russia | 0.327098078867543 |
| RT_STRING | 0xc79e4 | 0x8fc | data | Swedish | Sweden | 0.25478260869565217 |
| RT_STRING | 0xc82e0 | 0x7e8 | data | Thai | Thailand | 0.3102766798418972 |
| RT_STRING | 0xc8ac8 | 0x3f6 | data | Chinese | China | 0.48520710059171596 |
| RT_STRING | 0xc8ec0 | 0x954 | data | Portuguese | Portugal | 0.26256281407035176 |
| RT_STRING | 0xc9814 | 0x8f2 | data | | | 0.251528384279476 |
| RT_STRING | 0xca108 | 0x8fa | data | English | Canada | 0.24412532637075718 |
| RT_STRING | 0xcaa04 | 0x21c | data | Chinese | Taiwan | 0.6444444444444445 |
| RT_STRING | 0xcac20 | 0x3ea | data | Czech | Czech Republic | 0.4431137724550898 |
| RT_STRING | 0xcb00c | 0x41e | data | Danish | Denmark | 0.3984819734345351 |
| RT_STRING | 0xcb42c | 0x512 | AmigaOS bitmap font "o", fc_YSize 25344, 17920 elements, 2nd " ", 3rd "e" | German | Germany | 0.362095531587057 |
| RT_STRING | 0xcb940 | 0x482 | data | Greek | Greece | 0.44280762564991333 |
| RT_STRING | 0xcbdc4 | 0x504 | data | Finnish | Finland | 0.3598130841121495 |
| RT_STRING | 0xcc2c8 | 0x4b6 | data | French | France | 0.3548922056384743 |
| RT_STRING | 0xcc780 | 0x384 | data | Hebrew | Israel | 0.4588888888888889 |
| RT_STRING | 0xccb04 | 0x466 | data | Hungarian | Hungary | 0.42362344582593253 |
| RT_STRING | 0xccf6c | 0x43c | data | Italian | Italy | 0.3966789667896679 |
| RT_STRING | 0xcd3a8 | 0x22e | data | Japanese | Japan | 0.6164874551971327 |
| RT_STRING | 0xcd5d8 | 0x240 | data | Korean | North Korea | 0.6388888888888888 |
| RT_STRING | 0xcd5d8 | 0x240 | data | Korean | South Korea | 0.6388888888888888 |
| RT_STRING | 0xcd818 | 0x4e2 | data | Dutch | Netherlands | 0.3424 |
| RT_STRING | 0xcdcfc | 0x3e0 | AmigaOS bitmap font "v", fc_YSize 28416, 16640 elements, 2nd "i", 3rd "e" | Norwegian | Norway | 0.4112903225806452 |
| RT_STRING | 0xce0dc | 0x4ac | data | Polish | Poland | 0.4080267558528428 |
| RT_STRING | 0xce588 | 0x4b0 | data | Portuguese | Brazil | 0.3858333333333333 |
| RT_STRING | 0xcea38 | 0x5c8 | data | Russian | Russia | 0.36824324324324326 |
| RT_STRING | 0xcf000 | 0x41e | data | Swedish | Sweden | 0.3776091081593928 |
| RT_STRING | 0xcf420 | 0x362 | data | Thai | Thailand | 0.46882217090069284 |
| RT_STRING | 0xcf784 | 0x1ea | data | Chinese | China | 0.7306122448979592 |
| RT_STRING | 0xcf970 | 0x4a6 | data | Portuguese | Portugal | 0.3815126050420168 |
| RT_STRING | 0xcfe18 | 0x4ec | AmigaOS bitmap font "s", fc_YSize 24832, 21760 elements, 2nd "c", 3rd "q" | | | 0.3753968253968254 |
| RT_STRING | 0xd0304 | 0x3b0 | data | English | Canada | 0.4014830508474576 |
| RT_STRING | 0xd06b4 | 0x2c8 | data | Chinese | Taiwan | 0.7780898876404494 |
| RT_STRING | 0xd097c | 0x6c2 | data | Czech | Czech Republic | 0.4028901734104046 |
| RT_STRING | 0xd1040 | 0x7ec | data | Danish | Denmark | 0.35552268244575935 |
| RT_STRING | 0xd182c | 0x8c8 | data | German | Germany | 0.33629893238434166 |
| RT_STRING | 0xd20f4 | 0x926 | AmigaOS bitmap font "\301\003\255\003\307\003\277\003\275\003 ", fc_YSize 4294948611, 41987 elements | Greek | Greece | 0.3736122971818958 |
| RT_STRING | 0xd2a1c | 0x6a8 | data | Finnish | Finland | 0.3826291079812207 |
| RT_STRING | 0xd30c4 | 0x818 | data | French | France | 0.3359073359073359 |
| RT_STRING | 0xd38dc | 0x6e0 | data | Hebrew | Israel | 0.38238636363636364 |
| RT_STRING | 0xd3fbc | 0x750 | AmigaOS bitmap font "k", fc_YSize 11520, 16640 elements, 2nd " ", 3rd "l" | Hungarian | Hungary | 0.38514957264957267 |
| RT_STRING | 0xd470c | 0x7b6 | data | Italian | Italy | 0.34903748733535966 |
| RT_STRING | 0xd4ec4 | 0x3e4 | data | Japanese | Japan | 0.5783132530120482 |
| RT_STRING | 0xd52a8 | 0x44c | data | Korean | North Korea | 0.5636363636363636 |
| RT_STRING | 0xd52a8 | 0x44c | data | Korean | South Korea | 0.5636363636363636 |
| RT_STRING | 0xd56f4 | 0x820 | data | Dutch | Netherlands | 0.33557692307692305 |
| RT_STRING | 0xd5f14 | 0x742 | AmigaOS bitmap font "j", fc_YSize 30208, 18176 elements, 2nd "r", 3rd "e" | Norwegian | Norway | 0.34607104413347684 |
| RT_STRING | 0xd6658 | 0x728 | data | Polish | Poland | 0.384825327510917 |
| RT_STRING | 0xd6d80 | 0x84c | data | Portuguese | Brazil | 0.3422787193973635 |
| RT_STRING | 0xd75cc | 0x6f2 | data | Russian | Russia | 0.3914510686164229 |
| RT_STRING | 0xd7cc0 | 0x7b6 | AmigaOS bitmap font "u", fc_YSize 8192, 19968 elements, 2nd "v", 3rd "e" | Swedish | Sweden | 0.3601823708206687 |
| RT_STRING | 0xd8478 | 0x658 | data | Thai | Thailand | 0.42549261083743845 |
| RT_STRING | 0xd8ad0 | 0x2e0 | data | Chinese | China | 0.751358695652174 |
| RT_STRING | 0xd8db0 | 0x770 | data | Portuguese | Portugal | 0.34558823529411764 |
| RT_STRING | 0xd9520 | 0x7b0 | AmigaOS bitmap font "r", fc_YSize 25856, 16640 elements, 2nd "D", 3rd "e" | | | 0.3475609756097561 |
| RT_STRING | 0xd9cd0 | 0x7b6 | data | English | Canada | 0.3454913880445795 |
| RT_STRING | 0xda488 | 0x2d6 | data | Chinese | Taiwan | 0.7851239669421488 |
| RT_STRING | 0xda760 | 0x64a | data | Czech | Czech Republic | 0.45217391304347826 |
| RT_STRING | 0xdadac | 0x66c | data | Danish | Denmark | 0.40450121654501214 |
| RT_STRING | 0xdb418 | 0x6e0 | Dyalog APL aplcore version 66.0 | German | Germany | 0.4017045454545455 |
| RT_STRING | 0xdbaf8 | 0x718 | OpenPGP Secret Key | Greek | Greece | 0.43061674008810574 |
| RT_STRING | 0xdc210 | 0x63e | data | Finnish | Finland | 0.4123904881101377 |
| RT_STRING | 0xdc850 | 0x65e | data | French | France | 0.4147239263803681 |
| RT_STRING | 0xdceb0 | 0x5c4 | data | Hebrew | Israel | 0.45799457994579945 |
| RT_STRING | 0xdd474 | 0x5b0 | data | Hungarian | Hungary | 0.45879120879120877 |
| RT_STRING | 0xdda24 | 0x67c | data | Italian | Italy | 0.41566265060240964 |
| RT_STRING | 0xde0a0 | 0x36a | data | Japanese | Japan | 0.6601830663615561 |
| RT_STRING | 0xde40c | 0x380 | data | Korean | North Korea | 0.6662946428571429 |
| RT_STRING | 0xde40c | 0x380 | data | Korean | South Korea | 0.6662946428571429 |
| RT_STRING | 0xde78c | 0x6c0 | data | Dutch | Netherlands | 0.3894675925925926 |
| RT_STRING | 0xdee4c | 0x63a | data | Norwegian | Norway | 0.397741530740276 |
| RT_STRING | 0xdf488 | 0x5d0 | data | Polish | Poland | 0.4536290322580645 |
| RT_STRING | 0xdfa58 | 0x66a | data | Portuguese | Brazil | 0.4287454323995128 |
| RT_STRING | 0xe00c4 | 0x550 | data | Russian | Russia | 0.4625 |
| RT_STRING | 0xe0614 | 0x60e | data | Swedish | Sweden | 0.4096774193548387 |
| RT_STRING | 0xe0c24 | 0x500 | data | Thai | Thailand | 0.5046875 |
| RT_STRING | 0xe1124 | 0x2c8 | data | Chinese | China | 0.827247191011236 |
| RT_STRING | 0xe13ec | 0x608 | OpenPGP Secret Key | Portuguese | Portugal | 0.4216321243523316 |
| RT_STRING | 0xe19f4 | 0x664 | OpenPGP Secret Key | | | 0.41503667481662593 |
| RT_STRING | 0xe2058 | 0x5da | DOS executable (COM, 0x8C-variant) | English | Canada | 0.4205607476635514 |
| RT_STRING | 0xe2634 | 0x340 | AmigaOS bitmap font "~v.zMQ\273\214\013N\011\217\204v", fc_YSize 8192, 2638 elements, 2nd "-\212\356v\004\223\014", 3rd "d" | Chinese | Taiwan | 0.6358173076923077 |
| RT_STRING | 0xe2974 | 0x6f8 | data | Czech | Czech Republic | 0.36154708520179374 |
| RT_STRING | 0xe306c | 0x74c | data | Danish | Denmark | 0.3329764453961456 |
| RT_STRING | 0xe37b8 | 0x802 | data | German | Germany | 0.3326829268292683 |
| RT_STRING | 0xe3fbc | 0x908 | data | Greek | Greece | 0.3672145328719723 |
| RT_STRING | 0xe48c4 | 0x77e | data | Finnish | Finland | 0.35662148070907196 |
| RT_STRING | 0xe5044 | 0x842 | data | French | France | 0.33349101229895933 |
| RT_STRING | 0xe5888 | 0x626 | data | Hebrew | Israel | 0.40088945362134687 |
| RT_STRING | 0xe5eb0 | 0x72a | data | Hungarian | Hungary | 0.36150490730643403 |
| RT_STRING | 0xe65dc | 0x7b8 | data | Italian | Italy | 0.3350202429149798 |
| RT_STRING | 0xe6d94 | 0x456 | data | Japanese | Japan | 0.4846846846846847 |
| RT_STRING | 0xe71ec | 0x45a | data | Korean | North Korea | 0.5197486535008977 |
| RT_STRING | 0xe71ec | 0x45a | data | Korean | South Korea | 0.5197486535008977 |
| RT_STRING | 0xe7648 | 0x7ce | data | Dutch | Netherlands | 0.3308308308308308 |
| RT_STRING | 0xe7e18 | 0x7a6 | data | Norwegian | Norway | 0.3202247191011236 |
| RT_STRING | 0xe85c0 | 0x698 | data | Polish | Poland | 0.36729857819905215 |
| RT_STRING | 0xe8c58 | 0x85c | data | Portuguese | Brazil | 0.31822429906542055 |
| RT_STRING | 0xe94b4 | 0x6b0 | data | Russian | Russia | 0.3679906542056075 |
| RT_STRING | 0xe9b64 | 0x6de | data | Swedish | Sweden | 0.34186575654152446 |
| RT_STRING | 0xea244 | 0x636 | data | Thai | Thailand | 0.3855345911949686 |
| RT_STRING | 0xea87c | 0x346 | data | Chinese | China | 0.636038186157518 |
| RT_STRING | 0xeabc4 | 0x7de | data | Portuguese | Portugal | 0.32621648460774577 |
| RT_STRING | 0xeb3a4 | 0x73c | data | | | 0.3250539956803456 |
| RT_STRING | 0xebae0 | 0x74c | data | English | Canada | 0.3217344753747323 |
| RT_STRING | 0xec22c | 0x46e | data | Chinese | Taiwan | 0.599647266313933 |
| RT_STRING | 0xec69c | 0x7b8 | data | Czech | Czech Republic | 0.4185222672064777 |
| RT_STRING | 0xece54 | 0x82a | data | Danish | Denmark | 0.3736842105263158 |
| RT_STRING | 0xed680 | 0x868 | data | German | Germany | 0.3712825278810409 |
| RT_STRING | 0xedee8 | 0x966 | data | Greek | Greece | 0.39276807980049877 |
| RT_STRING | 0xee850 | 0x954 | data | Finnish | Finland | 0.36139028475711893 |
| RT_STRING | 0xef1a4 | 0x94c | PDP-11 demand-paged pure executable not stripped | French | France | 0.36512605042016805 |
| RT_STRING | 0xefaf0 | 0x728 | data | Hebrew | Israel | 0.4170305676855895 |
| RT_STRING | 0xf0218 | 0x7f8 | data | Hungarian | Hungary | 0.3877450980392157 |
| RT_STRING | 0xf0a10 | 0x86a | data | Italian | Italy | 0.37418755803156917 |
| RT_STRING | 0xf127c | 0x53e | data | Japanese | Japan | 0.5104321907600596 |
| RT_STRING | 0xf17bc | 0x5ae | data | Korean | North Korea | 0.5281980742778541 |
| RT_STRING | 0xf17bc | 0x5ae | data | Korean | South Korea | 0.5281980742778541 |
| RT_STRING | 0xf1d6c | 0x878 | data | Dutch | Netherlands | 0.3519372693726937 |
| RT_STRING | 0xf25e4 | 0x7a4 | data | Norwegian | Norway | 0.37678936605316976 |
| RT_STRING | 0xf2d88 | 0x85a | data | Polish | Poland | 0.3985032740879326 |
| RT_STRING | 0xf35e4 | 0x8ee | data | Portuguese | Brazil | 0.36832895888014 |
| RT_STRING | 0xf3ed4 | 0x83a | data | Russian | Russia | 0.4107312440645774 |
| RT_STRING | 0xf4710 | 0x7fa | data | Swedish | Sweden | 0.38050930460333005 |
| RT_STRING | 0xf4f0c | 0x738 | data | Thai | Thailand | 0.42045454545454547 |
| RT_STRING | 0xf5644 | 0x482 | data | Chinese | China | 0.6091854419410745 |
| RT_STRING | 0xf5ac8 | 0x81a | data | Portuguese | Portugal | 0.3799421407907425 |
| RT_STRING | 0xf62e4 | 0x858 | data | | | 0.38436329588014984 |
                                                      RT_STRING0xf6b3c0x7badataEnglishCanada0.3822042467138524
                                                      RT_STRING0xf72f80x38dataChineseTaiwan0.6428571428571429
                                                      RT_STRING0xf73300x56dataCzechCzech Republic0.6511627906976745
                                                      RT_STRING0xf73880x5edataDanishDenmark0.6382978723404256
                                                      RT_STRING0xf73e80x56dataGermanGermany0.686046511627907
                                                      RT_STRING0xf74400x5adataGreekGreece0.7222222222222222
                                                      RT_STRING0xf749c0x5edataFinnishFinland0.6382978723404256
                                                      RT_STRING0xf74fc0x5adataFrenchFrance0.6444444444444445
                                                      RT_STRING0xf75580x46dataHebrewIsrael0.7
                                                      RT_STRING0xf75a00x52dataHungarianHungary0.6341463414634146
                                                      RT_STRING0xf75f40x62dataItalianItaly0.6122448979591837
                                                      RT_STRING0xf76580x44dataJapaneseJapan0.6911764705882353
                                                      RT_STRING0xf769c0x3cdataKoreanNorth Korea0.65
                                                      RT_STRING0xf769c0x3cdataKoreanSouth Korea0.65
                                                      RT_STRING0xf76d80x56dataDutchNetherlands0.6744186046511628
                                                      RT_STRING0xf77300x68dataNorwegianNorway0.6826923076923077
                                                      RT_STRING0xf77980x96dataPolishPoland0.6466666666666666
                                                      RT_STRING0xf78300x5cdataPortugueseBrazil0.6630434782608695
                                                      RT_STRING0xf788c0x3cdataRussianRussia0.6333333333333333
                                                      RT_STRING0xf78c80x5adataSwedishSweden0.6555555555555556
                                                      RT_STRING0xf79240x48dataThaiThailand0.6527777777777778
                                                      RT_STRING0xf796c0x3adataChineseChina0.6551724137931034
                                                      RT_STRING0xf79a80x52dataPortuguesePortugal0.6707317073170732
                                                      RT_STRING0xf79fc0x5cdata0.6630434782608695
                                                      RT_STRING0xf7a580x4adataEnglishCanada0.6621621621621622
                                                      RT_STRING0xf7aa40x298dataChineseTaiwan0.713855421686747
                                                      RT_STRING0xf7d3c0x718dataCzechCzech Republic0.3601321585903084
                                                      RT_STRING0xf84540x7a8dataDanishDenmark0.3153061224489796
                                                      RT_STRING0xf8bfc0x884dataGermanGermany0.31238532110091743
                                                      RT_STRING0xf94800x820dataGreekGreece0.33028846153846153
                                                      RT_STRING0xf9ca00x7e0dataFinnishFinland0.3060515873015873
                                                      RT_STRING0xfa4800x86adataFrenchFrance0.3138347260909935
                                                      RT_STRING0xfacec0x5e0dataHebrewIsrael0.3696808510638298
                                                      RT_STRING0xfb2cc0x718dataHungarianHungary0.3419603524229075
                                                      RT_STRING0xfb9e40x810dataItalianItaly0.29651162790697677
                                                      RT_STRING0xfc1f40x442dataJapaneseJapan0.5376146788990825
                                                      RT_STRING0xfc6380x456dataKoreanNorth Korea0.554954954954955
                                                      RT_STRING0xfc6380x456dataKoreanSouth Korea0.554954954954955
                                                      RT_STRING0xfca900x798dataDutchNetherlands0.3045267489711934
                                                      RT_STRING0xfd2280x6e8dataNorwegianNorway0.3173076923076923
                                                      RT_STRING0xfd9100x7b0dataPolishPoland0.3429878048780488
                                                      RT_STRING0xfe0c00x7eadataPortugueseBrazil0.31539980256663375
                                                      RT_STRING0xfe8ac0x710dataRussianRussia0.3495575221238938
                                                      RT_STRING0xfefbc0x734dataSwedishSweden0.3297180043383948
                                                      RT_STRING0xff6f00x5e8dataThaiThailand0.37037037037037035
                                                      RT_STRING0xffcd80x27cdataChineseChina0.6965408805031447
                                                      RT_STRING0xfff540x836dataPortuguesePortugal0.30209324452902
                                                      RT_STRING0x10078c0x8a0data0.3016304347826087
                                                      RT_STRING0x10102c0x77edataEnglishCanada0.30552659019812306
                                                      RT_STRING0x1017ac0xaedataChineseTaiwan0.8908045977011494
                                                      RT_STRING0x10185c0x1feOpenPGP Public KeyCzechCzech Republic0.515686274509804
                                                      RT_STRING0x101a5c0x222PGP Secret Sub-key -DanishDenmark0.43956043956043955
                                                      RT_STRING0x101c800x278dataGermanGermany0.4272151898734177
                                                      RT_STRING0x101ef80x244dataGreekGreece0.4793103448275862
                                                      RT_STRING0x10213c0x1dedataFinnishFinland0.4707112970711297
                                                      RT_STRING0x10231c0x230dataFrenchFrance0.4714285714285714
                                                      RT_STRING0x10254c0x170dataHebrewIsrael0.5081521739130435
                                                      RT_STRING0x1026bc0x248dataHungarianHungary0.4948630136986301
                                                      RT_STRING0x1029040x24cdataItalianItaly0.42857142857142855
                                                      RT_STRING0x102b500x108dataJapaneseJapan0.8068181818181818
                                                      RT_STRING0x102c580x122dataKoreanNorth Korea0.7344827586206897
                                                      RT_STRING0x102c580x122dataKoreanSouth Korea0.7344827586206897
                                                      RT_STRING0x102d7c0x270dataDutchNetherlands0.42788461538461536
                                                      RT_STRING0x102fec0x1ecdataNorwegianNorway0.45934959349593496
                                                      RT_STRING0x1031d80x208OpenPGP Public KeyPolishPoland0.5115384615384615
                                                      RT_STRING0x1033e00x242dataPortugueseBrazil0.4429065743944637
                                                      RT_STRING0x1036240x1e6dataRussianRussia0.4876543209876543
                                                      RT_STRING0x10380c0x21eOpenPGP Secret KeySwedishSweden0.44280442804428044
                                                      RT_STRING0x103a2c0x1b4dataThaiThailand0.5779816513761468
                                                      RT_STRING0x103be00xa8dataChineseChina0.8690476190476191
                                                      RT_STRING0x103c880x254dataPortuguesePortugal0.4513422818791946
                                                      RT_STRING0x103edc0x216OpenPGP Secret Key0.46254681647940077
                                                      RT_STRING0x1040f40x21cdataEnglishCanada0.45
                                                      RT_STRING0x1043100x3adataChineseTaiwan0.6379310344827587
                                                      RT_STRING0x10434c0x3adataCzechCzech Republic0.6379310344827587
                                                      RT_STRING0x1043880x3adataDanishDenmark0.6379310344827587
                                                      RT_STRING0x1043c40x3adataGermanGermany0.6379310344827587
                                                      RT_STRING0x1044000x3adataGreekGreece0.6379310344827587
                                                      RT_STRING0x10443c0x3adataFinnishFinland0.6379310344827587
                                                      RT_STRING0x1044780x3adataFrenchFrance0.6379310344827587
                                                      RT_STRING0x1044b40x3adataHebrewIsrael0.6379310344827587
                                                      RT_STRING0x1044f00x3adataHungarianHungary0.6379310344827587
                                                      RT_STRING0x10452c0x3adataItalianItaly0.6379310344827587
                                                      RT_STRING0x1045680x3adataJapaneseJapan0.6379310344827587
                                                      RT_STRING0x1045a40x3adataKoreanNorth Korea0.6379310344827587
                                                      RT_STRING0x1045a40x3adataKoreanSouth Korea0.6379310344827587
                                                      RT_STRING0x1045e00x3adataDutchNetherlands0.6379310344827587
                                                      RT_STRING0x10461c0x3adataNorwegianNorway0.6379310344827587
                                                      RT_STRING0x1046580x3adataPolishPoland0.6379310344827587
                                                      RT_STRING0x1046940x3adataPortugueseBrazil0.6379310344827587
                                                      RT_STRING0x1046d00x3adataRussianRussia0.6379310344827587
                                                      RT_STRING0x10470c0x3adataSwedishSweden0.6379310344827587
                                                      RT_STRING0x1047480x3adataThaiThailand0.6379310344827587
                                                      RT_STRING0x1047840x3adataChineseChina0.6379310344827587
                                                      RT_STRING0x1047c00x3adataPortuguesePortugal0.6379310344827587
                                                      RT_STRING0x1047fc0x3adata0.6379310344827587
                                                      RT_STRING0x1048380x3adataEnglishCanada0.6379310344827587
                                                      RT_STRING0x1048740x328dataChineseTaiwan0.34405940594059403
                                                      RT_STRING0x104b9c0x328dataCzechCzech Republic0.34405940594059403
                                                      RT_STRING0x104ec40x328dataDanishDenmark0.34405940594059403
                                                      RT_STRING0x1051ec0x328dataGermanGermany0.34405940594059403
                                                      RT_STRING0x1055140x328dataGreekGreece0.34405940594059403
                                                      RT_STRING0x10583c0x328dataFinnishFinland0.34405940594059403
                                                      RT_STRING0x105b640x328dataFrenchFrance0.34405940594059403
                                                      RT_STRING0x105e8c0x328dataHebrewIsrael0.34405940594059403
                                                      RT_STRING0x1061b40x328dataHungarianHungary0.34405940594059403
                                                      RT_STRING0x1064dc0x328dataItalianItaly0.34405940594059403
                                                      RT_STRING0x1068040x328dataJapaneseJapan0.34405940594059403
                                                      RT_STRING0x106b2c0x328dataKoreanNorth Korea0.34405940594059403
                                                      RT_STRING0x106b2c0x328dataKoreanSouth Korea0.34405940594059403
                                                      RT_STRING0x106e540x328dataDutchNetherlands0.34405940594059403
                                                      RT_STRING0x10717c0x328dataNorwegianNorway0.34405940594059403
                                                      RT_STRING0x1074a40x328dataPolishPoland0.34405940594059403
                                                      RT_STRING0x1077cc0x328dataPortugueseBrazil0.34405940594059403
                                                      RT_STRING0x107af40x328dataRussianRussia0.34405940594059403
                                                      RT_STRING0x107e1c0x328dataSwedishSweden0.34405940594059403
                                                      RT_STRING0x1081440x328dataThaiThailand0.34405940594059403
                                                      RT_STRING0x10846c0x328dataChineseChina0.34405940594059403
                                                      RT_STRING0x1087940x328dataPortuguesePortugal0.34405940594059403
                                                      RT_STRING0x108abc0x328data0.34405940594059403
                                                      RT_STRING0x108de40x328dataEnglishCanada0.34405940594059403
                                                      RT_STRING0x10910c0x70dataChineseTaiwan0.625
                                                      RT_STRING0x10917c0x70dataCzechCzech Republic0.625
                                                      RT_STRING0x1091ec0x70dataDanishDenmark0.625
                                                      RT_STRING0x10925c0x70dataGermanGermany0.625
                                                      RT_STRING0x1092cc0x70dataGreekGreece0.625
                                                      RT_STRING0x10933c0x70dataFinnishFinland0.625
                                                      RT_STRING0x1093ac0x70dataFrenchFrance0.625
                                                      RT_STRING0x10941c0x70dataHebrewIsrael0.625
                                                      RT_STRING0x10948c0x70dataHungarianHungary0.625
                                                      RT_STRING0x1094fc0x70dataItalianItaly0.625
                                                      RT_STRING0x10956c0x70dataJapaneseJapan0.625
                                                      RT_STRING0x1095dc0x70dataKoreanNorth Korea0.625
                                                      RT_STRING0x1095dc0x70dataKoreanSouth Korea0.625
                                                      RT_STRING0x10964c0x70dataDutchNetherlands0.625
                                                      RT_STRING0x1096bc0x70dataNorwegianNorway0.625
                                                      RT_STRING0x10972c0x70dataPolishPoland0.625
                                                      RT_STRING0x10979c0x70dataPortugueseBrazil0.625
                                                      RT_STRING0x10980c0x70dataRussianRussia0.625
                                                      RT_STRING0x10987c0x70dataSwedishSweden0.625
                                                      RT_STRING0x1098ec0x70dataThaiThailand0.625
                                                      RT_STRING0x10995c0x70dataChineseChina0.625
                                                      RT_STRING0x1099cc0x70dataPortuguesePortugal0.625
                                                      RT_STRING0x109a3c0x70data0.625
                                                      RT_STRING0x109aac0x70dataEnglishCanada0.625
                                                      RT_STRING0x109b1c0x106dataChineseTaiwan0.5763358778625954
                                                      RT_STRING0x109c240x106dataCzechCzech Republic0.5763358778625954
                                                      RT_STRING0x109d2c0x106dataDanishDenmark0.5763358778625954
                                                      RT_STRING0x109e340x106dataGermanGermany0.5763358778625954
                                                      RT_STRING0x109f3c0x106dataGreekGreece0.5763358778625954
                                                      RT_STRING0x10a0440x106dataFinnishFinland0.5763358778625954
                                                      RT_STRING0x10a14c0x106dataFrenchFrance0.5763358778625954
                                                      RT_STRING0x10a2540x106dataHebrewIsrael0.5763358778625954
                                                      RT_STRING0x10a35c0x106dataHungarianHungary0.5763358778625954
                                                      RT_STRING0x10a4640x106dataItalianItaly0.5763358778625954
                                                      RT_STRING0x10a56c0x106dataJapaneseJapan0.5763358778625954
                                                      RT_STRING0x10a6740x106dataKoreanNorth Korea0.5763358778625954
                                                      RT_STRING0x10a6740x106dataKoreanSouth Korea0.5763358778625954
                                                      RT_STRING0x10a77c0x106dataDutchNetherlands0.5763358778625954
                                                      RT_STRING0x10a8840x106dataNorwegianNorway0.5763358778625954
                                                      RT_STRING0x10a98c0x106dataPolishPoland0.5763358778625954
                                                      RT_STRING0x10aa940x106dataPortugueseBrazil0.5763358778625954
                                                      RT_STRING0x10ab9c0x106dataRussianRussia0.5763358778625954
                                                      RT_STRING0x10aca40x106dataSwedishSweden0.5763358778625954
                                                      RT_STRING0x10adac0x106dataThaiThailand0.5763358778625954
                                                      RT_STRING0x10aeb40x106dataChineseChina0.5763358778625954
                                                      RT_STRING0x10afbc0x106dataPortuguesePortugal0.5763358778625954
                                                      RT_STRING0x10b0c40x106data0.5763358778625954
                                                      RT_STRING0x10b1cc0x106dataEnglishCanada0.5763358778625954
                                                      RT_STRING0x10b2d40xdadataChineseTaiwan0.43119266055045874
                                                      RT_STRING0x10b3b00xdadataCzechCzech Republic0.43119266055045874
                                                      RT_STRING0x10b48c0xdadataDanishDenmark0.43119266055045874
                                                      RT_STRING0x10b5680xdadataGermanGermany0.43119266055045874
                                                      RT_STRING0x10b6440xdadataGreekGreece0.43119266055045874
                                                      RT_STRING0x10b7200xdadataFinnishFinland0.43119266055045874
                                                      RT_STRING0x10b7fc0xdadataFrenchFrance0.43119266055045874
                                                      RT_STRING0x10b8d80xdadataHebrewIsrael0.43119266055045874
                                                      RT_STRING0x10b9b40xdadataHungarianHungary0.43119266055045874
                                                      RT_STRING0x10ba900xdadataItalianItaly0.43119266055045874
                                                      RT_STRING0x10bb6c0xdadataJapaneseJapan0.43119266055045874
                                                      RT_STRING0x10bc480xdadataKoreanNorth Korea0.43119266055045874
                                                      RT_STRING0x10bc480xdadataKoreanSouth Korea0.43119266055045874
                                                      RT_STRING0x10bd240xdadataDutchNetherlands0.43119266055045874
                                                      RT_STRING0x10be000xdadataNorwegianNorway0.43119266055045874
                                                      RT_STRING0x10bedc0xdadataPolishPoland0.43119266055045874
                                                      RT_STRING0x10bfb80xdadataPortugueseBrazil0.43119266055045874
                                                      RT_STRING0x10c0940xdadataRussianRussia0.43119266055045874
                                                      RT_STRING0x10c1700xdadataSwedishSweden0.43119266055045874
                                                      RT_STRING0x10c24c0xdadataThaiThailand0.43119266055045874
                                                      RT_STRING0x10c3280xdadataChineseChina0.43119266055045874
                                                      RT_STRING0x10c4040xdadataPortuguesePortugal0.43119266055045874
                                                      RT_STRING0x10c4e00xdadata0.43119266055045874
                                                      RT_STRING0x10c5bc0xdadataEnglishCanada0.43119266055045874
                                                      RT_STRING0x10c6980x46dataChineseTaiwan0.7428571428571429
                                                      RT_STRING0x10c6e00x46dataCzechCzech Republic0.7428571428571429
                                                      RT_STRING0x10c7280x46dataDanishDenmark0.7428571428571429
                                                      RT_STRING0x10c7700x46dataGermanGermany0.7428571428571429
                                                      RT_STRING0x10c7b80x46dataGreekGreece0.7428571428571429
                                                      RT_STRING0x10c8000x46dataFinnishFinland0.7428571428571429
                                                      RT_STRING0x10c8480x46dataFrenchFrance0.7428571428571429
                                                      RT_STRING0x10c8900x46dataHebrewIsrael0.7428571428571429
                                                      RT_STRING0x10c8d80x46dataHungarianHungary0.7428571428571429
                                                      RT_STRING0x10c9200x46dataItalianItaly0.7428571428571429
                                                      RT_STRING0x10c9680x46dataJapaneseJapan0.7428571428571429
                                                      RT_STRING0x10c9b00x46dataKoreanNorth Korea0.7428571428571429
                                                      RT_STRING0x10c9b00x46dataKoreanSouth Korea0.7428571428571429
                                                      RT_STRING0x10c9f80x46dataDutchNetherlands0.7428571428571429
                                                      RT_STRING0x10ca400x46dataNorwegianNorway0.7428571428571429
                                                      RT_STRING0x10ca880x46dataPolishPoland0.7428571428571429
                                                      RT_STRING0x10cad00x46dataPortugueseBrazil0.7428571428571429
                                                      RT_STRING0x10cb180x46dataRussianRussia0.7428571428571429
                                                      RT_STRING0x10cb600x46dataSwedishSweden0.7428571428571429
                                                      RT_STRING0x10cba80x46dataThaiThailand0.7428571428571429
                                                      RT_STRING0x10cbf00x46dataChineseChina0.7428571428571429
                                                      RT_STRING0x10cc380x46dataPortuguesePortugal0.7428571428571429
                                                      RT_STRING0x10cc800x46data0.7428571428571429
                                                      RT_STRING0x10ccc80x46dataEnglishCanada0.7428571428571429
                                                      RT_STRING0x10cd100x1f8dataChineseTaiwan0.36706349206349204
                                                      RT_STRING0x10cf080x1f8dataCzechCzech Republic0.36706349206349204
                                                      RT_STRING0x10d1000x1f8dataDanishDenmark0.36706349206349204
                                                      RT_STRING0x10d2f80x1f8dataGermanGermany0.36706349206349204
                                                      RT_STRING0x10d4f00x1f8dataGreekGreece0.36706349206349204
                                                      RT_STRING0x10d6e80x1f8dataFinnishFinland0.36706349206349204
                                                      RT_STRING0x10d8e00x1f8dataFrenchFrance0.36706349206349204
                                                      RT_STRING0x10dad80x1f8dataHebrewIsrael0.36706349206349204
                                                      RT_STRING0x10dcd00x1f8dataHungarianHungary0.36706349206349204
                                                      RT_STRING0x10dec80x1f8dataItalianItaly0.36706349206349204
                                                      RT_STRING0x10e0c00x1f8dataJapaneseJapan0.36706349206349204
                                                      RT_STRING0x10e2b80x1f8dataKoreanNorth Korea0.36706349206349204
                                                      RT_STRING0x10e2b80x1f8dataKoreanSouth Korea0.36706349206349204
                                                      RT_STRING0x10e4b00x1f8dataDutchNetherlands0.36706349206349204
                                                      RT_STRING0x10e6a80x1f8dataNorwegianNorway0.36706349206349204
                                                      RT_STRING0x10e8a00x1f8dataPolishPoland0.36706349206349204
                                                      RT_STRING0x10ea980x1f8dataPortugueseBrazil0.36706349206349204
                                                      RT_STRING0x10ec900x1f8dataRussianRussia0.36706349206349204
                                                      RT_STRING0x10ee880x1f8dataSwedishSweden0.36706349206349204
                                                      RT_STRING0x10f0800x1f8dataThaiThailand0.36706349206349204
                                                      RT_STRING0x10f2780x1f8dataChineseChina0.36706349206349204
                                                      RT_STRING0x10f4700x1f8dataPortuguesePortugal0.36706349206349204
                                                      RT_STRING0x10f6680x1f8data0.36706349206349204
                                                      RT_STRING0x10f8600x1f8dataEnglishCanada0.36706349206349204
                                                      RT_STRING0x10fa580x86dataChineseTaiwan0.6567164179104478
                                                      RT_STRING0x10fae00x86dataCzechCzech Republic0.6567164179104478
                                                      RT_STRING0x10fb680x86dataDanishDenmark0.6567164179104478
                                                      RT_STRING0x10fbf00x86dataGermanGermany0.6567164179104478
                                                      RT_STRING0x10fc780x86dataGreekGreece0.6567164179104478
                                                      RT_STRING0x10fd000x86dataFinnishFinland0.6567164179104478
                                                      RT_STRING0x10fd880x86dataFrenchFrance0.6567164179104478
                                                      RT_STRING0x10fe100x86dataHebrewIsrael0.6567164179104478
                                                      RT_STRING0x10fe980x86dataHungarianHungary0.6567164179104478
                                                      RT_STRING0x10ff200x86dataItalianItaly0.6567164179104478
                                                      RT_STRING0x10ffa80x86dataJapaneseJapan0.6567164179104478
RT_STRING | 0x110030 | 0x86 | data | Korean | North Korea | 0.6567164179104478
RT_STRING | 0x110030 | 0x86 | data | Korean | South Korea | 0.6567164179104478
RT_STRING | 0x1100b8 | 0x86 | data | Dutch | Netherlands | 0.6567164179104478
RT_STRING | 0x110140 | 0x86 | data | Norwegian | Norway | 0.6567164179104478
RT_STRING | 0x1101c8 | 0x86 | data | Polish | Poland | 0.6567164179104478
RT_STRING | 0x110250 | 0x86 | data | Portuguese | Brazil | 0.6567164179104478
RT_STRING | 0x1102d8 | 0x86 | data | Russian | Russia | 0.6567164179104478
RT_STRING | 0x110360 | 0x86 | data | Swedish | Sweden | 0.6567164179104478
RT_STRING | 0x1103e8 | 0x86 | data | Thai | Thailand | 0.6567164179104478
RT_STRING | 0x110470 | 0x86 | data | Chinese | China | 0.6567164179104478
RT_STRING | 0x1104f8 | 0x86 | data | Portuguese | Portugal | 0.6567164179104478
RT_STRING | 0x110580 | 0x86 | data | | | 0.6567164179104478
RT_STRING | 0x110608 | 0x86 | data | English | Canada | 0.6567164179104478
RT_STRING | 0x110690 | 0x82 | StarOffice Gallery theme p, 536899072 objects, 1st n | English | United States | 0.7153846153846154
RT_STRING | 0x110714 | 0x2a | data | English | United States | 0.5476190476190477
RT_STRING | 0x110740 | 0x192 | data | English | United States | 0.48009950248756217
RT_STRING | 0x1108d4 | 0x4e2 | data | English | United States | 0.376
RT_STRING | 0x110db8 | 0x31a | data | English | United States | 0.2682619647355164
RT_STRING | 0x1110d4 | 0x2dc | data | English | United States | 0.36885245901639346
RT_STRING | 0x1113b0 | 0x8a | data | English | United States | 0.6594202898550725
RT_STRING | 0x11143c | 0xac | data | English | United States | 0.45348837209302323
RT_STRING | 0x1114e8 | 0xde | data | English | United States | 0.536036036036036
RT_STRING | 0x1115c8 | 0x4c4 | data | English | United States | 0.3221311475409836
RT_STRING | 0x111a8c | 0x264 | data | English | United States | 0.3741830065359477
RT_STRING | 0x111cf0 | 0x2c | data | English | United States | 0.5227272727272727
RT_STRING | 0x111d1c | 0x42 | data | English | United States | 0.6060606060606061
RT_ACCELERATOR | 0x111d60 | 0x50 | data | English | United States | 0.8
RT_RCDATA | 0x111db0 | 0xf7ece | Delphi compiled form 'TfPNGMessage' | | | 0.22542053092953043
RT_GROUP_CURSOR | 0x209c80 | 0x22 | Lotus unknown worksheet or configuration, revision 0x2 | English | United States | 1.0294117647058822
RT_GROUP_CURSOR | 0x209ca4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x209cb8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x209ccc | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x209ce0 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x209cf4 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x209d08 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x209d1c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x209d30 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x209d44 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x209d58 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x209d6c | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x209d80 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x209d94 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_CURSOR | 0x209da8 | 0x14 | Lotus unknown worksheet or configuration, revision 0x1 | English | United States | 1.3
RT_GROUP_ICON | 0x209dbc | 0x22 | data | English | United States | 1.0
RT_VERSION | 0x209de0 | 0x32c | data | English | United States | 0.4248768472906404
RT_ANIICON | 0x20a10c | 0x2dc73 | PC bitmap, Windows 3.x format, 24050 x 2 x 46, image size 188176, cbSize 187507, bits offset 54 | | | 0.679739956374962
RT_ANIICON | 0x237d80 | 0x4acfc | PC bitmap, Windows 3.x format, 39057 x 2 x 32, image size 307263, cbSize 306428, bits offset 54 | | | 0.7979003224248437
DLL | Import
KERNEL32.dll | VirtualQuery, RtlUnwind, ExitProcess, TerminateProcess, GetStartupInfoA, GetCommandLineA, GetSystemTimeAsFileTime, SetEnvironmentVariableA, ExitThread, CreateThread, HeapReAlloc, SetStdHandle, GetFileType, HeapSize, HeapDestroy, HeapCreate, VirtualFree, IsBadWritePtr, QueryPerformanceCounter, GetTickCount, GetCurrentProcessId, GetSystemInfo, GetStringTypeW, GetStdHandle, UnhandledExceptionFilter, FreeEnvironmentStringsA, GetEnvironmentStrings, FreeEnvironmentStringsW, GetEnvironmentStringsW, SetHandleCount, GetTimeZoneInformation, GetUserDefaultLCID, EnumSystemLocalesA, IsValidLocale, IsValidCodePage, LCMapStringA, LCMapStringW, SetUnhandledExceptionFilter, IsBadReadPtr, IsBadCodePtr, GetLocaleInfoW, VirtualAlloc, VirtualProtect, HeapFree, HeapAlloc, FileTimeToSystemTime, GetOEMCP, GetCPInfo, TlsFree, LocalReAlloc, TlsSetValue, TlsAlloc, TlsGetValue, EnterCriticalSection, GlobalHandle, GlobalReAlloc, LeaveCriticalSection, InterlockedIncrement, WritePrivateProfileStringA, GlobalFlags, DeleteCriticalSection, InitializeCriticalSection, RaiseException, GetFullPathNameA, DuplicateHandle, GetFileSize, SetEndOfFile, UnlockFile, LockFile, FlushFileBuffers, SetFilePointer, WriteFile, ReadFile, InterlockedDecrement, GlobalGetAtomNameA, GlobalFindAtomA, lstrcatA, lstrcmpW, WaitForSingleObject, ResumeThread, GlobalAddAtomA, MulDiv, lstrcpynA, GetCurrentThreadId, GlobalAlloc, GlobalDeleteAtom, lstrcmpA, GetModuleFileNameA, ConvertDefaultLocale, EnumResourceLanguagesA, lstrcpyA, GlobalLock, GlobalUnlock, GlobalFree, FreeResource, GetThreadLocale, GetLocaleInfoA, GetACP, CreateFileA, GetFileTime, DosDateTimeToFileTime, LocalFileTimeToFileTime, SetFileTime, FileTimeToLocalFileTime, SetErrorMode, CreateDirectoryA, RemoveDirectoryA, CreateProcessA, GetExitCodeProcess, GetSystemDirectoryA, GetWindowsDirectoryA, GetTempPathA, LocalAlloc, GetCurrentProcess, GetVersionExA, GetCurrentThread, SetThreadPriority, GetLogicalDrives, GetDriveTypeA, GetShortPathNameA, FormatMessageA, LocalFree, GetDiskFreeSpaceA, SetLastError, GetVolumeInformationA, GetUserDefaultLangID, DeleteFileA, CopyFileA, SetFileAttributesA, GetFileAttributesA, FindFirstFileA, FindNextFileA, FindClose, FindResourceExA, CreateToolhelp32Snapshot, Process32First, Process32Next, CloseHandle, SetCurrentDirectoryA, GetModuleHandleA, GetCurrentDirectoryA, LoadLibraryA, GetProcAddress, FreeLibrary, Sleep, FindResourceA, LoadResource, LockResource, SizeofResource, CompareStringW, CompareStringA, lstrlenA, lstrcmpiA, GetVersion, GetLastError, WideCharToMultiByte, MultiByteToWideChar, GetStringTypeA, InterlockedExchange
USER32.dll | GetMenuItemInfoA, InflateRect, GetSysColorBrush, LoadMenuA, DestroyMenu, UnpackDDElParam, ReuseDDElParam, ReleaseCapture, LoadAcceleratorsA, InvalidateRect, InsertMenuItemA, CreatePopupMenu, SetRectEmpty, BringWindowToTop, SetMenu, TranslateAcceleratorA, EndPaint, BeginPaint, GetWindowDC, ReleaseDC, GetDC, ClientToScreen, GrayStringA, DrawTextExA, DrawTextA, TabbedTextOutA, FillRect, RegisterWindowMessageA, WinHelpA, GetCapture, CreateWindowExA, GetClassLongA, GetClassInfoExA, GetClassNameA, SetPropA, GetPropA, RemovePropA, GetForegroundWindow, BeginDeferWindowPos, EndDeferWindowPos, GetTopWindow, UnhookWindowsHookEx, GetMessageTime, GetMessagePos, LoadIconA, MapWindowPoints, TrackPopupMenu, SetForegroundWindow, UpdateWindow, GetClientRect, GetMenu, GetSysColor, ScreenToClient, EqualRect, DeferWindowPos, GetClassInfoA, RegisterClassA, UnregisterClassA, CallWindowProcA, OffsetRect, IntersectRect, IsIconic, GetWindowPlacement, GetWindowRect, CopyRect, PtInRect, GetWindow, GetWindowTextA, SetWindowPos, SetFocus, ShowWindow, SetWindowLongA, GetDlgCtrlID, SetWindowTextA, IsDialogMessageA, SendDlgItemMessageA, SetMenuItemBitmaps, GetFocus, ModifyMenuA, EnableMenuItem, CheckMenuItem, GetMenuCheckMarkDimensions, LoadBitmapA, SetWindowsHookExA, CallNextHookEx, GetMessageA, IsWindowVisible, GetKeyState, GetCursorPos, ValidateRect, GetLastActivePopup, ShowOwnedPopups, SetCursor, GetMenuState, GetMenuItemID, GetMenuItemCount, GetSubMenu, PostMessageA, PostQuitMessage, GetDesktopWindow, GetActiveWindow, SetActiveWindow, GetSystemMetrics, CreateDialogIndirectParamA, AdjustWindowRectEx, DestroyWindow, IsWindow, GetWindowLongA, GetDlgItem, IsWindowEnabled, GetParent, GetNextDlgTabItem, SendMessageA, EndDialog, PeekMessageA, TranslateMessage, DispatchMessageA, wsprintfA, ExitWindowsEx, SystemParametersInfoA, DefWindowProcA, LoadImageA, MessageBoxA, LoadCursorA, EnableWindow, CharUpperA
GDI32.dll | TextOutA, RectVisible, PtVisible, BitBlt, DeleteObject, CreateFontIndirectA, GetTextExtentPoint32A, CreateCompatibleBitmap, CreateSolidBrush, GetStockObject, CreateCompatibleDC, CreatePatternBrush, DeleteDC, ScaleWindowExtEx, SetWindowExtEx, ScaleViewportExtEx, SetViewportExtEx, OffsetViewportOrgEx, SetViewportOrgEx, SelectObject, Escape, GetPixel, GetDeviceCaps, SetMapMode, SetBkMode, RestoreDC, SaveDC, GetObjectA, SetBkColor, SetTextColor, GetClipBox, CreateBitmap, ExtTextOutA
comdlg32.dll | GetFileTitleA
WINSPOOL.DRV | OpenPrinterA, DocumentPropertiesA, ClosePrinter
ADVAPI32.dll | RegEnumKeyExA, LookupPrivilegeValueA, OpenProcessToken, FreeSid, RevertToSelf, AccessCheck, IsValidSecurityDescriptor, SetSecurityDescriptorOwner, SetSecurityDescriptorGroup, SetSecurityDescriptorDacl, AddAccessAllowedAce, RegQueryValueA, RegEnumKeyA, RegOpenKeyA, RegCreateKeyExA, RegSetValueExA, AdjustTokenPrivileges, RegDeleteKeyA, RegQueryValueExA, RegCloseKey, RegOpenKeyExA, ImpersonateSelf, OpenThreadToken, AllocateAndInitializeSid, InitializeSecurityDescriptor, GetLengthSid, InitializeAcl
SHELL32.dll | DragFinish, DragQueryFileA, ShellExecuteA
COMCTL32.dll | ImageList_Draw, ImageList_GetImageInfo, ImageList_Destroy
SHLWAPI.dll | PathFindFileNameA, PathStripToRootA, PathFindExtensionA, PathIsUNCA
ole32.dll | CoUninitialize, CoCreateInstance, CoInitialize
OLEAUT32.dll | VariantClear, VariantInit, VariantChangeType
VERSION.dll | GetFileVersionInfoA, VerQueryValueA, GetFileVersionInfoSizeA
Language of compilation system | Country where language is spoken
English | United States
Chinese | Taiwan
Czech | Czech Republic
Danish | Denmark
German | Germany
Greek | Greece
Finnish | Finland
French | France
Hebrew | Israel
Hungarian | Hungary
Italian | Italy
Japanese | Japan
Korean | North Korea
Korean | South Korea
Dutch | Netherlands
Norwegian | Norway
Polish | Poland
Portuguese | Brazil
Russian | Russia
Swedish | Sweden
Thai | Thailand
Chinese | China
Portuguese | Portugal
English | Canada
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-12-12T17:52:16.783769+0100 | 2032776 | ET MALWARE Remcos 3.x Unencrypted Checkin | 1 | 192.168.2.9 | 49709 | 181.131.217.244 | 30201 | TCP
2024-12-12T17:52:27.054987+0100 | 2032777 | ET MALWARE Remcos 3.x Unencrypted Server Response | 1 | 181.131.217.244 | 30201 | 192.168.2.9 | 49709 | TCP
2024-12-12T17:52:28.865468+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.9 | 49710 | 178.237.33.50 | 80 | TCP
2024-12-12T17:54:31.751110+0100 | 2032777 | ET MALWARE Remcos 3.x Unencrypted Server Response | 1 | 181.131.217.244 | 30201 | 192.168.2.9 | 49709 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Dec 12, 2024 17:52:16.461904049 CET | 61656 | 53 | 192.168.2.9 | 1.1.1.1
Dec 12, 2024 17:52:16.626835108 CET | 53 | 61656 | 1.1.1.1 | 192.168.2.9
Dec 12, 2024 17:52:27.345009089 CET | 49222 | 53 | 192.168.2.9 | 1.1.1.1
Dec 12, 2024 17:52:27.482811928 CET | 53 | 49222 | 1.1.1.1 | 192.168.2.9
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Dec 12, 2024 17:52:16.461904049 CET | 192.168.2.9 | 1.1.1.1 | 0x6000 | Standard query (0) | navegacionseguracol24vip.org | A (IP address) | IN (0x0001) | false
Dec 12, 2024 17:52:27.345009089 CET | 192.168.2.9 | 1.1.1.1 | 0xe2f4 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Dec 12, 2024 17:52:16.626835108 CET | 1.1.1.1 | 192.168.2.9 | 0x6000 | No error (0) | navegacionseguracol24vip.org | | 181.131.217.244 | A (IP address) | IN (0x0001) | false
Dec 12, 2024 17:52:27.482811928 CET | 1.1.1.1 | 192.168.2.9 | 0xe2f4 | No error (0) | geoplugin.net | | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                                      • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.9 | 49710 | 178.237.33.50 | 80 | 3348 | C:\Users\user\Desktop\IXCbn4ZcdS.exe
Timestamp | Bytes transferred | Direction | Data

Dec 12, 2024 17:52:27.607939005 CET | 71 | OUT |
GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache

Dec 12, 2024 17:52:28.865305901 CET | 1171 | IN |
HTTP/1.1 200 OK
date: Thu, 12 Dec 2024 16:52:28 GMT
server: Apache
content-length: 963
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
                                                      Data Ascii: { "geoplugin_request":"8.46.123.189", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7503", "geoplugin_longitude":"-74.0014", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":null, "geoplugin_currencySymbol_UTF8":"", "geoplugin_currencyConverter":0}
Target ID: 0
Start time: 11:51:54
Start date: 12/12/2024
Path: C:\Users\user\Desktop\IXCbn4ZcdS.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\IXCbn4ZcdS.exe"
Imagebase: 0x400000
File size: 2'457'600 bytes
MD5 hash: B1A62F3FD3A9A4A06C6BBFFBB1CBB463
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.1650019041.0000000002300000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1650019041.0000000002300000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1650019041.0000000002300000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1650019041.0000000002300000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000000.00000002.1650019041.0000000002300000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000000.00000002.1650019041.0000000002300000.00000004.00001000.00020000.00000000.sdmp, Author: ditekSHen
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.1650078049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.1650078049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.1650078049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.1650078049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000000.00000002.1650078049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000000.00000002.1650078049.00000000023D0000.00000040.00001000.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: true

Target ID: 5
Start time: 11:52:15
Start date: 12/12/2024
Path: C:\Users\user\Desktop\IXCbn4ZcdS.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\IXCbn4ZcdS.exe"
Imagebase: 0x400000
File size: 2'457'600 bytes
MD5 hash: B1A62F3FD3A9A4A06C6BBFFBB1CBB463
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.3860807197.0000000000A7A000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
• Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
• Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
Reputation: low
Has exited: false


                                                        Execution Graph

                                                        Execution Coverage:0.1%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:0%
                                                        Total number of Nodes:11
                                                        Total number of Limit Nodes:0
                                                        execution_graph 26826 409f31 26827 409f54 ExitProcess 26826->26827 26829 4080e9 26836 408106 26829->26836 26831 4080fd VirtualProtect 26833 4081a1 26831->26833 26834 4083e9 11 API calls 26833->26834 26835 4083e2 26834->26835 26837 408114 VirtualProtect 26836->26837 26839 4081a1 26837->26839 26842 4083e9 11 API calls 26839->26842

                                                        Control-flow Graph

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: 399H$E$P$c$e$i$o$r$s$s$t$x
                                                        • API String ID: 544645111-3789106708
                                                        • Opcode ID: 43206fe41488ad031f622006b41499216d29d0ecdbb3ff78eb01a6a16fb295d2
                                                        • Instruction ID: 38d25b97abc0fdd7968672db8507cd493926007688e18ba7c44a39884afd6b99
                                                        • Opcode Fuzzy Hash: 43206fe41488ad031f622006b41499216d29d0ecdbb3ff78eb01a6a16fb295d2
                                                        • Instruction Fuzzy Hash: 6D8125B2E082549EF7208A25DC48BEBBB74EB81314F0541FED44C6B681D67D6AC5CB62

                                                        Control-flow Graph

                                                        control_flow_graph 37 406d2e-407055 39 407057-407093 37->39 40 407098-4070f6 37->40 44 40817a-40819f VirtualProtect 39->44 41 4070f8-407136 40->41 42 40713b-407150 40->42 45 40762a-407631 41->45 46 407152-40715e 42->46 47 407163-407190 call 407180 42->47 48 4081a1-4081d3 44->48 49 4081d8-40820a 44->49 50 4076d3-4076da 45->50 51 407637-407690 45->51 46->45 47->45 53 4082eb-4083e8 call 4083e9 48->53 49->53 50->44 51->50 60 407692-4076ce 51->60 60->44
                                                        APIs
                                                        • VirtualProtect.KERNELBASE(?,?,00000040,?,?,004080DE,?,00000001,00000000,00000001,00000000,?,?), ref: 00408197
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: E$P$Windows 95$c$e$i$o$r$s$s$t$x
                                                        • API String ID: 544645111-2803789783
                                                        • Opcode ID: 18730e60704af009397957e80dff91851da5fab9260961b91c4a36c10b714317
                                                        • Instruction ID: 413f532470e409d3223245e6e942a579086a622ea65dfde013636038b9eb64ca
                                                        • Opcode Fuzzy Hash: 18730e60704af009397957e80dff91851da5fab9260961b91c4a36c10b714317
                                                        • Instruction Fuzzy Hash: 298128B2D081649FF7208624DC48BEB7B78EB91310F0580FAD94D66681D27D5FC68FA6

                                                        Control-flow Graph

                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: <GA3$E$P$c$e$i$o$r$s$s$t$x
                                                        • API String ID: 544645111-2107300711
                                                        • Opcode ID: a9e9adeb33584389557fe3907835879e72b5bcb104c6e5b686ee7f825c6fcdd5
                                                        • Instruction ID: fac7f11215e0dacb6d4be7fc2ad1b74564d0fac7eb39329dc7606b0e1037614c
                                                        • Opcode Fuzzy Hash: a9e9adeb33584389557fe3907835879e72b5bcb104c6e5b686ee7f825c6fcdd5
                                                        • Instruction Fuzzy Hash: 625145B2E082949AF3208629DC48BDB7B759BC2704F0541FED44C6B681D27D6BC68B62

                                                        Control-flow Graph

                                                        control_flow_graph 272 40721e-40723d 274 407282-40734f 272->274 275 40723f-40727d 272->275 278 407355-40744b call 4073d0 274->278 279 40761e-407624 274->279 282 40762a-407631 275->282 297 407451-40745e 278->297 298 4074d9-407524 278->298 279->282 284 4076d3-4076da 282->284 285 407637-407690 282->285 286 40817a-40819f VirtualProtect 284->286 285->284 294 407692-4076ce 285->294 288 4081a1-4081d3 286->288 289 4081d8-40820a 286->289 292 4082eb-4083e8 call 4083e9 288->292 289->292 294->286 297->298 304 407460-40747a call 40747b 297->304 301 407535-407586 298->301 302 407526-407530 298->302 307 407594-4075c6 call 4075b0 301->307 308 407588-407592 301->308 306 4075d0-4075d7 302->306 304->279 312 407619 306->312 313 4075d9-40760e call 407607 306->313 307->306 308->306 312->312
                                                        APIs
                                                        • VirtualProtect.KERNELBASE(?,?,00000040,?,?,004080DE,?,00000001,00000000,00000001,00000000,?,?), ref: 00408197
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: E$P$c$e$i$o$r$s$s$t$x
                                                        • API String ID: 544645111-3128998556
                                                        • Opcode ID: 715d97dbd1c8bc1b415f4b04c8fb44841eaec6216c3e3215001531c67bf9d388
                                                        • Instruction ID: 3442637705896c69c1099649af46c067d0ca3046a17f98b3f1b75ee53bee1da3
                                                        • Opcode Fuzzy Hash: 715d97dbd1c8bc1b415f4b04c8fb44841eaec6216c3e3215001531c67bf9d388
                                                        • Instruction Fuzzy Hash: 25A148B2D041149BF7248A18DC44FEB7B78EB80310F1481FEDA4D67680D67D6FC68AA6
                                                        APIs
                                                        • VirtualProtect.KERNELBASE(?,?,00000040,?,?,004080DE,?,00000001,00000000,00000001,00000000,?,?), ref: 00408197
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: E$P$c$e$i$o$r$s$s$t$x
                                                        • API String ID: 544645111-3128998556
                                                        • Opcode ID: 7aa3946d40d73112227e062bbc49828eefba405d6b6528203563c195bd534ee6
                                                        • Instruction ID: 185b5a7743c5e82113e5136b5fe76699095a0cfb95583e7a028b2123d05a126e
                                                        • Opcode Fuzzy Hash: 7aa3946d40d73112227e062bbc49828eefba405d6b6528203563c195bd534ee6
                                                        • Instruction Fuzzy Hash: 569136B2E082949EF3208625DC54BEB7B78DBC2314F1541FED44D6B581C27D6AC68B63

                                                        Control-flow Graph

                                                        control_flow_graph 321 407754-4077ca 324 40780a-40783f call 407838 321->324 325 4077cc-407805 321->325 330 407b96-407c4f call 407be2 324->330 325->330 335 407c51-407c8f call 407c71 330->335 336 407c94-407ca6 330->336 340 40816e-40819f VirtualProtect 335->340 337 407ca8-407cb4 336->337 338 407cb9-407d0a call 407cc9 336->338 337->340 347 407d0c-407d2b call 407d2e 338->347 348 407d4f-407d7c call 407d7d 338->348 345 4081a1-4081d3 340->345 346 4081d8-40820a 340->346 349 4082eb-4083e8 call 4083e9 345->349 346->349 347->340
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: E$P$c$e$i$o$r$s$s$t$x
                                                        • API String ID: 544645111-3128998556
                                                        • Opcode ID: 3fa6522d4e31963c848963d780d4f8139eec9ecda985a9a22eac8212943d30d9
                                                        • Instruction ID: 435c5e8b1c3b6ec31127b89dc1fda6fb23582743a7e4104e37281de996172447
                                                        • Opcode Fuzzy Hash: 3fa6522d4e31963c848963d780d4f8139eec9ecda985a9a22eac8212943d30d9
                                                        • Instruction Fuzzy Hash: 457157B2E081549EF3208629DC48BEB7B79EBC1714F1541FED44CA7681D27C6BC68A63

                                                        Control-flow Graph (graph image omitted; basic blocks 407728-4083e8, VirtualProtect called from block 40816e-40819f)
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: E$P$c$e$i$o$r$s$s$t$x
                                                        • API String ID: 0-3128998556

                                                        Control-flow Graph (graph image omitted; basic blocks 407788-4083e8, VirtualProtect called from block 40816e-40819f)
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: E$P$c$e$i$o$r$s$s$t$x
                                                        • API String ID: 544645111-3128998556

                                                        Control-flow Graph (graph image omitted; basic blocks 407ab1-4083e8, VirtualProtect called from block 40816e-40819f)
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: E$P$c$e$i$o$r$s$s$t$x
                                                        • API String ID: 544645111-3128998556
                                                        APIs
                                                        • VirtualProtect.KERNELBASE(?,?,00000040,?,?,004080DE,?,00000001,00000000,00000001,00000000,?,?), ref: 00408197
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: E$P$c$e$i$o$r$s$s$t$x
                                                        • API String ID: 544645111-3128998556
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: E$P$c$e$i$o$r$s$s$t$x
                                                        • API String ID: 544645111-3128998556
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: E$P$c$e$i$o$r$s$s$t$x
                                                        • API String ID: 544645111-3128998556
                                                        APIs
                                                        • VirtualProtect.KERNELBASE(?,?,00000040,?,?,004080DE,?,00000001,00000000,00000001,00000000,?,?), ref: 00408197
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: E$P$c$e$i$o$r$s$s$t$x
                                                        • API String ID: 544645111-3128998556
                                                        • Opcode ID: 2757f1abd699e07e72b26c7a7ad16a7dab18f1fe60fd99c17b3da33a61c102bd
                                                        • Instruction ID: 28493bb09a7a13251cfcd48612f4968c77ee99bbf498950642f49b6880e49205
                                                        • Opcode Fuzzy Hash: 2757f1abd699e07e72b26c7a7ad16a7dab18f1fe60fd99c17b3da33a61c102bd
                                                        • Instruction Fuzzy Hash: AD4106B2E081A49AF7208629DC48BDBBA759BD2700F0541FED48C6B281D67D1FC5CB66
APIs
• ExitProcess.KERNEL32(00000000,00409AB5,?,00000000,004099CF,00000000,00000001,00000000,?,00409774,?,?,?,?,?,?), ref: 00409F62
Memory Dump Source
• Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: 9dff36b2aa3265fd0d01d69e950f9a77840ec53acd6c4a6188a5a59c0c822d0f
• Instruction ID: 308930e51cde5ef31ee3d1945e25e1d888ac0892d0987f8318f552a58aff471d
• Opcode Fuzzy Hash: 9dff36b2aa3265fd0d01d69e950f9a77840ec53acd6c4a6188a5a59c0c822d0f
• Instruction Fuzzy Hash: BA9105B2D081149AE7248B25DD15BFB7B75EF90310F1441BFD94EB6280EA3C5EC2CA66
APIs
• ExitProcess.KERNEL32(00000000,00409AB5,?,00000000,004099CF,00000000,00000001,00000000,?,00409774,?,?,?,?,?,?), ref: 00409F62
Memory Dump Source
• Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: 75e63db53393a030387f50294760de41d11df0b519ff2eeaf28b3d22a77d8fe6
• Instruction ID: 4778c757d58a76713209075cd10ea6c2df087aee3c186b242ae775579daf6bd6
• Opcode Fuzzy Hash: 75e63db53393a030387f50294760de41d11df0b519ff2eeaf28b3d22a77d8fe6
• Instruction Fuzzy Hash: F59147F2D081149AF7244A14ED55BFB7A38EB90310F2441BFE94E66280DA3D5EC6CA67

Control-flow Graph
control_flow_graph 96 406f1b-407055 call 406f87 105 407057-407093 96->105 106 407098-4070f6 96->106 110 40817a-40819f VirtualProtect 105->110 107 4070f8-407136 106->107 108 40713b-407150 106->108 111 40762a-407631 107->111 112 407152-40715e 108->112 113 407163-407190 call 407180 108->113 114 4081a1-4081d3 110->114 115 4081d8-40820a 110->115 116 4076d3-4076da 111->116 117 407637-407690 111->117 112->111 113->111 119 4082eb-4083e8 call 4083e9 114->119 115->119 116->110 117->116 126 407692-4076ce 117->126 126->110
Strings
Memory Dump Source
• Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
Similarity
• API ID: ProtectVirtual
• String ID: E$P$Windows 95$c$e$i$o$r$s$s$t$x
• API String ID: 544645111-2803789783
• Opcode ID: 590938db7bcb09b86d27c5a26da773cb0375f83c43086793f8998a6cf6d2d370
• Instruction ID: b38ea10d31021031c78aac716d5b3984f8a2b51579dd0fff08dea96d2a11cd17
• Opcode Fuzzy Hash: 590938db7bcb09b86d27c5a26da773cb0375f83c43086793f8998a6cf6d2d370
• Instruction Fuzzy Hash: 765139B2D08154AEF7208625DC48BFB7A78DB81710F0541FEE94D66280D2BD1FCA8B66

Control-flow Graph
control_flow_graph 130 40803f-408068 131 408079-4080ca 130->131 132 40806a-408074 130->132 134 4080d8-4080e8 call 4080e9 131->134 135 4080cc-4080d6 131->135 133 408114-40811b 132->133 137 40815d 133->137 138 40811d-40815b 133->138 134->133 135->133 140 40816e-40819f VirtualProtect 137->140 138->140 142 4081a1-4081d3 140->142 143 4081d8-40820a 140->143 144 4082eb-4083e8 call 4083e9 142->144 143->144
APIs
• VirtualProtect.KERNELBASE(?,?,00000040,?,?,004080DE,?,00000001,00000000,00000001,00000000,?,?), ref: 00408197
Strings
Memory Dump Source
• Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
Similarity
• API ID: ProtectVirtual
• String ID: E$I8G8$P$c$e$i$o$r$s$s$t$x
• API String ID: 544645111-1341723047
• Opcode ID: b78b0b9b40b9e1a15db0c5cc59bb60876e118e79761d38b1d600f8f93269e11b
• Instruction ID: 37bb716bc5b3757506565636399755578f6efe7670953ce8586f0611c5c4801a
• Opcode Fuzzy Hash: b78b0b9b40b9e1a15db0c5cc59bb60876e118e79761d38b1d600f8f93269e11b
• Instruction Fuzzy Hash: 87516AB2E085949AF7208625DC88BEFBB75DBC2300F1581FED48C66681C67D1BC5CB65

Control-flow Graph
control_flow_graph 150 406f87-407055 152 407057-407093 150->152 153 407098-4070f6 150->153 157 40817a-40819f VirtualProtect 152->157 154 4070f8-407136 153->154 155 40713b-407150 153->155 158 40762a-407631 154->158 159 407152-40715e 155->159 160 407163-407190 call 407180 155->160 161 4081a1-4081d3 157->161 162 4081d8-40820a 157->162 163 4076d3-4076da 158->163 164 407637-407690 158->164 159->158 160->158 166 4082eb-4083e8 call 4083e9 161->166 162->166 163->157 164->163 173 407692-4076ce 164->173 173->157
APIs
• VirtualProtect.KERNELBASE(?,?,00000040,?,?,004080DE,?,00000001,00000000,00000001,00000000,?,?), ref: 00408197
Strings
Memory Dump Source
• Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
Similarity
• API ID: ProtectVirtual
• String ID: E$P$Windows 95$c$e$i$o$r$s$s$t$x
• API String ID: 544645111-2803789783
• Opcode ID: 1f20d44a77446ac32e895576fb26f4add1adb955603bce4faa4b769ea936c690
• Instruction ID: 75591dcd9e145e401ceb2422f0c2f89caea3d4af7aa64d39be672d9fa122fde0
• Opcode Fuzzy Hash: 1f20d44a77446ac32e895576fb26f4add1adb955603bce4faa4b769ea936c690
• Instruction Fuzzy Hash: 1B41F8A2D081949AF7204225DC48BEB7A78DB81710F0541FED54D66680D6BD1FC9CBB6

                                                        Control-flow Graph

                                                        • Executed
                                                        • Not Executed
                                                        control_flow_graph 177 406c97-407055 180 407057-407093 177->180 181 407098-4070f6 177->181 185 40817a-40819f VirtualProtect 180->185 182 4070f8-407136 181->182 183 40713b-407150 181->183 186 40762a-407631 182->186 187 407152-40715e 183->187 188 407163-407190 call 407180 183->188 189 4081a1-4081d3 185->189 190 4081d8-40820a 185->190 191 4076d3-4076da 186->191 192 407637-407690 186->192 187->186 188->186 194 4082eb-4083e8 call 4083e9 189->194 190->194 191->185 192->191 201 407692-4076ce 192->201 201->185
                                                        APIs
                                                        • VirtualProtect.KERNELBASE(?,?,00000040,?,?,004080DE,?,00000001,00000000,00000001,00000000,?,?), ref: 00408197
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: E$P$Windows 95$c$e$i$o$r$s$s$t$x
                                                        • API String ID: 544645111-2803789783

                                                        Control-flow Graph (rendered graph omitted; node list not reproduced)
                                                        APIs
                                                        • VirtualProtect.KERNELBASE(?,?,00000040,?,?,004080DE,?,00000001,00000000,00000001,00000000,?,?), ref: 00408197
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: E$P$Windows 95$c$e$i$o$r$s$s$t$x
                                                        • API String ID: 544645111-2803789783

                                                        Control-flow Graph (rendered graph omitted; node list not reproduced)
                                                        APIs
                                                        • VirtualProtect.KERNELBASE(?,?,00000040,?,?,004080DE,?,00000001,00000000,00000001,00000000,?,?), ref: 00408197
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: E$P$Windows 95$c$e$i$o$r$s$s$t$x
                                                        • API String ID: 544645111-2803789783

                                                        Control-flow Graph (rendered graph omitted; node list not reproduced)
                                                        APIs
                                                        • VirtualProtect.KERNELBASE(?,?,00000040,?,?,004080DE,?,00000001,00000000,00000001,00000000,?,?), ref: 00408197
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: E$P$Windows 95$c$e$i$o$r$s$s$t$x
                                                        • API String ID: 544645111-2803789783
                                                        APIs
                                                        • VirtualProtect.KERNELBASE(?,?,00000040,?,?,004080DE,?,00000001,00000000,00000001,00000000,?,?), ref: 00408197
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: E$P$c$e$i$o$r$s$s$t$x
                                                        • API String ID: 544645111-3128998556
                                                        APIs
                                                        • VirtualProtect.KERNELBASE(?,?,00000040,?,?,004080DE,?,00000001,00000000,00000001,00000000,?,?), ref: 00408197
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: E$P$c$e$i$o$r$s$s$t$x
                                                        • API String ID: 544645111-3128998556
                                                        APIs
                                                        • VirtualProtect.KERNELBASE(?,?,00000040,?,?,004080DE,?,00000001,00000000,00000001,00000000,?,?), ref: 00408197
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: E$P$c$e$i$o$r$s$s$t$x
                                                        • API String ID: 544645111-3128998556
                                                        APIs
                                                        • VirtualProtect.KERNELBASE(?,?,00000040,?,?,004080DE,?,00000001,00000000,00000001,00000000,?,?), ref: 00408197
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: E$P$c$e$i$o$r$s$s$t$x
                                                        • API String ID: 544645111-3128998556
                                                        • Opcode ID: 8f600a49dddd7d5da40a2b4eb67c6dd2d4a7961c77baf26ab6ad6f18cc688997
                                                        • Instruction ID: 4be1fa8afe1e2e9d2b18454e96a86ee9b223c8053411e7517106462fcad132dc
                                                        • Opcode Fuzzy Hash: 8f600a49dddd7d5da40a2b4eb67c6dd2d4a7961c77baf26ab6ad6f18cc688997
                                                        • Instruction Fuzzy Hash: DA412CB2D081649EF7208628DC48FEB7A79DB81310F0581FED54D66680D6BD1FC58BA6
                                                        APIs
                                                        • VirtualProtect.KERNELBASE(?,?,00000040,?,?,004080DE,?,00000001,00000000,00000001,00000000,?,?), ref: 00408197
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: E$P$c$e$i$o$r$s$s$t$x
                                                        • API String ID: 544645111-3128998556
                                                        • Opcode ID: ef0931a7e133837df6e4e096026689313b2805aeb9d48d3c625dad01b1bd4930
                                                        • Instruction ID: 42c9bc6a1c81bb88537da86b453645e5973ee831312e86e67a7c779aa1391e56
                                                        • Opcode Fuzzy Hash: ef0931a7e133837df6e4e096026689313b2805aeb9d48d3c625dad01b1bd4930
                                                        • Instruction Fuzzy Hash: 39411BB2D081649EF7208628DC48FEB7A799B81310F0581FED54D66680D6BD1FC9CBA6
                                                        APIs
                                                        • VirtualProtect.KERNELBASE(?,?,00000040,?,?,004080DE,?,00000001,00000000,00000001,00000000,?,?), ref: 00408197
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: E$P$c$e$i$o$r$s$s$t$x
                                                        • API String ID: 544645111-3128998556
                                                        • Opcode ID: 26c519d873233a4d0d5d721433aaf733733eba2bbf483187baa96706ea7f22f2
                                                        • Instruction ID: bfb3df06d69a698ddd954c895b999c52a7ec474b3132516ae6cf7ad8d1331857
                                                        • Opcode Fuzzy Hash: 26c519d873233a4d0d5d721433aaf733733eba2bbf483187baa96706ea7f22f2
                                                        • Instruction Fuzzy Hash: FC412BB2D081649EF7208628DC48FEB7A799B81310F0581FED54D66680D6BD1FC9CBA6
                                                        APIs
                                                        • VirtualProtect.KERNELBASE(?,?,00000040,?,?,004080DE,?,00000001,00000000,00000001,00000000,?,?), ref: 00408197
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: E$P$c$e$i$o$r$s$s$t$x
                                                        • API String ID: 544645111-3128998556
                                                        • Opcode ID: 1105a2aec770d2f73dfbf45e20c5fbf166c91511fbab31b23fb606ac8059a0d4
                                                        • Instruction ID: 2daeb1c4bd9b642f3e6cb1ba4f0bc4c137517c311bf52e5a0a594632abcabdc1
                                                        • Opcode Fuzzy Hash: 1105a2aec770d2f73dfbf45e20c5fbf166c91511fbab31b23fb606ac8059a0d4
                                                        • Instruction Fuzzy Hash: 0A4128B2E085949EF7208628DC48FEB7A799BC1310F1581FED44D26680D6BD1FC98B76
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: E$P$c$e$i$o$r$s$s$t$x
                                                        • API String ID: 544645111-3128998556
                                                        • Opcode ID: dfe31e9aac41a9fafc4ca6937478921a494d92c1f5aad763249ed46c695fd3b7
                                                        • Instruction ID: 17905b2415c54b4739bf4c9f0478ab1b535efd43b9daa63858a9bfc69e31a27a
                                                        • Opcode Fuzzy Hash: dfe31e9aac41a9fafc4ca6937478921a494d92c1f5aad763249ed46c695fd3b7
                                                        • Instruction Fuzzy Hash: 0841F8B2D085949EF7208628DC48BEB7E759BC1300F0581FED58D26684D6BD1FC98B66
                                                        APIs
                                                        • VirtualProtect.KERNELBASE(?,?,00000040,?,?,004080DE,?,00000001,00000000,00000001,00000000,?,?), ref: 00408197
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: E$P$c$e$i$o$r$s$s$t$x
                                                        • API String ID: 544645111-3128998556
                                                        • Opcode ID: 622c11c36488b7b0fc815c20e0612a526c330ea6de09df617a397ce538d0bf37
                                                        • Instruction ID: 4e0afbce737fe6ce1bb07a8d7fb6bf49e611d8c5befa9690126670a52c126d34
                                                        • Opcode Fuzzy Hash: 622c11c36488b7b0fc815c20e0612a526c330ea6de09df617a397ce538d0bf37
                                                        • Instruction Fuzzy Hash: B64127B2E081949EF7208628DC48BEB7A799BC1710F0581FED54C666C0D6BD1FC98B76
                                                        APIs
                                                        • VirtualProtect.KERNELBASE(?,?,00000040,?,?,004080DE,?,00000001,00000000,00000001,00000000,?,?), ref: 00408197
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: E$P$c$e$i$o$r$s$s$t$x
                                                        • API String ID: 544645111-3128998556
                                                        • Opcode ID: 5a14acfaf202ebdbbb0db28da6003c00b7906ce9419a2738b12e3b6885d50f58
                                                        • Instruction ID: 5fddd4ba94ee4c67957efaa40df84ee3e82fe8ee73bcd79790438bdf31565ee4
                                                        • Opcode Fuzzy Hash: 5a14acfaf202ebdbbb0db28da6003c00b7906ce9419a2738b12e3b6885d50f58
                                                        • Instruction Fuzzy Hash: 3B31FBB2D081A49EF7204624DC48BEB7B759B91700F0541FED58D6A680C6BD1FC5CB76
                                                        APIs
                                                        • VirtualProtect.KERNELBASE(?,?,00000040,?,?,004080DE,?,00000001,00000000,00000001,00000000,?,?), ref: 00408197
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: E$P$c$e$i$o$r$s$s$t$x
                                                        • API String ID: 544645111-3128998556
                                                        • Opcode ID: 290ed81cc1c68d8ca770d455b407cadce161482f1b51a547a4692aadfaca10e5
                                                        • Instruction ID: 97c870b19ccb9590e1d990af06ec14a7943028674483285963b25623027ca596
                                                        • Opcode Fuzzy Hash: 290ed81cc1c68d8ca770d455b407cadce161482f1b51a547a4692aadfaca10e5
                                                        • Instruction Fuzzy Hash: 9C312AB3D085A49AF3204228DC48BEB7E78DB91710F0541FED58D6A5C0C6BD1FC98BA6
                                                        APIs
                                                        • VirtualProtect.KERNELBASE(?,?,00000040,?,?,004080DE,?,00000001,00000000,00000001,00000000,?,?), ref: 00408197
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: same eighteen dump regions as listed under the first Memory Dump Source entry above
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: E$P$c$e$i$o$r$s$s$t$x
                                                        • API String ID: 544645111-3128998556
                                                        • Opcode ID: 122728289fe04c33a8794c9a7e817048808e759840ed7ac608b0cb0780a3f1a0
                                                        • Instruction ID: 38d49bc9a8b522b2bcb9d0137a8ce271faea0aa444cb85206b40a749cf14af44
                                                        • Opcode Fuzzy Hash: 122728289fe04c33a8794c9a7e817048808e759840ed7ac608b0cb0780a3f1a0
                                                        • Instruction Fuzzy Hash: D4312AB2E081949EF7208624DC48BEBBA759BD1710F0541FED58C2A280D2BD1FC98B76
                                                        APIs
                                                        • VirtualProtect.KERNELBASE(?,?,00000040,?,?,004080DE,?,00000001,00000000,00000001,00000000,?,?), ref: 00408197
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: same eighteen dump regions as listed under the first Memory Dump Source entry above
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: E$P$c$e$i$o$r$s$s$t$x
                                                        • API String ID: 544645111-3128998556
                                                        • Opcode ID: 317fea7614f1f1ca7d74209f3cfb4364012c0d11fc53d789aa1993dbaa204bdb
                                                        • Instruction ID: 7f84f9fc913b696c771c7ade096ee5f28fe6fd3effbab18470685b3eedfe3612
                                                        • Opcode Fuzzy Hash: 317fea7614f1f1ca7d74209f3cfb4364012c0d11fc53d789aa1993dbaa204bdb
                                                        • Instruction Fuzzy Hash: 8F3109B2D081A49EF7208624DC48BEBBA749B91700F0581FED58D66280D6BD1FC98B76
                                                        APIs
                                                        • VirtualProtect.KERNELBASE(?,?,00000040,?,?,004080DE,?,00000001,00000000,00000001,00000000,?,?), ref: 00408197
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: same eighteen dump regions as listed under the first Memory Dump Source entry above
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: E$P$c$e$i$o$r$s$s$t$x
                                                        • API String ID: 544645111-3128998556
                                                        • Opcode ID: 8e5962d0908fa1ca1e159c7673a48d7f6a0393574c7fc05fbd2891db30ac9366
                                                        • Instruction ID: 519a5c175071b6e0af1c99dac4b2c6e82248d8f540767c1653a24508e441af13
                                                        • Opcode Fuzzy Hash: 8e5962d0908fa1ca1e159c7673a48d7f6a0393574c7fc05fbd2891db30ac9366
                                                        • Instruction Fuzzy Hash: 5A3108B2E081949EF7208624DC48BEBBA759B91700F0581FED58D26680D6BD1FC98B66
                                                        APIs
                                                        • VirtualProtect.KERNELBASE(?,?,00000040,?,?,004080DE,?,00000001,00000000,00000001,00000000,?,?), ref: 00408197
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: same eighteen dump regions as listed under the first Memory Dump Source entry above
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID: E$P$c$e$i$o$r$s$s$t$x
                                                        • API String ID: 544645111-3128998556
                                                        • Opcode ID: b02eda67e56387f75ebeadb4c7bb072b65b254646fbb0f37290c840cd2736227
                                                        • Instruction ID: 85ded596be40b731aa2e9c4dce230f3e156980d70fac567f2737c7a5adeb5ac3
                                                        • Opcode Fuzzy Hash: b02eda67e56387f75ebeadb4c7bb072b65b254646fbb0f37290c840cd2736227
                                                        • Instruction Fuzzy Hash: 5F313AB2D081A49AF3208224DC48BEB7E789B81704F0541FED58D265C0C6BD1FC9CBB6
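The repeated VirtualProtect.KERNELBASE records above all carry 00000040 in the third stack slot and point at the same call site (ref: 00408197), which is the detail an analyst wants when deciding whether the sample is unpacking or staging code for injection: 0x40 is PAGE_EXECUTE_READWRITE. The following Python is an added example, not part of the Joe Sandbox report or its tooling. It parses API records in the report's "Name.Module(args), ref: addr" layout, reads the image base from the "Offset:" field of the Source File line, and flags every VirtualProtect call whose new protection is writable and executable. It assumes the first three stack slots line up with VirtualProtect's documented lpAddress, dwSize and flNewProtect parameters (the later slots are left uninterpreted); the PAGE_READONLY record in the sample input is constructed for contrast and does not appear in the report.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Win32 memory-protection constants (winnt.h).
PAGE_PROTECTION = {
    0x01: "PAGE_NOACCESS",
    0x02: "PAGE_READONLY",
    0x04: "PAGE_READWRITE",
    0x08: "PAGE_WRITECOPY",
    0x10: "PAGE_EXECUTE",
    0x20: "PAGE_EXECUTE_READ",
    0x40: "PAGE_EXECUTE_READWRITE",
    0x80: "PAGE_EXECUTE_WRITECOPY",
}
# Protections that leave a region both writable and executable (RWX).
WRITABLE_AND_EXECUTABLE = {0x40, 0x80}

# One bullet from an "APIs" list: <api>.<module>(<hex or ?>, ...), ref: <call site>
API_LINE = re.compile(
    r"^\s*•?\s*(?P<api>\w+)\.(?P<module>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]{8})\s*$"
)
# The "Source File" line carries the load address of the dumped image.
IMAGE_BASE = re.compile(r"Offset:\s*(?P<base>[0-9A-Fa-f]{8})")


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[Optional[int]]  # stack slots; None where the report shows "?"
    ref: int                   # virtual address of the call site


def parse_api_line(line: str) -> Optional[ApiCall]:
    """Parse one "APIs" bullet; return None for any other report line."""
    m = API_LINE.match(line)
    if m is None:
        return None
    args: List[Optional[int]] = []
    for slot in m.group("args").split(","):
        slot = slot.strip()
        args.append(None if slot == "?" else int(slot, 16))
    return ApiCall(m.group("api"), m.group("module"), args, int(m.group("ref"), 16))


def parse_image_base(line: str) -> Optional[int]:
    m = IMAGE_BASE.search(line)
    return int(m.group("base"), 16) if m else None


def describe_virtualprotect(call: ApiCall, image_base: int) -> Optional[dict]:
    """Decode a VirtualProtect record. Assumption: slots 0..2 are lpAddress,
    dwSize, flNewProtect; anything after that is ignored."""
    if call.api != "VirtualProtect" or len(call.args) < 3:
        return None
    new_protect = call.args[2]
    if new_protect is None:
        name = "unresolved"
    else:
        name = PAGE_PROTECTION.get(new_protect, "unknown")
    return {
        "call_site": call.ref,
        "call_site_rva": call.ref - image_base,  # RVA inside the dumped PE
        "new_protect": new_protect,
        "protection": name,
        "rwx": new_protect in WRITABLE_AND_EXECUTABLE,
    }


def triage(report_lines: List[str]) -> List[dict]:
    """Find the image base, then decode every VirtualProtect record."""
    image_base = next((b for b in map(parse_image_base, report_lines) if b is not None), 0)
    findings = []
    for line in report_lines:
        call = parse_api_line(line)
        if call is None:
            continue
        info = describe_virtualprotect(call, image_base)
        if info is not None:
            findings.append(info)
    return findings


def rwx_findings(report_lines: List[str]) -> List[dict]:
    return [f for f in triage(report_lines) if f["rwx"]]


# Constructed sample: the two API records from the report, plus an invented
# PAGE_READONLY call (not in the report) to show a benign transition is not flagged.
SAMPLE_REPORT_LINES = [
    "APIs",
    "• VirtualProtect.KERNELBASE(?,?,00000040,?,?,004080DE,?,00000001,00000000,00000001,00000000,?,?), ref: 00408197",
    "• VirtualProtect.KERNELBASE(?,?,00000002,?), ref: 00401234",
    "• ExitProcess.KERNEL32(00000000,00409AB5,?,00000000,004099CF,00000000,00000001,00000000,?,00409774,?,?,?,?,?,?), ref: 00409F62",
    "Memory Dump Source",
    "• Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_REPORT_LINES):
        flag = "RWX" if f["rwx"] else "ok"
        print(f"VirtualProtect @ {f['call_site']:08X} (RVA {f['call_site_rva']:06X}): {f['protection']} [{flag}]")
```

Running it over the sample reports the 0x40 transition at RVA 0x8197 as RWX and leaves the constructed PAGE_READONLY call unflagged; the ExitProcess record parses but produces no finding. The RVA is what you would look up in the section table of the dumped PE to find the code that performs the transition.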
                                                        APIs
                                                        • ExitProcess.KERNEL32(00000000,00409AB5,?,00000000,004099CF,00000000,00000001,00000000,?,00409774,?,?,?,?,?,?), ref: 00409F62
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: same eighteen dump regions as listed under the first Memory Dump Source entry above
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ExitProcess
                                                        • String ID: IMYW
                                                        • API String ID: 621844428-560788594
                                                        • Opcode ID: 91fca93e232f5a142b350f21dc48b4313640b9d638f59818050897fc735935bf
                                                        • Instruction ID: 6bf8df40d51dc651192b2a435b9a368a39e6b7a1fa9338d6f7c0c388d015096d
                                                        • Opcode Fuzzy Hash: 91fca93e232f5a142b350f21dc48b4313640b9d638f59818050897fc735935bf
                                                        • Instruction Fuzzy Hash: A5D05EB4E043149BEBE09B15CC897C9B279AF44710F1000F6D40DAB390DB741EC5CE02
                                                        APIs
                                                        • ExitProcess.KERNEL32(00000000,00409AB5,?,00000000,004099CF,00000000,00000001,00000000,?,00409774,?,?,?,?,?,?), ref: 00409F62
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: same eighteen dump regions as listed under the first Memory Dump Source entry above
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ExitProcess
                                                        • String ID:
                                                        • API String ID: 621844428-0
                                                        • Opcode ID: 36dabab7bb31541c53e9836610f050aa1dbfcaf02a1b9cd0ef8be8aa717d8dc0
                                                        • Instruction ID: 1ae60a7881b1b364179879c39034128cca3e3707aef217e22771ddbbaab5dd66
                                                        • Opcode Fuzzy Hash: 36dabab7bb31541c53e9836610f050aa1dbfcaf02a1b9cd0ef8be8aa717d8dc0
                                                        • Instruction Fuzzy Hash: 8241F6B1D082189FF764CA14DC84FEA7779EB84314F1481BADA0E67381D6396EC6CE45
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: fbb70a3003a211bd150f5203780469152a0cbb90c4b97f5ade5965bf32b18fa8
                                                        • Instruction ID: b6587b4d390192cc639d8c130431220fee2a145121828f98f01bf03e862e582b
                                                        • Opcode Fuzzy Hash: fbb70a3003a211bd150f5203780469152a0cbb90c4b97f5ade5965bf32b18fa8
                                                        • Instruction Fuzzy Hash: A1411BB2D081149AE7244B15DD14BFB7A75EF94310F2442BFD94EB6280DB3D0AC6CA6B
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ExitProcess
                                                        • String ID:
                                                        • API String ID: 621844428-0
                                                        • Opcode ID: 69780fd68385e302b9ec6f04992e6b32d98e6a97ccbd11a2ad6a2f3ba9b7b84f
                                                        • Instruction ID: 86ed39f1da81214e07906a5b74c6f8dfc39c435cae42123975cbbd8f9f42f537
                                                        • Opcode Fuzzy Hash: 69780fd68385e302b9ec6f04992e6b32d98e6a97ccbd11a2ad6a2f3ba9b7b84f
                                                        • Instruction Fuzzy Hash: 6641E7B2E081149AE7244A15DD14BFB7674EF94310F2442BFD94EB6280DA3D0AC6CA2A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ExitProcess
                                                        • String ID:
                                                        • API String ID: 621844428-0
                                                        • Opcode ID: 7f1574547a79bb3629e7b5367ee3f4916b41fdb7c28451f20be14210ca812daa
                                                        • Instruction ID: 3bf45a395f64f7ab46083c6cf39a0a1e9d50b3f37c44ab3472cef3ba874d94e0
                                                        • Opcode Fuzzy Hash: 7f1574547a79bb3629e7b5367ee3f4916b41fdb7c28451f20be14210ca812daa
                                                        • Instruction Fuzzy Hash: B631C5B5D08214DAE7244B14DD18BFA7674EF94711F2442BFD94EB6280DB3C0EC6CA6A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ExitProcess
                                                        • String ID:
                                                        • API String ID: 621844428-0
                                                        • Opcode ID: 584a1edb198d167cc20ae4dd76fc8d73ffede193b64a42c6c7ee18398ef4db5e
                                                        • Instruction ID: a67588264b6b127a2c37bf6929f020d59b39ce113c689189fbfdb2674ac02ebf
                                                        • Opcode Fuzzy Hash: 584a1edb198d167cc20ae4dd76fc8d73ffede193b64a42c6c7ee18398ef4db5e
                                                        • Instruction Fuzzy Hash: 1721B6A2D08114DAE7244614DD15BFB7A74EB94710F2442BFE98EB5680DB3C0AC6CA6A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ExitProcess
                                                        • String ID:
                                                        • API String ID: 621844428-0
                                                        • Opcode ID: 984e048f9b4bc749589f173882c88b489c0194f7e2afa50cad667d2cb9b50fc8
                                                        • Instruction ID: b55f3bb8a6401cb1cfc4fdbce46baa0e97eb45f96bc0bd665a7ec50bcbd69e5f
                                                        • Opcode Fuzzy Hash: 984e048f9b4bc749589f173882c88b489c0194f7e2afa50cad667d2cb9b50fc8
                                                        • Instruction Fuzzy Hash: 04210AF2D08118DAE7244610DD15BFB7674EB94710F2442BFD94EB56C0DB3C0AC5CA66
                                                        APIs
                                                        • ExitProcess.KERNEL32(00000000,00409AB5,?,00000000,004099CF,00000000,00000001,00000000,?,00409774,?,?,?,?,?,?), ref: 00409F62
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ExitProcess
                                                        • String ID:
                                                        • API String ID: 621844428-0
                                                        • Opcode ID: 0b68f3621186e5338753d76b6699cb31d92d50c610326ce5f59466cca59bca4c
                                                        • Instruction ID: 88a206ded1c47141e443ad77b7ad60c68d880401b48f3331570113885f7d138a
                                                        • Opcode Fuzzy Hash: 0b68f3621186e5338753d76b6699cb31d92d50c610326ce5f59466cca59bca4c
                                                        • Instruction Fuzzy Hash: F431D4B1D082589FE7649A10DC86BEA7779FB90314F1480BAD44D67381D73C5EC6CE06
                                                        APIs
                                                        • ExitProcess.KERNEL32(00000000,00409AB5,?,00000000,004099CF,00000000,00000001,00000000,?,00409774,?,?,?,?,?,?), ref: 00409F62
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: 31b9f9e0eebacb8c70fa047d99e14dd648a3f1ee84bf00b42f47c4ac6e5415eb
• Instruction ID: 3d49726832c7280e2a091c1b0e810ad3845c7aed96bb8c53bd7103b000e01aaa
• Opcode Fuzzy Hash: 31b9f9e0eebacb8c70fa047d99e14dd648a3f1ee84bf00b42f47c4ac6e5415eb
• Instruction Fuzzy Hash: 1321D6B2D08214DAE7244714DD15BFB7A74EB94710F2442BFD98EB5680D73C0AC5CA5A
APIs
• ExitProcess.KERNEL32(00000000,00409AB5,?,00000000,004099CF,00000000,00000001,00000000,?,00409774,?,?,?,?,?,?), ref: 00409F62
Memory Dump Source
• Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: 44139e2fbcc7d9ab894b31d7567eaecf644682e6884cab746f158ce71aa6b0d9
• Instruction ID: 7ea146a36de07f273f6ca07693dd21ea6da5cac3d01a2d074102c1c3ec72cda0
• Opcode Fuzzy Hash: 44139e2fbcc7d9ab894b31d7567eaecf644682e6884cab746f158ce71aa6b0d9
• Instruction Fuzzy Hash: 8321C7B2D08218DAE7244614DD15BFB7674EB94710F2442BFD94EB56C0DB3C0AC5CA6A
APIs
• ExitProcess.KERNEL32(00000000,00409AB5,?,00000000,004099CF,00000000,00000001,00000000,?,00409774,?,?,?,?,?,?), ref: 00409F62
Memory Dump Source
• Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: e18a2c87d0396a9e5e2f9986d52980b8ac61028297b8aa70c85555d4f71071d3
• Instruction ID: 7a957ef68bf1e376be7a6297077ec8a539399d79158da0c3780265b5abdef0e8
• Opcode Fuzzy Hash: e18a2c87d0396a9e5e2f9986d52980b8ac61028297b8aa70c85555d4f71071d3
• Instruction Fuzzy Hash: 981136F3D08A485FF3104A25ECC87B7362CEB80315F1441BAEA0D55184D63D6FC68926
APIs
• ExitProcess.KERNEL32(00000000,00409AB5,?,00000000,004099CF,00000000,00000001,00000000,?,00409774,?,?,?,?,?,?), ref: 00409F62
Memory Dump Source
• Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: 330996e16487096353cb8fbdee143b48fc8e3d2270c1563760c1a2cf4edc9488
• Instruction ID: 8d8f5c1dedca100cc06ab7826a0850dc57e1466a886daecfc2478a27a82efd28
• Opcode Fuzzy Hash: 330996e16487096353cb8fbdee143b48fc8e3d2270c1563760c1a2cf4edc9488
• Instruction Fuzzy Hash: D11173B2E14114D7E7244601DD04BAAB679ABD0710F2542BFD54E752C0DB7C1BC6CE56
APIs
• ExitProcess.KERNEL32(00000000,00409AB5,?,00000000,004099CF,00000000,00000001,00000000,?,00409774,?,?,?,?,?,?), ref: 00409F62
Memory Dump Source
• Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: 6297a29483af78698f97981f2e7ffe88e3d045efe46cfc4087db475aa399aa6a
• Instruction ID: 1d2d64995a3e2415d7c306ce227768868734c828d7bda945034ac7be7b1ae8db
• Opcode Fuzzy Hash: 6297a29483af78698f97981f2e7ffe88e3d045efe46cfc4087db475aa399aa6a
• Instruction Fuzzy Hash: 82F0E9E2E14604DAF3280600ED09BEB7668E7A0311F2441BFD50EB51C18F3C06C28957
APIs
• ExitProcess.KERNEL32(00000000,00409AB5,?,00000000,004099CF,00000000,00000001,00000000,?,00409774,?,?,?,?,?,?), ref: 00409F62
Memory Dump Source
• Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: cc3c225c7c25b056f98b6d5b8efc916e9ad08b9c046e81f6a3f433f273216572
• Instruction ID: e78a07f34fdf840f2e4740aea2fe1d74b4fa58d6776cc74e2c7ae0b39629d056
• Opcode Fuzzy Hash: cc3c225c7c25b056f98b6d5b8efc916e9ad08b9c046e81f6a3f433f273216572
• Instruction Fuzzy Hash: BDF0A0E2D18604EAF3240610FD19BAB7A68A390710F3502BFE50EB45C08F7D1ACA895B
Memory Dump Source
• Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
Similarity
• API ID: ExitProcess
• String ID:
• API String ID: 621844428-0
• Opcode ID: c0c683260ddb70593ddf58af5770579cb66285591312ac1d6424676197e17a70
• Instruction ID: 47f5bd1fc793850a6d735842eea294007cbb2aa9d5c0d9df1bf4e3560e85122c
• Opcode Fuzzy Hash: c0c683260ddb70593ddf58af5770579cb66285591312ac1d6424676197e17a70
• Instruction Fuzzy Hash: 3EF027E1D082189AE3202650DD08BEB3624A750310F2401BFD58EB55C1CF3C07CB8A57
APIs
• ExitProcess.KERNEL32(00000000,00409AB5,?,00000000,004099CF,00000000,00000001,00000000,?,00409774,?,?,?,?,?,?), ref: 00409F62
Memory Dump Source
• Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ExitProcess
                                                        • String ID:
                                                        • API String ID: 621844428-0
                                                        • Opcode ID: 57cf0466dc40bc510696c697ce0608ad3498f3d2a4b6c39d908e247432385294
                                                        • Instruction ID: d291d3e8e618cbba0818f6201d8dae9c3298b63b9ceaa0caa2779ea024707fd7
                                                        • Opcode Fuzzy Hash: 57cf0466dc40bc510696c697ce0608ad3498f3d2a4b6c39d908e247432385294
                                                        • Instruction Fuzzy Hash: 76F09BE2D18104DAE7680610ED097FB7664E790715F2502BFD14EB45C18F7C0AC6DD5B
                                                        APIs
                                                        • ExitProcess.KERNEL32(00000000,00409AB5,?,00000000,004099CF,00000000,00000001,00000000,?,00409774,?,?,?,?,?,?), ref: 00409F62
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ExitProcess
                                                        • String ID:
                                                        • API String ID: 621844428-0
                                                        APIs
                                                        • ExitProcess.KERNEL32(00000000,00409AB5,?,00000000,004099CF,00000000,00000001,00000000,?,00409774,?,?,?,?,?,?), ref: 00409F62
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ExitProcess
                                                        • String ID:
                                                        • API String ID: 621844428-0
                                                        APIs
                                                        • ExitProcess.KERNEL32(00000000,00409AB5,?,00000000,004099CF,00000000,00000001,00000000,?,00409774,?,?,?,?,?,?), ref: 00409F62
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ExitProcess
                                                        • String ID:
                                                        • API String ID: 621844428-0
                                                        APIs
                                                        • ExitProcess.KERNEL32(00000000,00409AB5,?,00000000,004099CF,00000000,00000001,00000000,?,00409774,?,?,?,?,?,?), ref: 00409F62
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ExitProcess
                                                        • String ID:
                                                        • API String ID: 621844428-0
                                                        APIs
                                                        • ExitProcess.KERNEL32(00000000,00409AB5,?,00000000,004099CF,00000000,00000001,00000000,?,00409774,?,?,?,?,?,?), ref: 00409F62
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ExitProcess
                                                        • String ID:
                                                        • API String ID: 621844428-0
                                                        APIs
                                                        • ExitProcess.KERNEL32(00000000,00409AB5,?,00000000,004099CF,00000000,00000001,00000000,?,00409774,?,?,?,?,?,?), ref: 00409F62
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ExitProcess
                                                        • String ID:
                                                        • API String ID: 621844428-0
                                                        APIs
                                                        • ImpersonateSelf.ADVAPI32(00000002,?,00000000), ref: 00413967
                                                        • GetCurrentThread.KERNEL32 ref: 00413974
                                                        • OpenThreadToken.ADVAPI32(00000000,?,00000000), ref: 0041397B
                                                        • GetLastError.KERNEL32(?,00000000), ref: 00413985
                                                        • GetCurrentProcess.KERNEL32(00000008,?,?,00000000), ref: 0041399C
                                                        • OpenProcessToken.ADVAPI32(00000000,?,00000000), ref: 004139A3
                                                        • AllocateAndInitializeSid.ADVAPI32(00000000,00000002,00000020,00000220,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 004139C8
                                                        • LocalAlloc.KERNEL32(00000040,00000014,?,00000000), ref: 004139DA
                                                        • InitializeSecurityDescriptor.ADVAPI32(00000000,00000001,?,00000000), ref: 004139F0
                                                        • GetLengthSid.ADVAPI32(?,?,00000000), ref: 00413A02
                                                        • LocalAlloc.KERNEL32(00000040,-00000010,?,00000000), ref: 00413A13
                                                        • InitializeAcl.ADVAPI32(00000000,-00000010,00000002,?,00000000), ref: 00413A2A
                                                        • AddAccessAllowedAce.ADVAPI32(00000000,00000002,00000003,?,?,00000000), ref: 00413A48
                                                        • SetSecurityDescriptorDacl.ADVAPI32(00000000,00000001,00000000,00000000,?,00000000), ref: 00413A60
                                                        • SetSecurityDescriptorGroup.ADVAPI32(00000000,?,00000000,?,00000000), ref: 00413A75
                                                        • SetSecurityDescriptorOwner.ADVAPI32(00000000,?,00000000,?,00000000), ref: 00413A82
                                                        • IsValidSecurityDescriptor.ADVAPI32(00000000,?,00000000), ref: 00413A89
                                                        • AccessCheck.ADVAPI32(00000000,?,00000001,?,?,00000014,?,?,?,00000000), ref: 00413AC8
                                                        • GetLastError.KERNEL32(?,00000000), ref: 00413AD2
                                                        Strings
                                                        • AccessCheck() failed with error %lu, xrefs: 00413AD9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: DescriptorSecurity$Initialize$AccessAllocCurrentErrorLastLocalOpenProcessThreadToken$AllocateAllowedCheckDaclGroupImpersonateLengthOwnerSelfValid
                                                        • String ID: AccessCheck() failed with error %lu
                                                        • API String ID: 1643233394-3122912231
                                                        • Opcode ID: 15af52b6dc6585a8aaa5b1198cb4af8417f1577e0f23ce853e5bded0e1c0e001
                                                        • Instruction ID: 6636ee4da2cd74bfd359609ec80115f8e5afcf80bc05880448599f8d891f14b3
                                                        • Opcode Fuzzy Hash: 15af52b6dc6585a8aaa5b1198cb4af8417f1577e0f23ce853e5bded0e1c0e001
                                                        • Instruction Fuzzy Hash: 4D515E75A00208ABEB10DFE5DC89FEFBBB8AF46741F044029F605A6280D7B949458B66
                                                        APIs
                                                        • FindFirstFileA.KERNEL32(?,?), ref: 00409FA9
                                                        • GetFileAttributesA.KERNEL32(?), ref: 0040A018
                                                        • SetFileAttributesA.KERNEL32(?,00000000), ref: 0040A02A
                                                          • Part of subcall function 00414A00: FindFirstFileA.KERNEL32(?,?,?,00000010,00000000), ref: 00414A1D
                                                          • Part of subcall function 00414A00: FindClose.KERNEL32(00000000), ref: 00414A39
                                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040A047
                                                        • FindClose.KERNEL32(00000000), ref: 0040A056
                                                        Strings
                                                        Similarity
                                                        • API ID: FileFind$AttributesCloseFirst$Next
                                                        • String ID: %s\%s$%s\*_inst.exe$Copy %s->%s$Exit runGameSpecificExe$Looking for %s$exec: %s with commandline '%s'$runGameSpecificExe
                                                        • API String ID: 4159923089-1506763675
                                                        • Opcode ID: 3d89df4c8ba5de72e0b1d014a3c5c3c2e34174682b960e6e38db822840ef8679
                                                        • Instruction ID: 34cd60ea916ae71857f91afa4569326679b9dd32d4836ca6244a818079b6b16f
                                                        • Opcode Fuzzy Hash: 3d89df4c8ba5de72e0b1d014a3c5c3c2e34174682b960e6e38db822840ef8679
                                                        • Instruction Fuzzy Hash: 5AA1C9B2108344ABD724DF60CC45FEB73ACEB84704F44492EB98957181DB79A749CB6B
                                                        APIs
                                                        • FindFirstFileA.KERNEL32(?,?,?,?,?,00000000), ref: 004151FB
                                                        • FindClose.KERNEL32(00000000), ref: 00415213
                                                        • GetFileAttributesA.KERNEL32(?), ref: 0041521E
                                                        • SetFileAttributesA.KERNEL32(?,00000000), ref: 00415232
                                                        • SetLastError.KERNEL32(00000000), ref: 0041523A
                                                        • CopyFileA.KERNEL32(?,?,?), ref: 0041524E
                                                        Strings
                                                        Similarity
                                                        • API ID: File$AttributesFind$CloseCopyErrorFirstLast
                                                        • String ID: "%s"$/s /regserver$MyCopyFile$dll$exe$exec: %s /s %s$exec: %s /s /regserver %s$ocx
                                                        • API String ID: 3483889725-3576774900
                                                        • Opcode ID: a9842cc2fa75996446c2c06bb365b31d97e4e3c87d576b8f50e4f66a2e0495f5
                                                        • Instruction ID: 60f35962d690970186fbe8e082cbe82d24c67d20d37591994032dbb9b5c60f80
                                                        • Opcode Fuzzy Hash: a9842cc2fa75996446c2c06bb365b31d97e4e3c87d576b8f50e4f66a2e0495f5
                                                        • Instruction Fuzzy Hash: C5A14871508740BBE320DB60CC45FEB77A8ABC9705F04465EFE8957282DB789984CB6E
                                                        APIs
                                                        • GetCurrentDirectoryA.KERNEL32(00000400,?,004478FC,?,?,00000000,0040A2D1,?,?,?), ref: 00413E61
                                                        • SetCurrentDirectoryA.KERNEL32(?,?,00000000,0040A2D1,?,?,?), ref: 00413E88
                                                        • FindFirstFileA.KERNEL32(?,?,?,00000000,0040A2D1,?,?,?), ref: 00413EA4
                                                        • FindClose.KERNEL32(00000000), ref: 00413EB8
                                                        • SetLastError.KERNEL32(00000000,?,?,00000000,?,?,?,?,00000000,0040A2D1,?,?,?), ref: 00414023
                                                        • CreateProcessA.KERNEL32(?,?,00000000,00000000,00000000,00000030,00000000,00000000,0045E440,0045E484,?,?,00000000), ref: 0041405B
                                                        • GetExitCodeProcess.KERNEL32(?,?), ref: 0041407C
                                                        • Sleep.KERNEL32(00000001,?,?,00000000,?,?,?,?,00000000,0040A2D1,?,?,?), ref: 00414098
                                                        • SetCurrentDirectoryA.KERNEL32(?,?,?,00000000,?,?,?,?,00000000,0040A2D1,?,?,?), ref: 004140DD
                                                        Strings
                                                        Similarity
                                                        • API ID: CurrentDirectory$FindProcess$CloseCodeCreateErrorExitFileFirstLastSleep
                                                        • String ID: "%s"$CreateProcess$Error executing '%s'%s$Exec And Wait
                                                        • API String ID: 3676699910-1096974953
                                                        • Opcode ID: 97510d1b5f28fdf1af1eb816405d9b7a08525e790a7515140d6e5b583087ca42
                                                        • Instruction ID: 0d36562a55edf719c25e91f2d3ffa3eb5e978c8fbce3c5ea020dbcf3caa10d05
                                                        • Opcode Fuzzy Hash: 97510d1b5f28fdf1af1eb816405d9b7a08525e790a7515140d6e5b583087ca42
                                                        • Instruction Fuzzy Hash: 8081E271248341ABD320DF60DC45FEBB7A8EBC5B01F10491EFA8497280DBB99985CB5B
                                                        APIs
                                                        • FindFirstFileA.KERNEL32(?,?,?,00000010,00000000), ref: 00414A1D
                                                        • FindClose.KERNEL32(00000000), ref: 00414A39
                                                        • Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?), ref: 00414B6C
                                                        • Sleep.KERNEL32(000003E8), ref: 00414C0C
                                                        • GetFileAttributesA.KERNEL32(?), ref: 00414C16
                                                        • SetFileAttributesA.KERNEL32(?,00000000), ref: 00414C2A
                                                        • DeleteFileA.KERNEL32(?), ref: 00414C31
                                                        Strings
                                                        Similarity
                                                        • API ID: File$AttributesFindSleep$CloseDeleteFirst
                                                        • String ID: "%s"$/s /UnregServer$/u /s$Remove$dll$exe$exec: %s /s /UnregServer %s$exec: %s /u /s %s$ocx
                                                        • API String ID: 207913334-4138445747
                                                        • Opcode ID: 152e2f66c8f5d76b08d0e1bf8dd724d1967669b5807a21a76f7444537a0a1245
                                                        • Instruction ID: 569dca1f961776a68051f51d760419570266c25ba139ecdaab2e0422a95345d3
                                                        • Opcode Fuzzy Hash: 152e2f66c8f5d76b08d0e1bf8dd724d1967669b5807a21a76f7444537a0a1245
                                                        • Instruction Fuzzy Hash: 345159B12843446BE224EB558C42FEB339CAFD5704F44491EFA88931C2EF7C954987AE
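Added example, not part of this report and not Joe Sandbox code: a small Python triage helper that parses the per-function `API ID` / `String ID` lines the IDA plugin emits (as in the records above) and labels recurring behaviours. The records embedded in it are copied from the four records on this page; the assumption that `API ID` is a `$`-separated list of CamelCase word fragments taken from the called API names is inferred from those records, and every behaviour label (token access check, COM self-registration via `/regserver`, exec-and-wait, file deletion) is this script's own heuristic rather than a verdict from the report.

```python
"""Triage helper for Joe Sandbox IDA-plugin "Similarity" records.

Added example, not part of the report or of Joe Sandbox. The behaviour
labels are heuristics chosen here; they summarise what the API words and
format strings suggest, nothing more.
"""
import re
from dataclasses import dataclass, field

# Constructed from the "API ID" / "String ID" lines of four records on this page.
SAMPLE_RECORDS = """\
API ID: DescriptorSecurity$Initialize$AccessAllocCurrentErrorLastLocalOpenProcessThreadToken$AllocateAllowedCheckDaclGroupImpersonateLengthOwnerSelfValid
String ID: AccessCheck() failed with error %lu
API ID: File$AttributesFind$CloseCopyErrorFirstLast
String ID: "%s"$/s /regserver$MyCopyFile$dll$exe$exec: %s /s %s$exec: %s /s /regserver %s$ocx
API ID: CurrentDirectory$FindProcess$CloseCodeCreateErrorExitFileFirstLastSleep
String ID: "%s"$CreateProcess$Error executing '%s'%s$Exec And Wait
API ID: File$AttributesFindSleep$CloseDeleteFirst
String ID: "%s"$/s /UnregServer$/u /s$Remove$dll$exe$exec: %s /s /UnregServer %s$exec: %s /u /s %s$ocx
"""

# One CamelCase word: capital letter followed by lower-case letters/digits.
_WORD_RE = re.compile(r"[A-Z][a-z0-9]*")


@dataclass
class FunctionRecord:
    api_words: set = field(default_factory=set)   # words seen in the API ID
    strings: list = field(default_factory=list)   # individual format strings
    tags: set = field(default_factory=set)        # heuristic behaviour labels


def split_api_id(value: str) -> set:
    """'File$AttributesFind$CloseCopy' -> {'File','Attributes','Find','Close','Copy'}.

    Assumption (inferred from the records): the plugin concatenates CamelCase
    words from the imported API names and separates tiers with '$'. Only the
    word set is needed for tagging, so tier boundaries are discarded."""
    words = set()
    for tier in value.split("$"):
        words.update(_WORD_RE.findall(tier))
    return words


def split_string_id(value: str) -> list:
    """Format strings are '$'-joined; a literal '$' inside a string would be
    ambiguous, which none of the records on this page exhibit."""
    return [s for s in value.split("$") if s] if value else []


def tag_record(rec: FunctionRecord) -> FunctionRecord:
    """Attach heuristic labels based on API words and format strings."""
    w = rec.api_words
    joined = " \n ".join(rec.strings)
    low = joined.lower()
    # Security-descriptor + token + AccessCheck: the classic "is caller allowed" probe.
    if {"Access", "Check", "Token", "Dacl"} <= w or "AccessCheck()" in joined:
        rec.tags.add("token-access-check")
    # regsvr32-style silent self-registration of dll/ocx/exe components.
    if "/regserver" in low:
        rec.tags.add("com-self-registration")
    if "/unregserver" in low or "/u /s" in low:
        rec.tags.add("com-unregistration")
    # CreateProcess followed by GetExitCodeProcess polling.
    if {"Create", "Process", "Exit", "Code"} <= w or "Exec And Wait" in joined:
        rec.tags.add("exec-and-wait")
    if {"Delete", "File"} <= w:
        rec.tags.add("file-deletion")
    # Command lines assembled from printf-style templates ("exec: %s ...").
    if "exec:" in low and "%s" in joined:
        rec.tags.add("format-built-command-line")
    return rec


def parse_records(text: str) -> list:
    """Walk the text; each 'API ID:' line opens a record, 'String ID:' completes it."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip().lstrip("• ").strip()
        if line.startswith("API ID:"):
            current = FunctionRecord(api_words=split_api_id(line[len("API ID:"):].strip()))
            records.append(current)
        elif line.startswith("String ID:") and current is not None:
            current.strings = split_string_id(line[len("String ID:"):].strip())
    return [tag_record(r) for r in records]


if __name__ == "__main__":
    for i, rec in enumerate(parse_records(SAMPLE_RECORDS)):
        print(f"record {i}: tags={sorted(rec.tags)} strings={rec.strings}")
```

Feed it the `API ID` / `String ID` pairs of a whole report and the tag counts give a quick picture of how much of the binary is installer plumbing (copy, register, exec-and-wait, remove) versus the behaviours that actually drove the detection; a hit on `com-self-registration` together with `format-built-command-line` is a good place to start when pivoting from this static listing to the process tree in the behaviour section.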
                                                        Strings
                                                        Similarity
                                                        • API ID:
                                                        • String ID: Chinese (Simplified)$Chinese (Traditional)$Czech$Danish$Dutch$English UK$English US$Finnish$French$German$Greek$Hebrew$Hungarian$Italian$Japanese$Korean$PortBrzl$Russian$Spanish$Swedish
                                                        • API String ID: 0-733503574
                                                        • Opcode ID: 19592bc6a5c2498cad33296640bab84ca89f9eba67d5babf45a1c1a8358e98fb
                                                        • Instruction ID: 37a5b3b5c5b6eab396eacb203a264361d5579e56741c889a3fa2050163f780a9
                                                        • Opcode Fuzzy Hash: 19592bc6a5c2498cad33296640bab84ca89f9eba67d5babf45a1c1a8358e98fb
                                                        • Instruction Fuzzy Hash: 5981481B3125C08AD769877554602BB7FA2ABAB344B1DC0BFC4886B3A2FE654C47C30D
                                                        APIs
                                                        • FindFirstFileA.KERNEL32(?,?,?,?,runGameSpecificExe,00000000), ref: 0040A0C5
                                                        • FindNextFileA.KERNEL32(00000000,?,?,?,runGameSpecificExe,00000000), ref: 0040A1B8
                                                        • FindClose.KERNEL32(00000000,?,?,runGameSpecificExe,00000000), ref: 0040A1C7
                                                        • FindFirstFileA.KERNEL32(?,?,?,runGameSpecificExe,00000000), ref: 0040A1F6
                                                        • Sleep.KERNEL32(00000064,?,?,?,00000000,00000001), ref: 0040A2E1
                                                        • DeleteFileA.KERNEL32(?), ref: 0040A2EF
                                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040A2FB
                                                        • FindClose.KERNEL32(00000000), ref: 0040A30A
                                                        Strings
                                                        Similarity
                                                        • API ID: Find$File$CloseFirstNext$DeleteSleep
                                                        • String ID: %s\%s$%s\*_inst.exe$Copy %s->%s$Exit runGameSpecificExe$exec: %s with commandline '%s'$runGameSpecificExe
                                                        • API String ID: 2345050235-138872489
                                                        • Opcode ID: 5166ea926189c768b78b8f8daec67916aeac4eb2d9b017b2175523d574a6181b
                                                        • Instruction ID: 524fdab4451b35baff39c47ed591cbee8bae80749fe5ae7804159999e0495589
                                                        • Opcode Fuzzy Hash: 5166ea926189c768b78b8f8daec67916aeac4eb2d9b017b2175523d574a6181b
                                                        • Instruction Fuzzy Hash: 3E71DA711483406BE724DF64CC45FEB73A8EBC8704F44492EB589571C1DB79A6098B6B
                                                        APIs
                                                        • FindNextFileA.KERNEL32(00000000,?,?,?,runGameSpecificExe,00000000), ref: 0040A1B8
                                                        • FindClose.KERNEL32(00000000,?,?,runGameSpecificExe,00000000), ref: 0040A1C7
                                                        • FindFirstFileA.KERNEL32(?,?,?,runGameSpecificExe,00000000), ref: 0040A1F6
                                                        • Sleep.KERNEL32(00000064,?,?,?,00000000,00000001), ref: 0040A2E1
                                                        • DeleteFileA.KERNEL32(?), ref: 0040A2EF
                                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040A2FB
                                                        • FindClose.KERNEL32(00000000), ref: 0040A30A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Find$File$CloseNext$DeleteFirstSleep
                                                        • String ID: %s\%s$%s\*_inst.exe$Copy %s->%s$Exit runGameSpecificExe$exec: %s with commandline '%s'$runGameSpecificExe
                                                        • API String ID: 2815766398-138872489
                                                        • Opcode ID: 7c52b0766cf4f1d2e9acce0af2e13bc068faa69ddf51115cf9abf41d7de8d4d8
                                                        • Instruction ID: 0c91d48e411e499a262bfaaa4cfdbc113dac507737b5f6b4774de972c7e6e324
                                                        • Opcode Fuzzy Hash: 7c52b0766cf4f1d2e9acce0af2e13bc068faa69ddf51115cf9abf41d7de8d4d8
                                                        • Instruction Fuzzy Hash: 5261F872108340ABE720DF60CC45FEB73A8EBC4704F44492EB98957181DB79A609CBAA
                                                        APIs
                                                          • Part of subcall function 00413B40: LoadLibraryA.KERNEL32 ref: 00413B5A
                                                          • Part of subcall function 00413B40: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00413B6A
                                                          • Part of subcall function 00413B40: GetSystemDirectoryA.KERNEL32(0045DAF8,00000104), ref: 00413B95
                                                          • Part of subcall function 00413B40: GetWindowsDirectoryA.KERNEL32(0045DD08,00000104), ref: 00413BA5
                                                          • Part of subcall function 00413B40: GetTempPathA.KERNEL32(00000104,0045DE10), ref: 00413BB5
                                                          • Part of subcall function 00414930: LoadLibraryA.KERNEL32(KERNEL32.DLL), ref: 004149A7
                                                          • Part of subcall function 00414930: GetProcAddress.KERNEL32(00000000,CopyFileExA), ref: 004149BC
                                                        • FindFirstFileA.KERNEL32(?,?), ref: 00417F1B
                                                        • DeleteFileA.KERNEL32(?), ref: 00417F97
                                                        • FindNextFileA.KERNEL32(?,?), ref: 00417FA7
                                                        • FindClose.KERNEL32(?), ref: 00417FBA
                                                        • FindFirstFileA.KERNEL32(?,?), ref: 00417FEA
                                                        • FindNextFileA.KERNEL32(?,?), ref: 0041807D
                                                        • FindClose.KERNEL32(?), ref: 00418090
                                                        • FindFirstFileA.KERNEL32(?,?), ref: 004180B9
                                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0041813E
                                                        • FindClose.KERNEL32(00000000), ref: 00418149
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Find$File$CloseFirstNext$AddressDirectoryLibraryLoadProc$DeletePathSystemTempWindows
                                                        • String ID: %s\%s$%s\*_uninst.exe
                                                        • API String ID: 1160109514-2858441004
                                                        • Opcode ID: 0dad8f3e199b7a55b047e1936190970ee717b126a133d58243bb3b112fb4e9d3
                                                        • Instruction ID: 9f6682103830e505521cd8484b6fe5b054a565d779c716c41cdb5f6c531036c0
                                                        • Opcode Fuzzy Hash: 0dad8f3e199b7a55b047e1936190970ee717b126a133d58243bb3b112fb4e9d3
                                                        • Instruction Fuzzy Hash: 5681A6B21083445BD324DF60CD45BEBB7ACEBC8714F444D1EF99583181EB789649CBAA
                                                        APIs
                                                        • FindFirstFileA.KERNEL32(?,?), ref: 00414422
                                                        • FindClose.KERNEL32(00000000), ref: 0041443A
                                                        • FindFirstFileA.KERNEL32(?,?), ref: 00414494
                                                        • FindClose.KERNEL32(00000000), ref: 004144AC
                                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 004144BD
                                                        • RemoveDirectoryA.KERNEL32(?), ref: 004144D6
                                                        • FindFirstFileA.KERNEL32(?,?), ref: 00414552
                                                        • FindClose.KERNEL32(00000000), ref: 0041456A
                                                        • RemoveDirectoryA.KERNEL32(0000005C), ref: 00414585
                                                        • Sleep.KERNEL32(000003E8), ref: 00414594
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Find$CloseDirectoryFileFirst$Remove$CreateSleep
                                                        • String ID: \
                                                        • API String ID: 593529018-2967466578
                                                        • Opcode ID: cd2a44f3d599598c1fafc9b4c5718adc1c77347e8a239c6df6d9f0cf34f94548
                                                        • Instruction ID: 0fb53b54470e76bddbd086c82c8af96ee8b09f8716e29362b9a934bf63ba6167
                                                        • Opcode Fuzzy Hash: cd2a44f3d599598c1fafc9b4c5718adc1c77347e8a239c6df6d9f0cf34f94548
                                                        • Instruction Fuzzy Hash: 686128352083859FC321CF28D8447EBBBD6ABD6354F084A5DE8D483351DA39D94DCB5A
                                                        APIs
                                                        • FindFirstFileA.KERNEL32(?,?), ref: 00414CC8
                                                        • FindNextFileA.KERNEL32(00000000,?), ref: 00414DDE
                                                        • FindClose.KERNEL32(00000000), ref: 00414DED
                                                        • FindFirstFileA.KERNEL32(?,?,?,?), ref: 00414E00
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Find$File$First$CloseNext
                                                        • String ID: *.*$\$\*.*
                                                        • API String ID: 2001080981-2301768657
                                                        • Opcode ID: 6fd555c80d88ff68a725cc0c8a0bfababf08fce1e919103a46c7dabedfcc3ed1
                                                        • Instruction ID: a8a72605bd69f8ac0c64504b566f5f70f8f2b3987ac3faeae44afcbdd81da1c4
                                                        • Opcode Fuzzy Hash: 6fd555c80d88ff68a725cc0c8a0bfababf08fce1e919103a46c7dabedfcc3ed1
                                                        • Instruction Fuzzy Hash: 707139711087854BD721CB24A8187FBB7D9EFC2305F14492AEDC597341EB38988A87AA
                                                        APIs
                                                        • FindFirstFileA.KERNEL32(?,?), ref: 00414CC8
                                                        • FindNextFileA.KERNEL32(00000000,?), ref: 00414DDE
                                                        • FindClose.KERNEL32(00000000), ref: 00414DED
                                                        • FindFirstFileA.KERNEL32(?,?,?,?), ref: 00414E00
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Find$File$First$CloseNext
                                                        • String ID: *.*$\$\*.*
                                                        • API String ID: 2001080981-2301768657
                                                        • Opcode ID: 83a6a2b75fe7ddae7e29f215196850a4e8ebe6461e0ee2428b67daca4b15ab97
                                                        • Instruction ID: b82011f7364226d73ca0ef2ff54cbf09d9b1c66aee7853f02d9bb4e8a0548972
                                                        • Opcode Fuzzy Hash: 83a6a2b75fe7ddae7e29f215196850a4e8ebe6461e0ee2428b67daca4b15ab97
                                                        • Instruction Fuzzy Hash: 636139711087854BD721CB24A8187FBB7D9FFC2305F14492AED8597341EB38998AC7AA
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Version
                                                        • String ID: Microsoft Win32s$Unknown$Windows 2000$Windows 95$Windows 98$Windows ME$Windows NT$Windows XP
                                                        • API String ID: 1889659487-1287414207
                                                        • Opcode ID: 454356975ecda9a0999586d875334d146cb9ecda42628de8b5ed3d6ee45c621a
                                                        • Instruction ID: 975d6d164ef17e93e1c34ab1fc7ce7197d2ce6e84d94eff38267c9a8d95a5eee
                                                        • Opcode Fuzzy Hash: 454356975ecda9a0999586d875334d146cb9ecda42628de8b5ed3d6ee45c621a
                                                        • Instruction Fuzzy Hash: B3510EFC9063428BC369CF18FC509997BE5EB9A316B05467ED86883372D7309484CB5E
                                                        APIs
                                                        • GetCurrentProcess.KERNEL32(00000028,?), ref: 00413853
                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 0041385A
                                                        • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00413874
                                                        • AdjustTokenPrivileges.ADVAPI32 ref: 004138B4
                                                        • ExitWindowsEx.USER32(00000002,00000000), ref: 004138BE
                                                        • GetLastError.KERNEL32(00000400,00000000,00000000,00000000), ref: 004138D4
                                                        • FormatMessageA.KERNEL32(00001300,00000000,00000000), ref: 004138E2
                                                        • LocalFree.KERNEL32(?,?,SHUTDOWN FAILED,00000000), ref: 004138FF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ProcessToken$AdjustCurrentErrorExitFormatFreeLastLocalLookupMessageOpenPrivilegePrivilegesValueWindows
                                                        • String ID: SHUTDOWN FAILED$SeShutdownPrivilege
                                                        • API String ID: 2448987565-1691336667
                                                        • Opcode ID: ed4759c74439bb4ed74776834b508063bb345b8204b51e0ed5b5694a901b0ae6
                                                        • Instruction ID: 92ba003babb52eed7c6abf77429b2c820c46b8522f45f5159519c5dcda00bff1
                                                        • Opcode Fuzzy Hash: ed4759c74439bb4ed74776834b508063bb345b8204b51e0ed5b5694a901b0ae6
                                                        • Instruction Fuzzy Hash: BC1151B8248300BFE314DF90DC4AF6B7BA8AB49B02F11451DFA45D61D1DBB4A544CB2B
                                                        APIs
                                                        • GetCurrentProcess.KERNEL32(00000028,?), ref: 00413853
                                                        • OpenProcessToken.ADVAPI32(00000000), ref: 0041385A
                                                        • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00413874
                                                        • AdjustTokenPrivileges.ADVAPI32 ref: 004138B4
                                                        • ExitWindowsEx.USER32(00000002,00000000), ref: 004138BE
                                                        • GetLastError.KERNEL32(00000400,00000000,00000000,00000000), ref: 004138D4
                                                        • FormatMessageA.KERNEL32(00001300,00000000,00000000), ref: 004138E2
                                                        • LocalFree.KERNEL32(?,?,SHUTDOWN FAILED,00000000), ref: 004138FF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ProcessToken$AdjustCurrentErrorExitFormatFreeLastLocalLookupMessageOpenPrivilegePrivilegesValueWindows
                                                        • String ID: SHUTDOWN FAILED$SeShutdownPrivilege
                                                        • API String ID: 2448987565-1691336667
                                                        • Opcode ID: c44fb581fce770473752d51b9e14c0b44ca5ccb6b5d20e16e1367599c61591d7
                                                        • Instruction ID: cd1e3ef421f25ae5e72b2391aaacb05b7e1abe7403673aae6f94df788c72ae7c
                                                        • Opcode Fuzzy Hash: c44fb581fce770473752d51b9e14c0b44ca5ccb6b5d20e16e1367599c61591d7
                                                        • Instruction Fuzzy Hash: A0114FB4248300BFF314DF90DC4AF6BBBA8AB4AB02F11451DFA45962D1DBB495448B2B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: L$L$W$a$a$b$d$i$o$r$r$y
                                                        • API String ID: 0-4069139063
                                                        • Opcode ID: 5f552ea52f8885cc5946959680e49289054eacf1de81f572d0af4b8a7091f03e
                                                        • Instruction ID: 2a65b7569451b9379e622ccc0843fe5d8cc2dd22f94eb69ef077a5e482da424c
                                                        • Opcode Fuzzy Hash: 5f552ea52f8885cc5946959680e49289054eacf1de81f572d0af4b8a7091f03e
                                                        • Instruction Fuzzy Hash: E89137A2D186A48AE7208B24DC457EB7B79EF91300F1441FED54D67281EA7E0EC1CB67
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: L$L$W$a$a$b$d$i$o$r$r$y
                                                        • API String ID: 0-4069139063
                                                        • Opcode ID: 313b81d9252d0ce6893a39ac5e7250f1a7768376997726fa953e0986394fb6ec
                                                        • Instruction ID: 2065654d21eb0c2d9956f86db74cebc63257090a44d9a06a19bec56b39158c8f
                                                        • Opcode Fuzzy Hash: 313b81d9252d0ce6893a39ac5e7250f1a7768376997726fa953e0986394fb6ec
                                                        • Instruction Fuzzy Hash: E7810561C086688AEB259B24DC447FBBB75EF51300F1441FED58DA7281EA7E0EC1CB66
                                                        APIs
                                                          • Part of subcall function 00414F30: FindFirstFileA.KERNEL32(?,?,?,?), ref: 00414F47
                                                          • Part of subcall function 00414F30: FindClose.KERNEL32(00000000), ref: 00414F81
                                                        • FindFirstFileA.KERNEL32(?,00000010,?,00000000,?,?,00000000,00000000,?,?,?,?), ref: 00415714
                                                          • Part of subcall function 00426C69: DeleteFileA.KERNEL32(?,004155C9,?,?,?,00000000,00000000,?,?,?,?), ref: 00426C6D
                                                          • Part of subcall function 00426C69: GetLastError.KERNEL32 ref: 00426C77
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: FileFind$First$CloseDeleteErrorLast
                                                        • String ID: *.*
                                                        • API String ID: 3118232422-438819550
                                                        • Opcode ID: 72bc6b88f7b33cbfedc53b91c7b1d7d54276f92ab0933f36c0389c94bae50d10
                                                        • Instruction ID: d50b5ba08bd02bfc4a9db7413c80bf415121bbd2ff89fe9cd1d600cc42db10ae
                                                        • Opcode Fuzzy Hash: 72bc6b88f7b33cbfedc53b91c7b1d7d54276f92ab0933f36c0389c94bae50d10
                                                        • Instruction Fuzzy Hash: 3BF14D3120CB86CBC721CB2888647FBB7D5AFD6344F544A6DE8CA87341EB359849C796
                                                        APIs
                                                        • FindFirstFileA.KERNEL32(?,00000010,?,00000000,?,?,00000000,00000000,?,?,?,?), ref: 00415714
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: FileFindFirst
                                                        • String ID: *.*
                                                        • API String ID: 1974802433-438819550
                                                        • Opcode ID: 410d2f4184425401732a26dd78b35b4aec639599474a768d48983462fbe52a52
                                                        • Instruction ID: 1877e94ef0ce8ff5fbf0691ca38f6eac6a25572973ee1466535c20e71dfeb6f4
                                                        • Opcode Fuzzy Hash: 410d2f4184425401732a26dd78b35b4aec639599474a768d48983462fbe52a52
                                                        • Instruction Fuzzy Hash: 34C10931208B86CBC721CB2484647FBB7E5BFD6345F58496EE8C683301EB35984AC796
                                                        APIs
                                                        • CreateDirectoryA.KERNEL32(?,00000000), ref: 0041584E
                                                        • CreateDirectoryA.KERNEL32(?,004047B1), ref: 004158BA
                                                        • FindNextFileA.KERNEL32(?,?,?,004047B1), ref: 004158C6
                                                        • FindClose.KERNEL32(?,?,00000010,?,?,?,?,?,?,004047B1), ref: 004158D5
                                                        • FindFirstFileA.KERNEL32(?,00000010,?,?,00000010,?,?,?,?,?,?,004047B1), ref: 0041592D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: Find$CreateDirectoryFile$CloseFirstNext
                                                        • String ID: *.*
                                                        • API String ID: 1728542896-438819550
                                                        • Opcode ID: 9eff909c66cb903bf078441320e9b5e5028d2ba84564a0d774f2873b30a619e0
                                                        • Instruction ID: ee7c5c2669a24e9d90aa8648b81e9d9678ad7f089a45b018233204a1bf1318a3
                                                        • Opcode Fuzzy Hash: 9eff909c66cb903bf078441320e9b5e5028d2ba84564a0d774f2873b30a619e0
                                                        • Instruction Fuzzy Hash: E3B11A31208B86CBD721CB2484647FBB7E5BFD6345F58492DE8C687301EB35984AC796
                                                        APIs
                                                        • FindFirstFileA.KERNEL32(?,?,?,?,?,?,?), ref: 00414684
                                                        • FindNextFileA.KERNEL32(00000000,?), ref: 004146D5
                                                        • FindClose.KERNEL32(00000000), ref: 0041472B
                                                        • FindFirstFileA.KERNEL32(?,?), ref: 0041478D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: Find$File$First$CloseNext
                                                        • String ID: *.*
                                                        • API String ID: 2001080981-438819550
                                                        • Opcode ID: 47ab2d00a686aef36f81674ad12c48d0b099d6d9b14137ad4c870b616a8b0977
                                                        • Instruction ID: d464e212dd68eb2a0debe0c153d34ad098e3c75a0d726ec831b8764db62cd133
                                                        • Opcode Fuzzy Hash: 47ab2d00a686aef36f81674ad12c48d0b099d6d9b14137ad4c870b616a8b0977
                                                        • Instruction Fuzzy Hash: 7C8125351087C68BC725DF249824BEBB7D5EFD3345F144A2AE8C587340EB39988AC795
                                                        APIs
                                                        • FindFirstFileA.KERNEL32(?,?,?,?,?,?,?), ref: 00414684
                                                        • FindNextFileA.KERNEL32(00000000,?), ref: 004146D5
                                                        • FindClose.KERNEL32(00000000), ref: 0041472B
                                                        • FindFirstFileA.KERNEL32(?,?), ref: 0041478D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: Find$File$First$CloseNext
                                                        • String ID: *.*
                                                        • API String ID: 2001080981-438819550
                                                        • Opcode ID: f8baf2d164070367750e842b21ae3ae679f06fa12553020456407e39d5a58f90
                                                        • Instruction ID: 72dfbb3d70468e9ec892d8d425d37a8d7061e44efa945190d4a59d62a0781805
                                                        • Opcode Fuzzy Hash: f8baf2d164070367750e842b21ae3ae679f06fa12553020456407e39d5a58f90
                                                        • Instruction Fuzzy Hash: 465134351087C58BC725DF2498247EBB7D5FBD2305F144A2EE8C587341EB39988AC796
                                                        APIs
                                                        • GetLastError.KERNEL32(00000400,?,00000000,00000000,80000002,?), ref: 00411158
                                                        • FormatMessageA.KERNEL32(00001300,00000000,00000000), ref: 00411166
                                                        • LocalFree.KERNEL32(?,00000000,?,setSwapSize,00000000), ref: 00411184
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: ErrorFormatFreeLastLocalMessage
                                                        • String ID: %I64d$SOFTWARE\$SwapSize$setSwapSize
                                                        • API String ID: 1365068426-648712029
                                                        • Opcode ID: d1b31b4500337b74060d4891dc460c9cbf7a795cccf7c9c2f8e667b8103f37ca
                                                        • Instruction ID: 68c570f812988241753bd2a04a9715a3b5369f07d8492d5d9d524d181d3e445a
                                                        • Opcode Fuzzy Hash: d1b31b4500337b74060d4891dc460c9cbf7a795cccf7c9c2f8e667b8103f37ca
                                                        • Instruction Fuzzy Hash: 96412571208341ABD314CF28C811BBBB7E5FBC9704F108A1EFA9597290DB75A846C79A
                                                        APIs
                                                        • FindNextFileA.KERNEL32(00000000,?), ref: 00414DDE
                                                        • FindClose.KERNEL32(00000000), ref: 00414DED
                                                        • FindFirstFileA.KERNEL32(?,?,?,?), ref: 00414E00
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: Find$File$CloseFirstNext
                                                        • String ID: \*.*
                                                        • API String ID: 3541575487-1173974218
                                                        • Opcode ID: 9f3db2f183c91a9e6a5fe53de5235e66e5e9c71d90b45731c182115bef5c82ec
                                                        • Instruction ID: 73ed92b0838a6fd84eecc73f45936914938e06500c24726ad6d6a21ef8ce5d97
                                                        • Opcode Fuzzy Hash: 9f3db2f183c91a9e6a5fe53de5235e66e5e9c71d90b45731c182115bef5c82ec
                                                        • Instruction Fuzzy Hash: 14414C751087854BC721CB24A8147FBBBD5FBD2306F144929EDC587301EB39988AC7AA
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,GetDiskFreeSpaceExA), ref: 0040F690
                                                        • GetProcAddress.KERNEL32(00000000), ref: 0040F697
                                                        • SetLastError.KERNEL32(00000000), ref: 0040F6AB
                                                        • SetLastError.KERNEL32(00000000), ref: 0040F6CF
                                                        • GetDiskFreeSpaceA.KERNEL32(?,?,?,?,?), ref: 0040F6EA
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: ErrorLast$AddressDiskFreeHandleModuleProcSpace
                                                        • String ID: GetDiskFreeSpaceExA$kernel32.dll
                                                        • API String ID: 3160920872-3712701948
                                                        • Opcode ID: 2d0cf4cc19a522339e078fa3eefbf2c879b643f54b3f68dd230ea8c5cc83a152
                                                        • Instruction ID: 7ad7b93e94fca053afe9f72b981c6a2b3715ccf3ef72a9c3208e8f43e9ae2302
                                                        • Opcode Fuzzy Hash: 2d0cf4cc19a522339e078fa3eefbf2c879b643f54b3f68dd230ea8c5cc83a152
                                                        • Instruction Fuzzy Hash: 13214336208302AFC311DF65D804F9B77E4BB96304F05897EF581A2150EA74D508CBA7
                                                        APIs
                                                        • SetErrorMode.KERNEL32(00000003,dll,?,?,?,00415470,?), ref: 004148DE
                                                        • LoadLibraryA.KERNEL32(?), ref: 004148E7
                                                        • GetProcAddress.KERNEL32(00000000,DllRegisterServer), ref: 00414902
                                                        • FreeLibrary.KERNEL32(00000000), ref: 0041490F
                                                        • SetErrorMode.KERNEL32(00000000), ref: 00414916
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ErrorLibraryMode$AddressFreeLoadProc
                                                        • String ID: DllRegisterServer$dll
                                                        • API String ID: 2523496102-3743520154
                                                        • Opcode ID: ef9ba2a5713ceb03e6ce70ee764b4726849faacc317d9aed7e31cc120d4455a1
                                                        • Instruction ID: 5463a6723183e0fd2573a7326bb506f65ba7a9fbe54e5d5f4bd9aa869cd4d228
                                                        • Opcode Fuzzy Hash: ef9ba2a5713ceb03e6ce70ee764b4726849faacc317d9aed7e31cc120d4455a1
                                                        • Instruction Fuzzy Hash: 7BE06C773812242B85116BE97C099CBF79CDFD77727024033FA00D3111CA65984596B9
                                                        APIs
                                                        • FindNextFileA.KERNEL32(?,?,?,004047B1), ref: 004158C6
                                                        • FindClose.KERNEL32(?,?,00000010,?,?,?,?,?,?,004047B1), ref: 004158D5
                                                        • FindFirstFileA.KERNEL32(?,00000010,?,?,00000010,?,?,?,?,?,?,004047B1), ref: 0041592D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Find$File$CloseFirstNext
                                                        • String ID: *.*
                                                        • API String ID: 3541575487-438819550
                                                        • Opcode ID: 4ff3cb581a51a3a024f0fcea3aa24c0e621652ed30df674407a10555b600ff0a
                                                        • Instruction ID: 82c4c8625ec48b706e964f5defe62e3f166b5be27307af7ce1f69a47df756571
                                                        • Opcode Fuzzy Hash: 4ff3cb581a51a3a024f0fcea3aa24c0e621652ed30df674407a10555b600ff0a
                                                        • Instruction Fuzzy Hash: 9971B771208B86CBC725CB249450BFBB7E9BFC6345F544A2EE8CA87201DB359846C797
                                                        APIs
                                                        • FindNextFileA.KERNEL32(00000000,?), ref: 004146D5
                                                        • FindClose.KERNEL32(00000000), ref: 0041472B
                                                        • FindFirstFileA.KERNEL32(?,?), ref: 0041478D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Find$File$CloseFirstNext
                                                        • String ID: *.*
                                                        • API String ID: 3541575487-438819550
                                                        • Opcode ID: 54ec6554f0611da655e9e997310d51225dfdf018d22df20dba37b3329ee1681d
                                                        • Instruction ID: 664cd25a3782574f27417e97decbe08ee3e65bcafea3b4704871a912b5d67fad
                                                        • Opcode Fuzzy Hash: 54ec6554f0611da655e9e997310d51225dfdf018d22df20dba37b3329ee1681d
                                                        • Instruction Fuzzy Hash: 9D5114355087C58BD721DF2498247EBB7E5FFD2342F18492AE8C587340EB38988AC795
                                                        APIs
                                                        • FindFirstFileA.KERNEL32(?,?), ref: 0040AC64
                                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040ACB5
                                                        • FindClose.KERNEL32(00000000), ref: 0040AD05
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Find$File$CloseFirstNext
                                                        • String ID: %s\%s$%s\Arcade*.exe$%s\GameSpy
                                                        • API String ID: 3541575487-1719408586
                                                        • Opcode ID: dbe7b42e3d3ec4345a4abcb7a78b595a76cb8f80a063b7ae8161053680dce15d
                                                        • Instruction ID: ba2843077a888f8c0d9f31af973d8caf28e7bd1786c0ac93db22295fa0225a35
                                                        • Opcode Fuzzy Hash: dbe7b42e3d3ec4345a4abcb7a78b595a76cb8f80a063b7ae8161053680dce15d
                                                        • Instruction Fuzzy Hash: 0B21E5721083006BE320EB90DC45FEB739DEBC4301F44892FBA55561C1EBBC620986AB
                                                        APIs
                                                        • FindFirstFileA.KERNEL32(?,?), ref: 004142A8
                                                        • FindClose.KERNEL32(00000000,00000000,?,Found! (FileExists),00000000), ref: 004142D9
                                                        • FindClose.KERNEL32(00000000), ref: 00414301
                                                        Strings
                                                        • FindFirstFile returned INVALID_HANDLE_VALUE, xrefs: 00414323
                                                        • Found! (FileExists), xrefs: 004142CB
                                                        • File is a directory (FileExists), xrefs: 004142F3
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Find$Close$FileFirst
                                                        • String ID: File is a directory (FileExists)$FindFirstFile returned INVALID_HANDLE_VALUE$Found! (FileExists)
                                                        • API String ID: 3046750681-696252916
                                                        • Opcode ID: 9358b9d398efbeaedbf88955095f5e19847b83186bca4ece126a06245336cc21
                                                        • Instruction ID: f179452c76eb578ae544a1bee184078c8abbbeec53593ee830497973ded0bfe5
                                                        • Opcode Fuzzy Hash: 9358b9d398efbeaedbf88955095f5e19847b83186bca4ece126a06245336cc21
                                                        • Instruction Fuzzy Hash: 9C014E363812102AD5203B15AC16FEB67549BD7735F14002BFDA8B72D1C17E204ED67D
                                                        APIs
                                                        • GetLocaleInfoW.KERNEL32(00000000,00000001,00000000,00000000,0044EBE8,00000018,004332DB,?,?,?,00000080,00000000,?,?,00000001), ref: 004347E9
                                                        • GetLastError.KERNEL32(?,?,00000001), ref: 004347FB
                                                        • GetLocaleInfoW.KERNEL32(00000001,?,00000000,00000000,0044EBE8,00000018,004332DB,?,?,?,00000080,00000000,?,?,00000001), ref: 00434846
                                                        • GetLocaleInfoW.KERNEL32(00000001,?,?,00000000,?,?,00000001), ref: 004348B5
                                                        • WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,?,?,00000000,00000000,?,00000000,?,?,00000001), ref: 004348D7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: InfoLocale$ByteCharErrorLastMultiWide
                                                        • String ID:
                                                        • API String ID: 97497842-0
                                                        • Opcode ID: cd5a1e798129d4cdafcd1ad13e6f13eb3165ee11d827a2cd0e344d9fbaae042d
                                                        • Instruction ID: fe7e92c7b65506b1fe74559231b6889423d20066c4b8d4a315defae7c575d48c
                                                        • Opcode Fuzzy Hash: cd5a1e798129d4cdafcd1ad13e6f13eb3165ee11d827a2cd0e344d9fbaae042d
                                                        • Instruction Fuzzy Hash: C031E179801168EBCF21AF51EC459EF3F74FF8A760F10452BF41092250C738A951DBA9
                                                        APIs
                                                        • GetLocaleInfoW.KERNEL32(00000000,00000001,00000000,00000000,0044EBD8,00000018,0043338F,?,?,00480E5C,00000004,00000000,?,?,00000001), ref: 004346B9
                                                        • GetLastError.KERNEL32(?,?,00000001), ref: 004346CB
                                                        • GetLocaleInfoW.KERNEL32(00000001,?,?,?,0044EBD8,00000018,0043338F,?,?,00480E5C,00000004,00000000,?,?,00000001), ref: 004346F5
                                                        • GetLocaleInfoA.KERNEL32(00000001,?,00000000,00000000,0044EBD8,00000018,0043338F,?,?,00480E5C,00000004,00000000,?,?,00000001), ref: 00434724
                                                        • GetLocaleInfoA.KERNEL32(00000001,?,?,?,?,?,00000001), ref: 0043478B
                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,000000FF,?,?,?,?,?,?,00000001), ref: 004347AB
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: InfoLocale$ByteCharErrorLastMultiWide
                                                        • String ID:
                                                        • API String ID: 97497842-0
                                                        • Opcode ID: 16211fd0ea0a0aecfb1881928e9c410306c88fdd26e7c817d09b8c84a5c47cdb
                                                        • Instruction ID: a17c65708b22d39c076f244c3167ec761669742c1f2b91babe67d3fd0146cb11
                                                        • Opcode Fuzzy Hash: 16211fd0ea0a0aecfb1881928e9c410306c88fdd26e7c817d09b8c84a5c47cdb
                                                        • Instruction Fuzzy Hash: 5E31AF74900119AFCF229F91EC458EF7AB1FBCA750F20562AF811A2260D3399D51DB99
                                                        APIs
                                                        • _TranslateName.LIBCMT ref: 00430772
                                                        • _TranslateName.LIBCMT ref: 004307BB
                                                        • IsValidCodePage.KERNEL32(00000000,00000082,00000000,004562C0,0042635F,?,004809CC,?,?,00000000,?), ref: 0043081F
                                                        • IsValidLocale.KERNEL32(00000001), ref: 00430835
                                                          • Part of subcall function 00430605: EnumSystemLocalesA.KERNEL32(0043021B,00000001,00000000,004562C0,0042635F,?,004809CC,?,?,00000000,?), ref: 00430625
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: NameTranslateValid$CodeEnumLocaleLocalesPageSystem
                                                        • String ID: Norwegian-Nynorsk
                                                        • API String ID: 25477102-461349085
                                                        • Opcode ID: 1d989896bc01b99306157691cb7343851a378502ff2dffd7fc8ab0248d4c7af6
                                                        • Instruction ID: 2f20a2206e1c076148d7ff7e681dfdc67b3553f714d7ef80d5f25f58bdb4048b
                                                        • Opcode Fuzzy Hash: 1d989896bc01b99306157691cb7343851a378502ff2dffd7fc8ab0248d4c7af6
                                                        • Instruction Fuzzy Hash: 7B4119716112409BD7B0AF619CB1A2F37E0AF49300F156A3FE541963A1E72CB84DCB6E
                                                        APIs
                                                        • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00424096
                                                        • GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 004240A7
                                                        • VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C), ref: 004240ED
                                                        • VirtualAlloc.KERNEL32(?,?,00001000,00000004,?,?,0000001C), ref: 0042412B
                                                        • VirtualProtect.KERNEL32(?,?,?,?,?,?,0000001C), ref: 00424151
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Virtual$Query$AllocInfoProtectSystem
                                                        • String ID:
                                                        • API String ID: 4136887677-0
                                                        • Opcode ID: f92df4dc610bf4f209ae5d1d387623058e6c3484833d4ddbf4b0e73c3023e66a
                                                        • Instruction ID: 3ae70e2e835963f036367eda34e548a546d7b1799bd96947dc5649064c90c0b6
                                                        • Opcode Fuzzy Hash: f92df4dc610bf4f209ae5d1d387623058e6c3484833d4ddbf4b0e73c3023e66a
                                                        • Instruction Fuzzy Hash: 7531D476E00229ABDF10CBA4ED499EDBBB8EB45354F540066E901E3241D7348E91CB98
                                                        APIs
                                                        • GetSystemTimeAsFileTime.KERNEL32(?), ref: 0042B2C7
                                                        • GetCurrentProcessId.KERNEL32 ref: 0042B2D3
                                                        • GetCurrentThreadId.KERNEL32 ref: 0042B2DB
                                                        • GetTickCount.KERNEL32 ref: 0042B2E3
                                                        • QueryPerformanceCounter.KERNEL32(?), ref: 0042B2EF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: CurrentTime$CountCounterFilePerformanceProcessQuerySystemThreadTick
                                                        • String ID:
                                                        • API String ID: 1445889803-0
                                                        • Opcode ID: 624e0785466e7938e43d15d0758950ebdaea816835ec01d6f61c555c6e2ae7b9
                                                        • Instruction ID: 32fabd2bde9cb4d14f74efbfe84cc1875d2bfc2f5d6faedfeadbc5f05a32322d
                                                        • Opcode Fuzzy Hash: 624e0785466e7938e43d15d0758950ebdaea816835ec01d6f61c555c6e2ae7b9
                                                        • Instruction Fuzzy Hash: B3F0FF75D002249BCB10EBF4ED0C49EB7F8FF0A345B830961E811E7211DB34A9008A89
                                                        APIs
                                                        • __lock.LIBCMT ref: 0042D875
                                                          • Part of subcall function 00429838: EnterCriticalSection.KERNEL32(?,?,?,00423F79,00000004,0044C938,0000000C,00423FDD,000000E0,00424008,?,004369E6,?,?,?,00443BF8), ref: 00429860
                                                        • GetTimeZoneInformation.KERNEL32(00480CC0,0044D5E0,00000018,0042DE77,0044D5F0,00000008,00429464,?,?,0000003C,00000000,?,?,0000003C,00000000,?), ref: 0042D986
                                                        • WideCharToMultiByte.KERNEL32(?,00000000,00480CC4,000000FF,0000003F,00000000,?,?,0000003C,00000000,?,?,0000003C,00000000,?,00000001), ref: 0042DA14
                                                        • WideCharToMultiByte.KERNEL32(?,00000000,00480D18,000000FF,0000003F,00000000,?,?,0000003C,00000000,?,?,0000003C,00000000,?,00000001), ref: 0042DA48
                                                          • Part of subcall function 0042400B: __lock.LIBCMT ref: 00424029
                                                          • Part of subcall function 0042400B: HeapFree.KERNEL32(00000000,?,0044C948,0000000C,0042981C,00000000,0044CDF0,00000008,00429851,?,?,?,00423F79,00000004,0044C938,0000000C), ref: 00424070
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide__lock$CriticalEnterFreeHeapInformationSectionTimeZone
                                                        • String ID:
                                                        • API String ID: 1400400880-0
                                                        • Opcode ID: 168796f9be6af2e00a1e0c13e8481f7b6c1735c285c48e3457f2838ae12673e8
                                                        • Instruction ID: 9e62acca3ffd8af432368a2c5d68fbdb27d2d3598730482c6caa495fe8d037a2
                                                        • Opcode Fuzzy Hash: 168796f9be6af2e00a1e0c13e8481f7b6c1735c285c48e3457f2838ae12673e8
                                                        • Instruction Fuzzy Hash: 8E711570E082719ED7629B69FC41B5A7BE5EB55310FE4012FE090C72E2DB389986CB5C
                                                        APIs
                                                          • Part of subcall function 0040F740: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104,English US,0040D888,?,?,?,English US,?,?), ref: 0040F763
                                                        • CoInitialize.OLE32(00000000), ref: 0040F924
                                                        • CoCreateInstance.OLE32(0044EC20,00000000,00000001,0044EC10,?,?,?), ref: 0040F942
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104), ref: 0040F9F1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide$CreateInitializeInstance
                                                        • String ID:
                                                        • API String ID: 2531819542-0
                                                        • Opcode ID: 99c9a9a355a31ff5b2627bd261af38307c2fd3ee9db75f4167302d056152d0f4
                                                        • Instruction ID: d74481e86e668fc06052e60e2a5e486a87dd0838d2a97d2aabe5d75d40d84abb
                                                        • Opcode Fuzzy Hash: 99c9a9a355a31ff5b2627bd261af38307c2fd3ee9db75f4167302d056152d0f4
                                                        • Instruction Fuzzy Hash: FC3119B5204341AFD724CFA0C888E6BB7A9FFC9700F14896DF9459B291D635EC44CB65
                                                        APIs
                                                        • FindFirstFileA.KERNEL32(?,?,?,?), ref: 00414F47
                                                        • FindClose.KERNEL32(00000000), ref: 00414F81
                                                        • FindClose.KERNEL32(00000000), ref: 00414FA5
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Find$Close$FileFirst
                                                        • String ID:
                                                        • API String ID: 3046750681-0
                                                        APIs
                                                        • LoadResource.KERNEL32(?,?), ref: 004013DC
                                                        • LockResource.KERNEL32(00000000), ref: 004013EB
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Resource$LoadLock
                                                        • String ID:
                                                        • API String ID: 1037334470-0
                                                        APIs
                                                        • GetThreadLocale.KERNEL32 ref: 004228A6
                                                        • GetLocaleInfoA.KERNEL32(00000000,00001004,?,00000007), ref: 004228B8
                                                        • GetACP.KERNEL32 ref: 004228E1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Locale$InfoThread
                                                        • String ID:
                                                        • API String ID: 4232894706-0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        APIs
                                                        • FindFirstFileA.KERNEL32(?,?), ref: 00413813
                                                        • FindClose.KERNEL32(00000000), ref: 00413828
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Find$CloseFileFirst
                                                        • String ID:
                                                        • API String ID: 2295610775-0
                                                        APIs
                                                        • FindFirstFileA.KERNEL32(?,?), ref: 00414353
                                                        • FindClose.KERNEL32(00000000), ref: 00414368
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Find$CloseFileFirst
                                                        • String ID:
                                                        • API String ID: 2295610775-0
                                                        APIs
                                                        • GetLocaleInfoA.KERNEL32(?,?,?,?), ref: 00430124
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: InfoLocale
                                                        • String ID:
                                                        • API String ID: 2299586839-0
                                                        APIs
                                                        • EnumSystemLocalesA.KERNEL32(00430320,00000001,00000000,?), ref: 004306A1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: EnumLocalesSystem
                                                        • String ID:
                                                        • API String ID: 2099609381-0
                                                        APIs
                                                        • GetLocaleInfoA.KERNEL32(?,00001004,?,00000006), ref: 00432571
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: InfoLocale
                                                        • String ID:
                                                        • API String ID: 2299586839-0
                                                        APIs
                                                        • EnumSystemLocalesA.KERNEL32(0043053A,00000001,00000000,004562C0,0042635F,?,004809CC,?,?,00000000,?), ref: 00430700
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: EnumLocalesSystem
                                                        • String ID:
                                                        • API String ID: 2099609381-0
                                                        APIs
                                                        • EnumSystemLocalesA.KERNEL32(0043021B,00000001,00000000,004562C0,0042635F,?,004809CC,?,?,00000000,?), ref: 00430625
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: EnumLocalesSystem
                                                        • String ID:
                                                        • API String ID: 2099609381-0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID:
                                                        • String ID: I>C6
                                                        • API String ID: 0-4249061742
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: cf73529e59ca414800e33f6a3d27a469329b2531af2a4a51d0323622b91f33b1
                                                        • Instruction ID: a48938021cedc7cb95ed12bdda6726682a3cd92a75fd720a002f5d4c608c8565
                                                        • Opcode Fuzzy Hash: cf73529e59ca414800e33f6a3d27a469329b2531af2a4a51d0323622b91f33b1
                                                        • Instruction Fuzzy Hash: 6331D636A6C4A302D348DE3ADC002737793CBC662AB1DC5B4C684D761AD53FA8439394
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 916adc14e561b3eadea8d50eb96866212fb6a3d63354d9611c4e08656ecd61d3
                                                        • Instruction ID: e4babc745da3f29cc0684a555394302970eda1ca2e39a57ede709b7d6887d096
                                                        • Opcode Fuzzy Hash: 916adc14e561b3eadea8d50eb96866212fb6a3d63354d9611c4e08656ecd61d3
                                                        • Instruction Fuzzy Hash: 0731FB327002149BDB10DF69EC80967BBA5FB84320F85816AED19CB245D735F915C7E1
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ProtectVirtual
                                                        • String ID:
                                                        • API String ID: 544645111-0
                                                        • Opcode ID: 66f9c3938398093f3fbb39a17f3256d20374abb03f062153750675db454b8d78
                                                        • Instruction ID: 5e08d8435b4f32f083b52ed0820823711811ae7a8b78dfbd9e5038d008351623
                                                        • Opcode Fuzzy Hash: 66f9c3938398093f3fbb39a17f3256d20374abb03f062153750675db454b8d78
                                                        • Instruction Fuzzy Hash: 7821DAF2D041169FF3508A20DD48FB7B779EBC0310F1681BADC0D96A85D63D9AD68952
                                                        APIs
                                                        • LoadLibraryA.KERNEL32 ref: 00413B5A
                                                        • GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00413B6A
                                                        • GetSystemDirectoryA.KERNEL32(0045DAF8,00000104), ref: 00413B95
                                                        • GetWindowsDirectoryA.KERNEL32(0045DD08,00000104), ref: 00413BA5
                                                        • GetTempPathA.KERNEL32(00000104,0045DE10), ref: 00413BB5
                                                        • RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,00000001,?,0045DC00,00000104), ref: 00413C4F
                                                        • RegQueryValueExA.ADVAPI32(?,Programs,00000000,?,0045DF18,00000000), ref: 00413C6F
                                                        • RegCloseKey.ADVAPI32(?), ref: 00413C76
                                                        • RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,00000001,?), ref: 00413CB3
                                                        • RegQueryValueExA.ADVAPI32(?,Desktop,00000000,?,0045E128,00000000), ref: 00413CD4
                                                        • RegCloseKey.ADVAPI32(?), ref: 00413CDB
                                                        • RegOpenKeyExA.ADVAPI32(80000001,Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders,00000000,00000001,?), ref: 00413D18
                                                        • RegQueryValueExA.ADVAPI32(?,Startup,00000000,?,0045E020,00000000), ref: 00413D39
                                                        • RegCloseKey.ADVAPI32(?), ref: 00413D40
                                                        • _strrchr.LIBCMT ref: 00413D9B
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: CloseOpenQueryValue$Directory$AddressLibraryLoadPathProcSystemTempWindows_strrchr
                                                        • String ID: Desktop$Programs$SHGetSpecialFolderPathA$Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders$Startup$\$shell32.dll
                                                        • API String ID: 2602145959-1472001317
                                                        • Opcode ID: 92ba9db9812318cfc1a9f2f595c625348012db5472fe69de8e44692bb1b89c64
                                                        • Instruction ID: e80c763e5b29c7d8e5e42a1ad3f48ff6ca632b4e65f53a447ea04d520f8748cb
                                                        • Opcode Fuzzy Hash: 92ba9db9812318cfc1a9f2f595c625348012db5472fe69de8e44692bb1b89c64
                                                        • Instruction Fuzzy Hash: 9881F630248341AFE310CF24DC56FEB7BD49F85B06F14485DF984AB282DAB8E648875A
                                                        APIs
                                                          • Part of subcall function 00413B40: LoadLibraryA.KERNEL32 ref: 00413B5A
                                                          • Part of subcall function 00413B40: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00413B6A
                                                          • Part of subcall function 00413B40: GetSystemDirectoryA.KERNEL32(0045DAF8,00000104), ref: 00413B95
                                                          • Part of subcall function 00413B40: GetWindowsDirectoryA.KERNEL32(0045DD08,00000104), ref: 00413BA5
                                                          • Part of subcall function 00413B40: GetTempPathA.KERNEL32(00000104,0045DE10), ref: 00413BB5
                                                        • GetCurrentDirectoryA.KERNEL32(00000400,?,Version,?,?,80000002,?,?,?,?), ref: 00417198
                                                        • SetCurrentDirectoryA.KERNEL32(?,?,?,?), ref: 004171A8
                                                        • SetCurrentDirectoryA.KERNEL32(?,dsetup.dll,?,?,?,?), ref: 004171C8
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Directory$Current$AddressLibraryLoadPathProcSystemTempWindows
                                                        • String ID: %d.%d.%d$%d.%d.%d.%d$8.1$CD NEWER THAN HD$CD OLDER THAN HD$CD SAME AS HD$Software\Microsoft\DirectX$UNKNOWN$Version$Windows 2000$Windows XP$dsetup.dll$m_DirectXSetupGetVersion is NULL$oops
                                                        • API String ID: 3989195010-3706638769
                                                        • Opcode ID: e409a4f728bf81f7fd36018dbb63c5b94372184be35f8ffd5e55e08342c9a899
                                                        • Instruction ID: 82d168655b0c159cb1636abc6d3beedafcc5df099369e82530c6fe2580bb6615
                                                        • Opcode Fuzzy Hash: e409a4f728bf81f7fd36018dbb63c5b94372184be35f8ffd5e55e08342c9a899
                                                        • Instruction Fuzzy Hash: 19A1A07560C380ABE324DB54C840BEBB7F9EBD5711F10491EF985932C1DB78A889CB5A
                                                        APIs
                                                        • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Internet Explorer,00000000,00020019,?), ref: 00415C61
                                                        • RegQueryValueExA.ADVAPI32(?,Version,00000000,00000000,?,?), ref: 00415C92
                                                        • RegQueryValueExA.ADVAPI32(?,IVer,00000000,00000000,?,?), ref: 00415D29
                                                        • RegCloseKey.ADVAPI32(?), ref: 00415E54
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: QueryValue$CloseOpen
                                                        • String ID: %d.%d$100$101$102$103$1215$1300$Build$IVer$Software\Microsoft\Internet Explorer$Version
                                                        • API String ID: 1586453840-2685558121
                                                        • Opcode ID: 5bcbfc358af2fdd4e7f4c7d192685e2c955f14ea2cd7315642f4b601f156518e
                                                        • Instruction ID: de899b3a32cb2af15eaa5d18eb6ecfaec54b5d6c66715f52551f9a2aa385845c
                                                        • Opcode Fuzzy Hash: 5bcbfc358af2fdd4e7f4c7d192685e2c955f14ea2cd7315642f4b601f156518e
                                                        • Instruction Fuzzy Hash: 4861D3B1A047459BEB20DF14D844BEB7BE9EBC8704F144429F6449B380DB789945CB9B
                                                        APIs
                                                        • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00416955
                                                        • SetCurrentDirectoryA.KERNEL32(?), ref: 00416969
                                                        • LoadLibraryA.KERNEL32(dsetup.dll), ref: 00416981
                                                        • GetProcAddress.KERNEL32(00000000,DirectXSetupA), ref: 0041699A
                                                        • GetProcAddress.KERNEL32(?,DirectXSetupGetVersion), ref: 004169BE
                                                        • GetProcAddress.KERNEL32(?,DirectXSetupGetEULAA), ref: 004169E2
                                                        • SetCurrentDirectoryA.KERNEL32(?), ref: 004169EC
                                                        • SetCurrentDirectoryA.KERNEL32(?), ref: 00416A18
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: CurrentDirectory$AddressProc$LibraryLoad
                                                        • String ID: Cannot get address of DirectXSetupA$Cannot get address of DirectXSetupGetVersion$Could not load dsetup.dll$DirectXSetupA$DirectXSetupGetEULAA$DirectXSetupGetVersion$Dsetup.dll$dsetup.dll
                                                        • API String ID: 3383375925-590746012
                                                        • Opcode ID: 6728013ffcc9761fc737054107d104eea82b8e14e575de02be08ca56f5759ead
                                                        • Instruction ID: 931795e1dae7218fb21f2bd96e0d81854005b1a274691680fd43d5dea92e8a10
                                                        • Opcode Fuzzy Hash: 6728013ffcc9761fc737054107d104eea82b8e14e575de02be08ca56f5759ead
                                                        • Instruction Fuzzy Hash: 2421F5B52413006FE320AB64AD85F9BB7A8DB95B11F11892FFE85D3281DA78D444CB39
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(USER32), ref: 00422BAD
                                                        • GetProcAddress.KERNEL32(00000000,GetSystemMetrics), ref: 00422BC9
                                                        • GetProcAddress.KERNEL32(00000000,MonitorFromWindow), ref: 00422BDA
                                                        • GetProcAddress.KERNEL32(00000000,MonitorFromRect), ref: 00422BEB
                                                        • GetProcAddress.KERNEL32(00000000,MonitorFromPoint), ref: 00422BFC
                                                        • GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors), ref: 00422C0D
                                                        • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA), ref: 00422C1E
                                                        • GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesA), ref: 00422C2F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: AddressProc$HandleModule
                                                        • String ID: EnumDisplayDevicesA$EnumDisplayMonitors$GetMonitorInfoA$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
                                                        • API String ID: 667068680-68207542
                                                        • Opcode ID: 810a936632be2ce720fafd58cbae2f49093b75e770282222fd5374265a0f73c0
                                                        • Instruction ID: f307c977e25abfbff0b048e106a8ea6a6bb34d05222bffd66cc64a19540436b9
                                                        • Opcode Fuzzy Hash: 810a936632be2ce720fafd58cbae2f49093b75e770282222fd5374265a0f73c0
                                                        • Instruction Fuzzy Hash: 9D215471A21721AB87959F767EC052FBAF4F649B853A0483FE804E2661C7B88049DF5C
                                                        APIs
                                                        • GetShortPathNameA.KERNEL32(?,?,00000400), ref: 004107BD
                                                        • GetLastError.KERNEL32(00000400,?,00000000,00000000,80000002,?,80000002,?), ref: 00410858
                                                        • FormatMessageA.KERNEL32(00001300,00000000,00000000), ref: 00410866
                                                        • LocalFree.KERNEL32(?), ref: 0041088D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ErrorFormatFreeLastLocalMessageNamePathShort
                                                        • String ID: DirectX Installed$Game Registry$Installed From$Language$Registration$Restart$SOFTWARE\$SOFTWARE\Electronic Arts\%s\%s\ergc$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\$\$can't read setRestartFlag
                                                        • API String ID: 3903020775-341092691
                                                        • Opcode ID: c32baa82a7f6f98c315aa8e896e3d624dc555aa93481c151233e72766c72ea13
                                                        • Instruction ID: 5a2e11cbfe557d20dc58b77cc88c52bee8573eb501d7b283b44b6156cc505af9
                                                        • Opcode Fuzzy Hash: c32baa82a7f6f98c315aa8e896e3d624dc555aa93481c151233e72766c72ea13
                                                        • Instruction Fuzzy Hash: A69122712083429BD714DF24C811BFBB7E1FBD5704F004A2EF99597280DBB9A889C799
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: AddressDirectoryLibraryLoadProc$PathSystemTempWindows
                                                        • String ID: 1.0$DisplayName$Folder$Game Registry$Install Dir$Installed From$Language$LogFile$Product GUID$SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
                                                        • API String ID: 497994091-4186521962
                                                        • Opcode ID: fd9a83773a411c3140b2964d90fa4a7faabc9105b4b52f7f66626ce72de76bc7
                                                        • Instruction ID: 591559e4e45c4ad2df08bd76a610f775a632586859adfb02992c4f405d6477a4
                                                        • Opcode Fuzzy Hash: fd9a83773a411c3140b2964d90fa4a7faabc9105b4b52f7f66626ce72de76bc7
                                                        • Instruction Fuzzy Hash: 8FA1F27110C3819FD714DF10C451BEBB7E5AFD8308F044A6EF98957281EB78AA49CBA6
                                                        APIs
                                                        • CoInitialize.OLE32(00000000), ref: 0041BD52
                                                        • CoCreateInstance.OLE32 ref: 0041BD7A
                                                        • VariantInit.OLEAUT32(?), ref: 0041BE09
                                                        • VariantClear.OLEAUT32(?), ref: 0041BE4B
                                                        • VariantClear.OLEAUT32(?), ref: 0041BE85
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,00000008,0000000A,00000000,00000000), ref: 0041BEBD
                                                        • VariantClear.OLEAUT32(?), ref: 0041BEDB
                                                        • CoUninitialize.OLE32 ref: 0041BF1D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Variant$Clear$ByteCharCreateInitInitializeInstanceMultiUninitializeWide
                                                        • String ID: DxDiag_SystemInfo$dwDirectXVersionMajor$dwDirectXVersionMinor$o$szDirectXVersionLetter
                                                        • API String ID: 2631059323-2475506770
                                                        • Opcode ID: 45ec07c7a0de31864688631775407bbafd12fcb00f604bec3ea34e2fc70ed8bd
                                                        • Instruction ID: b5decee8adbc2d1d78082e6867677709e582f8e87df30048daafc0e7f78e0333
                                                        • Opcode Fuzzy Hash: 45ec07c7a0de31864688631775407bbafd12fcb00f604bec3ea34e2fc70ed8bd
                                                        • Instruction Fuzzy Hash: D3511674208381AFD700CF25C884A9BBBE9EFCA704F04894EF584C7261D779D985CBA6
                                                        APIs
                                                          • Part of subcall function 00414930: LoadLibraryA.KERNEL32(KERNEL32.DLL), ref: 004149A7
                                                          • Part of subcall function 00414930: GetProcAddress.KERNEL32(00000000,CopyFileExA), ref: 004149BC
                                                          • Part of subcall function 00413B40: LoadLibraryA.KERNEL32 ref: 00413B5A
                                                          • Part of subcall function 00413B40: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00413B6A
                                                          • Part of subcall function 00413B40: GetSystemDirectoryA.KERNEL32(0045DAF8,00000104), ref: 00413B95
                                                          • Part of subcall function 00413B40: GetWindowsDirectoryA.KERNEL32(0045DD08,00000104), ref: 00413BA5
                                                          • Part of subcall function 00413B40: GetTempPathA.KERNEL32(00000104,0045DE10), ref: 00413BB5
                                                        • GetFileAttributesA.KERNEL32(?,?,00000000), ref: 0040C0FD
                                                        • SetFileAttributesA.KERNEL32(?,00000000), ref: 0040C10C
                                                        • Sleep.KERNEL32(000001F4), ref: 0040C117
                                                        • Sleep.KERNEL32(000001F4), ref: 0040C12B
                                                        • GetFileAttributesA.KERNEL32(?,?,?,?,?,?,00000000), ref: 0040C30F
                                                        • SetFileAttributesA.KERNEL32(?,00000000,?,?,?,?,?,00000000), ref: 0040C321
                                                        • Sleep.KERNEL32(000001F4,?,?,?,?,?,00000000), ref: 0040C32C
                                                        • Sleep.KERNEL32(000001F4,?,?,?,?,?,?,00000000), ref: 0040C343
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: AttributesFileSleep$AddressDirectoryLibraryLoadProc$PathSystemTempWindows
                                                        • String ID: %s\AutoRun.exe$%s\AutoRunGUI.dll$-restart -dir $Could not copy '%s' to '%s'
                                                        • API String ID: 3057974866-2581532531
                                                        • Opcode ID: 810d8c2733af9ae8c6942495a1338169d26ccf934ceefe30ea92c6f98db7cb64
                                                        • Instruction ID: 5c815c8dee34c80f282a7deb6532afe064d91d0bacc265e00ff7ac027498d6f5
                                                        • Opcode Fuzzy Hash: 810d8c2733af9ae8c6942495a1338169d26ccf934ceefe30ea92c6f98db7cb64
                                                        • Instruction Fuzzy Hash: C8B199B2144340AFD315EBA0CCC5EEB73A9EFC4704F044E2EB58657191EB78A648C79A
                                                        APIs
                                                        • Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?), ref: 00414B6C
                                                        • Sleep.KERNEL32(000003E8), ref: 00414C0C
                                                        • GetFileAttributesA.KERNEL32(?), ref: 00414C16
                                                        • SetFileAttributesA.KERNEL32(?,00000000), ref: 00414C2A
                                                        • DeleteFileA.KERNEL32(?), ref: 00414C31
                                                          • Part of subcall function 004148D0: SetErrorMode.KERNEL32(00000003,dll,?,?,?,00415470,?), ref: 004148DE
                                                          • Part of subcall function 004148D0: LoadLibraryA.KERNEL32(?), ref: 004148E7
Strings
Memory Dump Source
• Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
Similarity
• API ID: File$AttributesSleep$DeleteErrorLibraryLoadMode
• String ID: "%s"$/s /UnregServer$/u /s$Remove$exe$exec: %s /s /UnregServer %s$exec: %s /u /s %s
• API String ID: 453362645-1631847219
• Opcode ID: 9dd2204e1dfed614d6ed670284b57bf4dbeac598bc99d4fe6b0502b2ea4f04cc
• Instruction ID: e8d40a75713b8bd6e37e991760e43156ccab2a69410d603d181e74f7fdc5d718
• Opcode Fuzzy Hash: 9dd2204e1dfed614d6ed670284b57bf4dbeac598bc99d4fe6b0502b2ea4f04cc
• Instruction Fuzzy Hash: 7B3126B12883447AF214EB958C42FEB33589FC5719F84495EB648660C2EA7CA10A876F
Strings
Memory Dump Source
• Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
Similarity
• API ID:
• String ID: %s\%s$%s\cache.dat$%s\filelist.txt$\$\$\
• API String ID: 0-1652018963
• Opcode ID: 15b3f6a8e9fd8ae56abf2871755b610b3e42f8bae16a0c36f07173fe0882fe20
• Instruction ID: 2d8a66965c8b461d22716a2f9fc51bb70f3807e377028b73b074f7c4a795e774
• Opcode Fuzzy Hash: 15b3f6a8e9fd8ae56abf2871755b610b3e42f8bae16a0c36f07173fe0882fe20
• Instruction Fuzzy Hash: B0C15E715083829FC321DB20D894FEBB7E9AF95308F08495EE5C987241EB38D64DCB96
APIs
• RegEnumKeyExA.ADVAPI32 ref: 004175AE
• RegCloseKey.ADVAPI32(00000000,?,00000010), ref: 004175F5
• RegOpenKeyExA.ADVAPI32 ref: 0041761F
• RegCloseKey.ADVAPI32(?,?), ref: 0041763F
• RegDeleteKeyA.ADVAPI32(?,?), ref: 00417651
• RegCloseKey.ADVAPI32(?), ref: 0041766F
• RegCloseKey.ADVAPI32(?,00000000,00020019,?,?,00000010), ref: 00417707
• RegOpenKeyExA.ADVAPI32 ref: 00417731
• RegDeleteKeyA.ADVAPI32(?,?), ref: 00417744
• RegCloseKey.ADVAPI32(?), ref: 00417755
Strings
Memory Dump Source
• Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
Similarity
• API ID: Close$DeleteOpen$Enum
• String ID: %s\%s
• API String ID: 2508677364-4073750446
• Opcode ID: 63449a6486419264ec496a908f54cdc2d242150a30ddc3303bd1de60d41a9935
• Instruction ID: 890bdd7ef58192d3601e2139cb52636c82b3411bbe28373fb4b23228c678dd54
• Opcode Fuzzy Hash: 63449a6486419264ec496a908f54cdc2d242150a30ddc3303bd1de60d41a9935
• Instruction Fuzzy Hash: 8C5191B55087419FD320DF58D884AEBB7F8FB89314F044D2EF99683241D7389A48CB66
APIs
• GetModuleHandleA.KERNEL32(kernel32.dll,76F90A60,00000000,0042575D), ref: 0042B11D
• GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 0042B135
• GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 0042B142
• GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 0042B14F
• GetProcAddress.KERNEL32(00000000,FlsFree), ref: 0042B15C
• GetCurrentThreadId.KERNEL32 ref: 0042B1DA
Strings
Memory Dump Source
• Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
Similarity
• API ID: AddressProc$CurrentHandleModuleThread
• String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$kernel32.dll
• API String ID: 46939698-282957996
• Opcode ID: fa3fe8352348c15f00598b62091e80e0ddde9f8a27996319b7a897add45f9042
• Instruction ID: 8343617a602856c7a5069f3be63dd48b7f90f14781bef638d1b05418c87fafc1
• Opcode Fuzzy Hash: fa3fe8352348c15f00598b62091e80e0ddde9f8a27996319b7a897add45f9042
• Instruction Fuzzy Hash: D321B0706513609BC7B09FB6BC0592B3BE0EB427B9761093FE800C32A0EB789805DB5D
APIs
• RemoveDirectoryA.KERNEL32 ref: 00418F96
• GetTempPathA.KERNEL32(00000104,?), ref: 0041901D
Strings
Memory Dump Source
• Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
Similarity
• API ID: DirectoryPathRemoveTemp
• String ID: %s\cache.dat$%s\filelist.txt$\$\$\
• API String ID: 1713547617-3190903220
• Opcode ID: 705b8b917ac17cc46dd50b9e20b9345441947519ad2dc100ad309afdfe8fe5d9
• Instruction ID: 9d8b5efe2bea3eca9e416bc16e4a7f17c4f3e66b95ae640699afb986d6dc11f0
• Opcode Fuzzy Hash: 705b8b917ac17cc46dd50b9e20b9345441947519ad2dc100ad309afdfe8fe5d9
• Instruction Fuzzy Hash: B8715B710083869FC331DB20D8A4BE7B7E9AFD9308F04495EE5C987241EB39964DC74A
APIs
• __EH_prolog.LIBCMT ref: 0043649A
• FindResourceA.KERNEL32(?,00000000,00000005), ref: 004364D2
• LoadResource.KERNEL32(?,00000000,?,?,?,?,?,?,?,00000064,00000000), ref: 004364DA
  • Part of subcall function 00438DD6: UnhookWindowsHookEx.USER32(?), ref: 00438DFB
• LockResource.KERNEL32(00000000,?,?,?,?,?,?,?,00000064,00000000), ref: 004364EC
• GetDesktopWindow.USER32 ref: 00436519
• IsWindowEnabled.USER32(00000000), ref: 00436527
• EnableWindow.USER32(00000000,00000000), ref: 00436536
• EnableWindow.USER32(00000000,00000001), ref: 004365C5
• GetActiveWindow.USER32 ref: 004365D0
• SetActiveWindow.USER32(00000000,?,?,?,?,?,?,?,?,00000064,00000000), ref: 004365DE
• FreeResource.KERNEL32(00000000,?,?,?,?,?,?,?,?,00000064,00000000), ref: 004365FA
Memory Dump Source
• Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
Similarity
• API ID: Window$Resource$ActiveEnable$DesktopEnabledFindFreeH_prologHookLoadLockUnhookWindows
• String ID:
• API String ID: 833315621-0
• Opcode ID: e199c737b50d517b0b306a191cb206ffac98a79345493696f53003073e33933f
• Instruction ID: f6843848d02d9acbe4f9de89053a38c821629bc9e9d675896fa0d8a5ac17685f
• Opcode Fuzzy Hash: e199c737b50d517b0b306a191cb206ffac98a79345493696f53003073e33933f
• Instruction Fuzzy Hash: C741D030900706FFCF21AFA5E84976EBBB5BF09715F11403EF501A22A1CB785A41CA5E
                                                        APIs
                                                        • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,004436E2,?,?,?,00442F66,00441F83,00442F82,0043538D), ref: 004431B7
                                                        • GlobalAlloc.KERNEL32(00000002,0047EB48,?,?,?,?,?,?,004436E2,?,?,?,00442F66,00441F83,00442F82,0043538D), ref: 00443208
                                                        • GlobalHandle.KERNEL32(?), ref: 00443211
                                                        • GlobalUnlock.KERNEL32(00000000), ref: 0044321B
                                                        • GlobalReAlloc.KERNEL32(?,0047EB48,00002002), ref: 0044322F
                                                        • GlobalHandle.KERNEL32(?), ref: 00443241
                                                        • GlobalLock.KERNEL32(00000000), ref: 00443248
                                                        • LeaveCriticalSection.KERNEL32(0047EB28,?,?,?,?,?,?,004436E2,?,?,?,00442F66,00441F83,00442F82,0043538D), ref: 00443251
                                                        • GlobalLock.KERNEL32(00000000), ref: 0044325D
                                                        • LeaveCriticalSection.KERNEL32(0047EB28), ref: 004432A5
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock
                                                        • String ID:
                                                        • API String ID: 2667261700-0
                                                        • Opcode ID: 3551d93637448cf2e120c907dbe145befb04d6cacd3523446f38783358951b8d
                                                        • Instruction ID: b0708ac090b4c07532e2f73ad039cb67d6ce4f3aec897b0794ea91f6c69e5c79
                                                        • Opcode Fuzzy Hash: 3551d93637448cf2e120c907dbe145befb04d6cacd3523446f38783358951b8d
                                                        • Instruction Fuzzy Hash: 0A31AB74600704AFEB20CF74CC48A5ABBF9FF86746B014A6EE852C3620DB75EA00CB54
                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 00437855
                                                        • GetClassInfoA.USER32(?,?,?), ref: 00437870
                                                        • RegisterClassA.USER32(?), ref: 00437883
                                                        • lstrlenA.KERNEL32(-00000034,00000001), ref: 004378BF
                                                        • lstrlenA.KERNEL32(?), ref: 004378C6
                                                        Similarity
                                                        • API ID: Classlstrlen$H_prologInfoRegister
                                                        • String ID:
                                                        • API String ID: 3690589370-0
                                                        • Opcode ID: b7666c6804b7a4e1af4ad46b385648ce39fa1e020673036b6e24608731eaa827
                                                        • Instruction ID: d06448f70216e37ad6dd6e7a27fae02cd191811b199e5e129bd5a26421677b7e
                                                        • Opcode Fuzzy Hash: b7666c6804b7a4e1af4ad46b385648ce39fa1e020673036b6e24608731eaa827
                                                        • Instruction Fuzzy Hash: 2431F7B1904109FFDF11AFA0CD05BAEBFB4FF09315F004126F845A2251C7389A11DB99
                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 0043628D
                                                        • GetSystemMetrics.USER32(0000002A), ref: 00436351
                                                        • GlobalLock.KERNEL32(00000000), ref: 004363BC
                                                        • CreateDialogIndirectParamA.USER32(?,?,?,00435D22,00000000), ref: 004363EB
                                                        Strings
                                                        Similarity
                                                        • API ID: CreateDialogGlobalH_prologIndirectLockMetricsParamSystem
                                                        • String ID: MS Shell Dlg
                                                        • API String ID: 2364537584-76309092
                                                        • Opcode ID: 99dbcdcf67a2fa19b37189b7afad9b74a6c17b04bf948d761a6e24d7af02056e
                                                        • Instruction ID: 760bf385a5f842c8bc42ff6da57cfb0a7f61815e02265039a4cce4437fa5ada3
                                                        • Opcode Fuzzy Hash: 99dbcdcf67a2fa19b37189b7afad9b74a6c17b04bf948d761a6e24d7af02056e
                                                        • Instruction Fuzzy Hash: 4951C230D00206AFCF10EFA4C8859EEBBB5EF49314F15966EF812E7291D7388944CB99
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(00000000), ref: 0040C539
                                                        • GetCurrentDirectoryA.KERNEL32(00000104,?,?,?,?,00000000,00000000), ref: 0040C595
                                                        Strings
                                                        Similarity
                                                        • API ID: CurrentDirectoryHandleModule
                                                        • String ID: %s\AutoRun$%s\DirectX$%s\Support$1.0$EA Game$Electronic Arts
                                                        • API String ID: 1119135582-703046973
                                                        • Opcode ID: 5b90b398e6f57ffb548b6c37434c464d42cee5ee5af4ff8ab7da3a7af927fe98
                                                        • Instruction ID: 2134d4b6efddb0738bd5c58a3c99903547b8c6aa91fdd798fafc08fe3100bd3d
                                                        • Opcode Fuzzy Hash: 5b90b398e6f57ffb548b6c37434c464d42cee5ee5af4ff8ab7da3a7af927fe98
                                                        • Instruction Fuzzy Hash: 0A71C675209B40DFC325DF39D8949D7BBE9AF9A304B04486EE4AE83341DB347609CB69
                                                        APIs
                                                        • Sleep.KERNEL32(00000064,?,?,?,00000000,00000001), ref: 0040A2E1
                                                        • DeleteFileA.KERNEL32(?), ref: 0040A2EF
                                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0040A2FB
                                                        • FindClose.KERNEL32(00000000), ref: 0040A30A
                                                        Strings
                                                        Similarity
                                                        • API ID: FileFind$CloseDeleteNextSleep
                                                        • String ID: %s\%s$Exit runGameSpecificExe$exec: %s with commandline '%s'$runGameSpecificExe
                                                        • API String ID: 46525011-3194912456
                                                        • Opcode ID: f88a99f2cf955ab3dfb7e5dcc2acc13efac38cdfb38a8472e61c3695a088981e
                                                        • Instruction ID: 7511dff2b348f996f6420e377bb50597cd3438be433f07267ca9a05eeeba9e8e
                                                        • Opcode Fuzzy Hash: f88a99f2cf955ab3dfb7e5dcc2acc13efac38cdfb38a8472e61c3695a088981e
                                                        • Instruction Fuzzy Hash: 6831D97114C3809BE724DF64CC55FDB73A8EFC4704F44492EB98953281DB79A609CB6A
                                                        APIs
                                                        • GetStockObject.GDI32(00000011), ref: 0043BF6C
                                                        • GetStockObject.GDI32(0000000D), ref: 0043BF74
                                                        • GetObjectA.GDI32(00000000,0000003C,?), ref: 0043BF81
                                                        • GetDC.USER32(00000000), ref: 0043BF90
                                                        • GetDeviceCaps.GDI32(00000000,0000005A), ref: 0043BFA4
                                                        • MulDiv.KERNEL32(00000000,00000048,00000000), ref: 0043BFB0
                                                        • ReleaseDC.USER32(00000000,00000000), ref: 0043BFBB
                                                        Strings
                                                        Similarity
                                                        • API ID: Object$Stock$CapsDeviceRelease
                                                        • String ID: System
                                                        • API String ID: 46613423-3470857405
                                                        • Opcode ID: 34a5214d701ba711fae31cd4acf1fda7a807ca5a63d6224fd731787f2f7bba35
                                                        • Instruction ID: 481e154c11c6ec21bb8af5e6b4aac1b2a550fc1cfe250600bab0cbb86326bdff
                                                        • Opcode Fuzzy Hash: 34a5214d701ba711fae31cd4acf1fda7a807ca5a63d6224fd731787f2f7bba35
                                                        • Instruction Fuzzy Hash: A0118271A00218EBEB10ABA0DC45B9E7B78FF4A745F11502AF705A7180D7759D41CBA9
                                                        APIs
                                                        • __allrem.LIBCMT ref: 00429332
                                                        • __allrem.LIBCMT ref: 0042934A
                                                        • __allrem.LIBCMT ref: 00429366
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004293A1
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004293BD
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004293D4
                                                          • Part of subcall function 0042DE49: __lock.LIBCMT ref: 0042DE61
                                                        Strings
                                                        Similarity
                                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@$__lock
                                                        • String ID: E
                                                        • API String ID: 4106114094-3568589458
                                                        • Opcode ID: aaac0a06de98a6c5265680b534b20e34d2e0e22544bf7e6c6545f1dd7536289e
                                                        • Instruction ID: 1f7421b91edd23947d41c505488e0d727590d15bd34b202d747290f0fbd76ec4
                                                        • Opcode Fuzzy Hash: aaac0a06de98a6c5265680b534b20e34d2e0e22544bf7e6c6545f1dd7536289e
                                                        • Instruction Fuzzy Hash: AF716F71F00229AFDF14EFA9DC81BAEB7B5BB48314F54816AE514E3281D378AE418B54
                                                        APIs
                                                        • GetLastError.KERNEL32(00000400,?,00000000,00000000,80000002,?), ref: 00410FA8
                                                        • FormatMessageA.KERNEL32(00001300,00000000,00000000), ref: 00410FB6
                                                        • LocalFree.KERNEL32(?,00000000,?,setCacheSize,00000000), ref: 00410FD4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ErrorFormatFreeLastLocalMessage
                                                        • String ID: %I64d$CacheSize$SOFTWARE\$setCacheSize
                                                        • API String ID: 1365068426-3604744950
                                                        • Opcode ID: 1ee531c31d12cf5101876a09b6169a8202d76be421a50b507f7c5515bb9b7c56
                                                        • Instruction ID: 601950fcef0dd2d4f76d757b2b0c535ca4c20b87e929a9b96b2bb7084ee85d76
                                                        • Opcode Fuzzy Hash: 1ee531c31d12cf5101876a09b6169a8202d76be421a50b507f7c5515bb9b7c56
                                                        • Instruction Fuzzy Hash: DF4127712083429BD324DF28C811BBBB7E5FBC9704F104A1EF99597280DBB5A846C79A
                                                        APIs
                                                        • GetFileVersionInfoSizeA.VERSION(?,?,?,?,76FA4B00), ref: 00417983
                                                        • GetFileVersionInfoA.VERSION(?,?,00000000,00000000,?,76FA4B00), ref: 004179C5
                                                        • VerQueryValueA.VERSION(00000000,\VarFileInfo\Translation,0047E5B0,?,?,?,00000000,00000000,?,76FA4B00), ref: 004179E2
                                                        • wsprintfA.USER32 ref: 00417A16
                                                        • VerQueryValueA.VERSION(00000000,00000000,?,?,?,?,00000000,00000000,?,76FA4B00), ref: 00417A27
                                                        Strings
                                                        • \StringFileInfo\%04x%04x\FileVersion, xrefs: 00417A10
                                                        • \VarFileInfo\Translation, xrefs: 004179DC
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: FileInfoQueryValueVersion$Sizewsprintf
                                                        • String ID: \StringFileInfo\%04x%04x\FileVersion$\VarFileInfo\Translation
                                                        • API String ID: 2824581984-2452293203
                                                        • Opcode ID: 1d9a52a8851d63ee804a5414a862a7779f5d1fc8b53472c1e3fbd0a87d9fc535
                                                        • Instruction ID: 9c2dee7650dbba52f5ac2e6fe99141784f30488717657b5f3132d8fa3abcba4e
                                                        • Opcode Fuzzy Hash: 1d9a52a8851d63ee804a5414a862a7779f5d1fc8b53472c1e3fbd0a87d9fc535
                                                        • Instruction Fuzzy Hash: 5F41E3315482419FD321DA69D841EEFB7E89FD9344F04491EF88587201EA3CDA4A8BA6
                                                        APIs
                                                          • Part of subcall function 00414930: LoadLibraryA.KERNEL32(KERNEL32.DLL), ref: 004149A7
                                                          • Part of subcall function 00414930: GetProcAddress.KERNEL32(00000000,CopyFileExA), ref: 004149BC
                                                          • Part of subcall function 00426C93: SetCurrentDirectoryA.KERNEL32(?,0044CC10,00000128,0040A5D1), ref: 00426CC2
                                                          • Part of subcall function 00426C93: GetCurrentDirectoryA.KERNEL32(00000105,?), ref: 00426CD8
                                                          • Part of subcall function 00426C93: GetCurrentDirectoryA.KERNEL32(00000001), ref: 00426D49
                                                          • Part of subcall function 00426C93: SetEnvironmentVariableA.KERNEL32(0000003D,?), ref: 00426D90
                                                          • Part of subcall function 00426C93: GetLastError.KERNEL32 ref: 00426DA0
                                                        • SystemParametersInfoA.USER32(00002000,00000000,?,00000000), ref: 0040A684
                                                        • SystemParametersInfoA.USER32(00002001,00000000,00000000,00000003), ref: 0040A691
                                                        • ShellExecuteA.SHELL32(00000000,open,00000000,00000000,00000000,0000000A), ref: 0040A6A5
                                                        • SystemParametersInfoA.USER32(00002000,00000000,?,00000003), ref: 0040A6BF
                                                        • Sleep.KERNEL32(000003E8,?,?,00000000,?,00000001,?,?,?), ref: 0040A6D5
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: CurrentDirectoryInfoParametersSystem$AddressEnvironmentErrorExecuteLastLibraryLoadProcShellSleepVariable
                                                        • String ID: %s\%s$open
                                                        • API String ID: 2525041801-538903891
                                                        • Opcode ID: 97b1c8c1cea925d2cb8383ba4e54c426de6b480b2f674ba75319d6ce7982ba23
                                                        • Instruction ID: 2af7baaca54277b22fbb167bc7bcba665f60fb619d4bc69c6d1dc5b5fddf270f
                                                        • Opcode Fuzzy Hash: 97b1c8c1cea925d2cb8383ba4e54c426de6b480b2f674ba75319d6ce7982ba23
                                                        • Instruction Fuzzy Hash: 5741C672184340ABE220DF54EC42FEBB7A8EB98B10F04092EB695571C1DB75A518C7AB
                                                        APIs
                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,00000000,00000000,00000000), ref: 0042CE0F
                                                        • GetStdHandle.KERNEL32(000000F4,0044D548,00000000,?,00000000,00000000,00000000,00000000), ref: 0042CEDC
                                                        • WriteFile.KERNEL32(00000000), ref: 0042CEE3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: File$HandleModuleNameWrite
                                                        • String ID: ...$<program name unknown>$Microsoft Visual C++ Runtime Library$Runtime Error!Program:
                                                        • API String ID: 3784150691-4022980321
                                                        • Opcode ID: 0650768163dc9c4f50a05eeedea7922e1b2777f21abb24aa52f7481acea4e2f8
                                                        • Instruction ID: c978e48409516c837b9f7d6b109fcdf73a8d35c650ed7adbf1cf9c7f4bbfdedb
                                                        • Opcode Fuzzy Hash: 0650768163dc9c4f50a05eeedea7922e1b2777f21abb24aa52f7481acea4e2f8
                                                        • Instruction Fuzzy Hash: 84311532700224ABDB20AB75BCC2EAF3769EB45314FA1082FF515E3193DE3C9955866C
                                                        APIs
                                                        • GetModuleFileNameA.KERNEL32(?,?,00000104,?,?), ref: 004439DF
                                                        • PathFindExtensionA.SHLWAPI(?), ref: 004439F9
                                                        • lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 00443A93
                                                        • lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 00443AC0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ExtensionFileFindModuleNamePathlstrcatlstrcpy
                                                        • String ID: .CHM$.HLP$.INI
                                                        • API String ID: 2140653559-4017452060
                                                        • Opcode ID: ced7ff398e87d1135350ecddd8461c4ca43fbd78145f9f545ec3a784a9eb423a
                                                        • Instruction ID: 3da9f7d339a1fb26a9a14cda2295bd93ec93db32f178aaf1e18dcb2e1e69cc93
                                                        • Opcode Fuzzy Hash: ced7ff398e87d1135350ecddd8461c4ca43fbd78145f9f545ec3a784a9eb423a
                                                        • Instruction Fuzzy Hash: 6E415D719407089FEB70EFA9D884A9A77E8BF08705F10482FF585D7241EB789640CB29
                                                        APIs
                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104,0044D0A0,00000118,004247AD,00000001,00000000,0044C958,00000008,0042CEFA,00000000,00000000,00000000), ref: 0042B393
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: FileModuleName
                                                        • String ID: ...$<program name unknown>$Buffer overrun detected!$Microsoft Visual C++ Runtime Library$Program: $Unknown security failure detected!
                                                        • API String ID: 514040917-1673886896
                                                        • Opcode ID: 7b7436470715e0ab242502db6aa4f86c5c1c566535bae1bf5ed96faf37d5266a
                                                        • Instruction ID: b314efe4c5fffc74cec8ecc2e7cadf2550e4b4112e7a556f74e2c9ec29160370
                                                        • Opcode Fuzzy Hash: 7b7436470715e0ab242502db6aa4f86c5c1c566535bae1bf5ed96faf37d5266a
                                                        • Instruction Fuzzy Hash: 2A312331B012246BE701AB61AC82F9F37699F04718FA4406FF510A7293CB3C9A254B9D
                                                        APIs
                                                        • SetCurrentDirectoryA.KERNEL32(?,0044CC10,00000128,0040A5D1), ref: 00426CC2
                                                        • GetCurrentDirectoryA.KERNEL32(00000105,?), ref: 00426CD8
                                                        • GetCurrentDirectoryA.KERNEL32(00000001), ref: 00426D49
                                                        • SetEnvironmentVariableA.KERNEL32(0000003D,?), ref: 00426D90
                                                        • GetLastError.KERNEL32 ref: 00426DA0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: CurrentDirectory$EnvironmentErrorLastVariable
                                                        • String ID: :$=
                                                        • API String ID: 373561786-2134709475
                                                        • Opcode ID: d246460a0d1c12df66941f8161f6431982f52375665ff665cc06cfe1cca94e64
                                                        • Instruction ID: 7366dd2e4e53350f74b67eef3e98498b2befc9c9fea16cefb053c97ee1566376
                                                        • Opcode Fuzzy Hash: d246460a0d1c12df66941f8161f6431982f52375665ff665cc06cfe1cca94e64
                                                        • Instruction Fuzzy Hash: C031DB71A042784BCB219F64AC456DEBBB4AF4A314F85019FE49492251CB385E91CF59
                                                        APIs
                                                        • LCMapStringW.KERNEL32(00000000,00000100,0044D18C,00000001,00000000,00000000,0044EA38,00000024,00426AC8,?,00000100,00000100,00000001,?,00000001,?), ref: 00430937
                                                        • GetLastError.KERNEL32 ref: 00430949
                                                        • LCMapStringW.KERNEL32(?,00000100,?,?,?,?,0044EA38,00000024,00426AC8,?,00000100,00000100,00000001,?,00000001,?), ref: 0043099B
                                                        • WideCharToMultiByte.KERNEL32(?,00000000,?,?,00000000,00000000,00000000,00000000,0044EA38,00000024,00426AC8,?,00000100,00000100,00000001,?), ref: 004309F6
                                                        • WideCharToMultiByte.KERNEL32(?,00000000,?,?,?,?,00000000,00000000), ref: 00430A68
                                                        • LCMapStringA.KERNEL32(?,00000100,?,?,00000000,00000000), ref: 00430A84
                                                        • LCMapStringA.KERNEL32(?,00000100,?,?,?,00000000), ref: 00430AF0
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: String$ByteCharMultiWide$ErrorLast
                                                        • String ID:
                                                        • API String ID: 1775797328-0
                                                        • Opcode ID: d41239965e63cfd970b332cf328efa988257490f0232b29b65bb4f0480a62afa
                                                        • Instruction ID: c75369914bf4c3845868e9c525b061c252f4a32f5de875d7f1cb08cbfcae34e4
                                                        • Opcode Fuzzy Hash: d41239965e63cfd970b332cf328efa988257490f0232b29b65bb4f0480a62afa
                                                        • Instruction Fuzzy Hash: 42717CB180020AAFDF119FA1DC919AFBB75FF09358F14522AFA14A22A0C3398951DF59
                                                        APIs
                                                        • GetEnvironmentStringsW.KERNEL32(76F90A60,00000000,?,?,?,?,00425792), ref: 0042D3F0
                                                        • GetLastError.KERNEL32(?,?,?,?,00425792), ref: 0042D404
                                                        • GetEnvironmentStringsW.KERNEL32(76F90A60,00000000,?,?,?,?,00425792), ref: 0042D426
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000000,00000000,00000000,76F90A60,00000000,?,?,?,?,00425792), ref: 0042D45A
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000,00000000,?,?,?,?,00425792), ref: 0042D47C
                                                        • FreeEnvironmentStringsW.KERNEL32(00000000,?,?,?,?,00425792), ref: 0042D495
                                                        • GetEnvironmentStrings.KERNEL32(76F90A60,00000000,?,?,?,?,00425792), ref: 0042D4AB
                                                        • FreeEnvironmentStringsA.KERNEL32(00000000), ref: 0042D4E7
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: EnvironmentStrings$ByteCharFreeMultiWide$ErrorLast
                                                        • String ID:
                                                        • API String ID: 883850110-0
                                                        • Opcode ID: 7c0e9ceb1b89135fe4a9d1fa8d699901a3612c02d2d8f3092bb4031cb0782976
                                                        • Instruction ID: 472f25f2f3a0fa31c34653a7449e3421f98c337e42acfa1e6a6286993b93246e
                                                        • Opcode Fuzzy Hash: 7c0e9ceb1b89135fe4a9d1fa8d699901a3612c02d2d8f3092bb4031cb0782976
                                                        • Instruction Fuzzy Hash: 7731F2B2F042746FD7207F75BC8493BB6ACEA463587A60A3FF545C3201D639AC41866E
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ___shr_12
                                                        • String ID: 1#IND$1#INF$1#QNAN$1#SNAN$?
                                                        • API String ID: 2664560246-4131533671
                                                        • Opcode ID: 4b8e6def9552c1202eea0ba84a5de56f779700fe3167f20e2eff2db3fdceabcc
                                                        • Instruction ID: 0f9e25a5ffa5b16699b39da3e8b3db3c94cd76f7283178b2ef22f30a253709ab
                                                        • Opcode Fuzzy Hash: 4b8e6def9552c1202eea0ba84a5de56f779700fe3167f20e2eff2db3fdceabcc
                                                        • Instruction Fuzzy Hash: A7816B32D0429A8EDF11CF64C8847EF7BB4AF69314F04659BD850DB282D37CA645C7A9
                                                        APIs
                                                          • Part of subcall function 0042AF1E: GetLastError.KERNEL32(?,00000000,00427906,004297FA,00000000,0044CDF0,00000008,00429851,?,?,?,00423F79,00000004,0044C938,0000000C,00423FDD), ref: 0042AF20
                                                          • Part of subcall function 0042AF1E: GetCurrentThreadId.KERNEL32 ref: 0042AF6D
                                                          • Part of subcall function 0042AF1E: SetLastError.KERNEL32(00000000,?,00423F79,00000004,0044C938,0000000C,00423FDD,000000E0,00424008,?,004369E6,?,?,?,00443BF8,0000000C), ref: 0042AF84
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00431948
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00431A45
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00431A9E
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00431ABB
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00431ADE
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$ErrorLast$CurrentThread
                                                        • String ID: mE
                                                        • API String ID: 1370660682-852767849
                                                        • Opcode ID: c2dcebb36319edd70676e459f0a5d254ae91aab08204ccce42ffd6f39de6015d
                                                        • Instruction ID: c8d6d545ca8254b81aa9c793cbca4ed0fd90ebe6b659f5e3f0dc62acac4ae604
                                                        • Opcode Fuzzy Hash: c2dcebb36319edd70676e459f0a5d254ae91aab08204ccce42ffd6f39de6015d
                                                        • Instruction Fuzzy Hash: 0B61C4B6B00315AFDB14AF99CC41BAEB2B6EF88314F64452FF50097291D7B99D008B58
                                                        APIs
                                                        • GetLogicalDrives.KERNEL32 ref: 00411E74
                                                        • GetDriveTypeA.KERNEL32(?), ref: 00411EA7
                                                        • MessageBoxA.USER32(00000000,?,00446A11,00000001), ref: 00411F83
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: DriveDrivesLogicalMessageType
                                                        • String ID: %c:\$\Disk Images\$\Disk Images\Disk%d
                                                        • API String ID: 1359937597-868800301
                                                        • Opcode ID: 20a5b543cae7431728be2df829a806b0f4fddcccfd8a459fcba469ec6eaf2425
                                                        • Instruction ID: 8afbe327e4d74a6595be96fadd5310b57a40e0fcd72e5554749058cd2a1246b8
                                                        • Opcode Fuzzy Hash: 20a5b543cae7431728be2df829a806b0f4fddcccfd8a459fcba469ec6eaf2425
                                                        • Instruction Fuzzy Hash: 7061D2712043409BD330DB94DC81FEBB7E9EBC9310F44091FFA8987241EA79A945CB6A
                                                        APIs
                                                        • GetCPInfo.KERNEL32(?,?,0044EB50,00000038,0042C533,?,00000000,?,?,00000000,00000000,0044D190,0000001C,0042CD7C,00000001,?), ref: 004325D2
                                                        • GetCPInfo.KERNEL32(?,00000001,?,?,0042C39D,?,?,00000008,?,?,00424C62,?,?,?,?,00402BBF), ref: 004325E5
                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,00000000,?,?,0042C39D,?,?,00000008,?,?,00424C62,?), ref: 0043262A
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Info$ByteCharMultiWide
                                                        • String ID:
                                                        • API String ID: 1166650589-0
                                                        • Opcode ID: be422299c7746ac2b38f3bb3e6242e5a1681e52eba28ec17eee5157774e3f445
                                                        • Instruction ID: ea13df6ffc39fcabe32b01fc689c9ae28562827eed5415b20872082be15f5b55
                                                        • Opcode Fuzzy Hash: be422299c7746ac2b38f3bb3e6242e5a1681e52eba28ec17eee5157774e3f445
                                                        • Instruction Fuzzy Hash: E6519C70901218FBCF218F65ED858AFBBB8FF89750F20512AF814A2250D7755D41CB68
                                                        APIs
                                                        • GetParent.USER32(?), ref: 00438800
                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 00438827
                                                        • UpdateWindow.USER32(?), ref: 00438841
                                                        • SendMessageA.USER32(?,00000121,00000000,?), ref: 00438865
                                                        • SendMessageA.USER32(?,0000036A,00000000,00000004), ref: 0043887F
                                                        • UpdateWindow.USER32(?), ref: 004388C5
                                                        • PeekMessageA.USER32(?,00000000,00000000,00000000,00000000), ref: 004388F9
                                                          • Part of subcall function 00437534: GetWindowLongA.USER32(?,000000F0), ref: 0043753F
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Message$Window$PeekSendUpdate$LongParent
                                                        • String ID:
                                                        • API String ID: 2853195852-0
                                                        • Opcode ID: b13282f9b8ac6db00a8496b55bdebc49f6485c126065f6b24774a09cd2d7802b
                                                        • Instruction ID: 084587f8be8d29286b758f10d7e9662302e5aba9923b57fea7a2f2edceff8d6b
                                                        • Opcode Fuzzy Hash: b13282f9b8ac6db00a8496b55bdebc49f6485c126065f6b24774a09cd2d7802b
                                                        • Instruction Fuzzy Hash: 3E410330208741AFDB25AF26DC44A2BFAF0FFC9B44F50192EF581911A1CB3AC905CA5A
                                                        APIs
                                                        • EnterCriticalSection.KERNEL32(?,00000000,?,?,?,?,0044370A,?,00000000,?,?,?,?,00442F66,00441F83,00442F82), ref: 004434A2
                                                        • TlsGetValue.KERNEL32(?,?,?,?,?,0044370A,?,00000000,?,?,?,?,00442F66,00441F83,00442F82,0043538D), ref: 004434C0
                                                        • LocalAlloc.KERNEL32(00000000,?,00000010,?,?,?,?,0044370A,?,00000000,?,?,?,?,00442F66,00441F83), ref: 0044351C
                                                        • LocalReAlloc.KERNEL32(?,?,00000002,00000010,?,?,?,?,0044370A,?,00000000,?,?,?,?,00442F66), ref: 0044352E
                                                        • LeaveCriticalSection.KERNEL32(0047EB28,?,?,?,?,0044370A,?,00000000,?,?,?,?,00442F66,00441F83,00442F82,0043538D), ref: 0044353B
                                                        • TlsSetValue.KERNEL32(?,00000000), ref: 0044356B
                                                        • LeaveCriticalSection.KERNEL32(?,?,?,?,?,0044370A,?,00000000,?,?,?,?,00442F66,00441F83,00442F82,0043538D), ref: 0044358C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection$AllocLeaveLocalValue$Enter
                                                        • String ID:
                                                        • API String ID: 784703316-0
                                                        • Opcode ID: eec5c9af0761aab35826935f94150f19e31b1a8781ee2cce32ef685509deae95
                                                        • Instruction ID: c920ea616b6941ccf4a41ae28c234557be8e43c86538256f6915913f71204ac3
                                                        • Opcode Fuzzy Hash: eec5c9af0761aab35826935f94150f19e31b1a8781ee2cce32ef685509deae95
                                                        • Instruction Fuzzy Hash: 2F31ABB1500615BFEB24EF55D885C6ABBA8FB057117108A2EE81683610CB34FE50CB99
                                                        APIs
                                                        • SystemParametersInfoA.USER32(00000030,00000000,?,00000000), ref: 00422D73
                                                        • GetSystemMetrics.USER32(00000000), ref: 00422D8B
                                                        • GetSystemMetrics.USER32(00000001), ref: 00422D92
                                                        • lstrcpynA.KERNEL32(?,DISPLAY,00000020), ref: 00422DB8
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: System$Metrics$InfoParameterslstrcpyn
                                                        • String ID: B$DISPLAY
                                                        • API String ID: 2307409384-3316187204
                                                        • Opcode ID: 9cba5b6c645de5270ad7bb0fc0d991fcef33e3317d4237bbf04082c5b1e7876e
                                                        • Instruction ID: 3a1a5f33e973a52794829ba86540b2c4864c641d0816d9ff10fb2a82ff3ca36e
                                                        • Opcode Fuzzy Hash: 9cba5b6c645de5270ad7bb0fc0d991fcef33e3317d4237bbf04082c5b1e7876e
                                                        • Instruction Fuzzy Hash: 6111A371710334BBCF119F64AD8475BBBA9FF06B50B808466FD05AA145C2F4D801CBA9
                                                        APIs
                                                          • Part of subcall function 00413B40: LoadLibraryA.KERNEL32 ref: 00413B5A
                                                          • Part of subcall function 00413B40: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00413B6A
                                                          • Part of subcall function 00413B40: GetSystemDirectoryA.KERNEL32(0045DAF8,00000104), ref: 00413B95
                                                          • Part of subcall function 00413B40: GetWindowsDirectoryA.KERNEL32(0045DD08,00000104), ref: 00413BA5
                                                          • Part of subcall function 00413B40: GetTempPathA.KERNEL32(00000104,0045DE10), ref: 00413BB5
                                                        • LoadLibraryA.KERNEL32(KERNEL32.DLL), ref: 004149A7
                                                        • GetProcAddress.KERNEL32(00000000,CopyFileExA), ref: 004149BC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: AddressDirectoryLibraryLoadProc$PathSystemTempWindows
                                                        • String ID: %s\%s$CopyFileExA$KERNEL32.DLL$regsvr32.exe
                                                        • API String ID: 497994091-3394410207
                                                        • Opcode ID: f16401c018e7ab3dd646ff1cf7d5aa2520a8f58c01eea981e63cfe2fbc3b7bc5
                                                        • Instruction ID: dbb7616a5e8e18c7340fb9c6e1b10d6890d2dd053081ddfc01aae21a589600a4
                                                        • Opcode Fuzzy Hash: f16401c018e7ab3dd646ff1cf7d5aa2520a8f58c01eea981e63cfe2fbc3b7bc5
                                                        • Instruction Fuzzy Hash: 6B112570108340AFD318DF54DC06BDA7BA4E745B15F400A2EB595932D2EB7C5144CB5A
                                                        APIs
                                                        • SetErrorMode.KERNEL32(00000000,00000000,0043D1B4,?,?,?,?,76F90A60,00000000,?,00425801,00000000), ref: 00443AF5
                                                        • SetErrorMode.KERNEL32(00000000,?,00425801,00000000), ref: 00443AFD
                                                        • GetModuleHandleA.KERNEL32(user32.dll,00425801,00000000), ref: 00443B48
                                                        • GetProcAddress.KERNEL32(00000000,NotifyWinEvent), ref: 00443B58
                                                          • Part of subcall function 0044399E: GetModuleFileNameA.KERNEL32(?,?,00000104,?,?), ref: 004439DF
                                                          • Part of subcall function 0044399E: PathFindExtensionA.SHLWAPI(?), ref: 004439F9
                                                          • Part of subcall function 0044399E: lstrcpyA.KERNEL32(?,.HLP,?,?,00000104), ref: 00443A93
                                                          • Part of subcall function 0044399E: lstrcatA.KERNEL32(?,.INI,?,?,00000104), ref: 00443AC0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ErrorModeModule$AddressExtensionFileFindHandleNamePathProclstrcatlstrcpy
                                                        • String ID: NotifyWinEvent$user32.dll
                                                        • API String ID: 4004864024-597752486
                                                        • Opcode ID: eced104bb2dd26ae009b150a134447d401b323aa7f3da8792df851434d666933
                                                        • Instruction ID: dbd96a4b6eaa2b3b5d1619ca9b628c41ce02e38444e38533f865fee5f1778688
                                                        • Opcode Fuzzy Hash: eced104bb2dd26ae009b150a134447d401b323aa7f3da8792df851434d666933
                                                        • Instruction Fuzzy Hash: BE018B74A003515FE710AF25D849B0E3BE8AF44B05F0684AFF448C7262DB78D945CB6E
                                                        APIs
                                                          • Part of subcall function 004318D6: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00431948
                                                        • __allrem.LIBCMT ref: 004295EA
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042960B
                                                        • __allrem.LIBCMT ref: 00429627
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0042964A
                                                        • __allrem.LIBCMT ref: 00429666
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00429689
                                                          • Part of subcall function 0042DE95: __lock.LIBCMT ref: 0042DEA3
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$__allrem$__lock
                                                        • String ID:
                                                        • API String ID: 1282128132-0
                                                        • Opcode ID: 2b8efb0c4cd6615b4bf4a7a735cd704fbe2f32d7777add60ba098c4bbfda7f1b
                                                        • Instruction ID: 20045b1a01943ce18175a09da68eb3b3dac957ec16cd292ee12873f349e9aca1
                                                        • Opcode Fuzzy Hash: 2b8efb0c4cd6615b4bf4a7a735cd704fbe2f32d7777add60ba098c4bbfda7f1b
                                                        • Instruction Fuzzy Hash: B861E171B00215AFDB28CF69E88096EBBF5FB44314F64812FE055D3291E738AE85CB18
                                                        APIs
                                                        • CreateProcessA.KERNEL32(?,?,00000000,00000000,00000001,?,?,00000000,?,?), ref: 00433834
                                                        • GetLastError.KERNEL32 ref: 0043383C
                                                        • WaitForSingleObject.KERNEL32(?,000000FF), ref: 00433879
                                                        • GetExitCodeProcess.KERNEL32(?,?), ref: 00433886
                                                        • CloseHandle.KERNEL32(?), ref: 00433892
                                                        • CloseHandle.KERNEL32(?), ref: 004338A2
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: CloseHandleProcess$CodeCreateErrorExitLastObjectSingleWait
                                                        • String ID:
                                                        • API String ID: 157478886-0
                                                        • Opcode ID: 24b2e2530142fa078def532d3388a3737f863197cc93b10aa4f15231f55f922a
                                                        • Instruction ID: de670dc6545d7478e9454ac259045b29039e942f48e8413195660145d0f99594
                                                        • Opcode Fuzzy Hash: 24b2e2530142fa078def532d3388a3737f863197cc93b10aa4f15231f55f922a
                                                        • Instruction Fuzzy Hash: 075126B1904208AFDF22DFA8D8808EDBBB5FF0A315F10916BF411AB261D7359E41CB55
                                                        APIs
                                                        • GetStringTypeW.KERNEL32(00000001,0044D18C,00000001,?,0044EB90,00000024,00430BA7,00000001,00000100,00000001,?,?,?,?,?,00426A9F), ref: 004334D0
                                                        • GetLastError.KERNEL32(?,?,00426A9F,?,00000100,00000001), ref: 004334E2
                                                        • GetStringTypeW.KERNEL32(?,00000100,?,?,0044EB90,00000024,00430BA7,00000001,00000100,00000001,?,?,?,?,?,00426A9F), ref: 0043350C
                                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000100,?,00000000,00000000,00000000,00000000,0044EB90,00000024,00430BA7,00000001,00000100,00000001,?,?), ref: 00433564
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000100,00000000,?,00000000,00000000,00000000), ref: 004335E7
                                                        • GetStringTypeA.KERNEL32(?,?,?,00000000,?), ref: 00433679
                                                          • Part of subcall function 00427CAC: __lock.LIBCMT ref: 00427CF0
                                                          • Part of subcall function 00427CAC: HeapAlloc.KERNEL32(00000008,?,0044CCF0,00000010,0042AF46,00000001,0000008C,?,00423F79,00000004,0044C938,0000000C,00423FDD,000000E0,00424008,?), ref: 00427D2E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: StringType$ByteCharMultiWide$AllocErrorHeapLast__lock
                                                        • String ID:
                                                        • API String ID: 892864237-0
                                                        • Opcode ID: 41b094fe7ede587f8373936e6811044ce6034eab3902943bc4cb143160f58925
                                                        • Instruction ID: cbc897700df3d1e1983acaea7c157d6e20f4ecd83cab76d3576f3f0168d9f9c2
                                                        • Opcode Fuzzy Hash: 41b094fe7ede587f8373936e6811044ce6034eab3902943bc4cb143160f58925
                                                        • Instruction Fuzzy Hash: 26515E71901219EFCF219FA5EC468AF7BB4FF09765F20552BF810A2260D3389A51CF99
                                                        APIs
                                                        • GetStringTypeW.KERNEL32(00000001,0044D18C,00000001,?,0044D190,0000001C,0042CD7C,00000001,?,00000001,?,?,?,00000001), ref: 0042C3D4
                                                        • GetLastError.KERNEL32(?,?,0042C39D,?,?,00000008,?,?,00424C62,?,?,?,?,00402BBF), ref: 0042C3E6
                                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0044D190,0000001C,0042CD7C,00000001,?,00000001,?,?,?,00000001), ref: 0042C448
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,?,00000000,?,00000000), ref: 0042C4C6
                                                        • GetStringTypeW.KERNEL32(?,?,00000000,?,?,00000000), ref: 0042C4D8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiStringTypeWide$ErrorLast
                                                        • String ID:
                                                        • API String ID: 3581945363-0
                                                        • Opcode ID: 690c7f7e2a6415bf22f53cae1791a707fe08a0ab16c1c026983f3b201c6f3da1
                                                        • Instruction ID: 88f62cd8e99c40129225232f1d9a33b4d453174d8dbd23392fe9350ab2a232bf
                                                        • Opcode Fuzzy Hash: 690c7f7e2a6415bf22f53cae1791a707fe08a0ab16c1c026983f3b201c6f3da1
                                                        • Instruction Fuzzy Hash: 48410471A00234ABCB229F50EC85AEF3B74FF49B54F60451AF800A7250D738DD91CB98
                                                        APIs
                                                        • GetWindowLongA.USER32(?,000000F0), ref: 0043EA91
                                                        • GetParent.USER32(?), ref: 0043EA9F
                                                        • GetParent.USER32(?), ref: 0043EAB2
                                                        • GetLastActivePopup.USER32(?), ref: 0043EAC1
                                                        • IsWindowEnabled.USER32(?), ref: 0043EAD6
                                                        • EnableWindow.USER32(?,00000000), ref: 0043EAE9
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
                                                        • String ID:
                                                        • API String ID: 670545878-0
                                                        • Opcode ID: da300db30e8049e3ec1625432519c923677dbe9daae775b9aee8c1666cefe3f9
                                                        • Instruction ID: b535a82bad788ac16eb99c34fc1ef6d385c7c7cd006b6a644f81288a5402ee46
                                                        • Opcode Fuzzy Hash: da300db30e8049e3ec1625432519c923677dbe9daae775b9aee8c1666cefe3f9
                                                        • Instruction Fuzzy Hash: 451191326073316796317BAB9C4472BA6987F6EB61F161126EC04E3384DB68CC02469E
                                                        APIs
                                                        • CreateFileA.KERNEL32(?,C0000000,00000000,00000000,00000003,00000000,00000000), ref: 0041AF78
                                                        • GetFileTime.KERNEL32(00000000,?,?,?), ref: 0041AF90
                                                        • DosDateTimeToFileTime.KERNEL32(?,?,?), ref: 0041AFA4
                                                        • LocalFileTimeToFileTime.KERNEL32(?,?), ref: 0041AFB4
                                                        • SetFileTime.KERNEL32(00000000,?,?,?), ref: 0041AFC8
                                                        • CloseHandle.KERNEL32(00000000), ref: 0041AFCF
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: FileTime$CloseCreateDateHandleLocal
                                                        • String ID:
                                                        • API String ID: 3223929235-0
                                                        APIs
                                                        • SetCurrentDirectoryA.KERNEL32(?,?,?), ref: 00419247
                                                        • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00419257
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: CurrentDirectory
                                                        • String ID: %s\Support\$%s\filelist.txt$Cleanup
                                                        • API String ID: 1611563598-1950755567
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: Info
                                                        • String ID: ` H$` H$p!H$p!H
                                                        • API String ID: 1807457897-1693277582
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: GlobalLocklstrlen
                                                        • String ID: System
                                                        • API String ID: 1144527523-3470857405
                                                        APIs
                                                          • Part of subcall function 0042407C: VirtualQuery.KERNEL32(?,?,0000001C), ref: 00424096
                                                          • Part of subcall function 0042407C: GetSystemInfo.KERNEL32(?,?,?,0000001C), ref: 004240A7
                                                          • Part of subcall function 0042407C: VirtualQuery.KERNEL32(?,?,0000001C,?,?,0000001C), ref: 004240ED
                                                        • GetCurrentDirectoryA.KERNEL32(00000001), ref: 00426D49
                                                        • SetEnvironmentVariableA.KERNEL32(0000003D,?), ref: 00426D90
                                                        • GetLastError.KERNEL32 ref: 00426DA0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: QueryVirtual$CurrentDirectoryEnvironmentErrorInfoLastSystemVariable
                                                        • String ID: :$=
                                                        • API String ID: 209584734-2134709475
                                                        APIs
                                                        • GetCurrentDirectoryA.KERNEL32(00000104,?), ref: 00416C83
                                                        • SetCurrentDirectoryA.KERNEL32(?), ref: 00416C93
                                                        • SetCurrentDirectoryA.KERNEL32(?), ref: 00416CF4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: CurrentDirectory
                                                        • String ID: DEBUG$DirectX Reports Reboot Required
                                                        • API String ID: 1611563598-3080797097
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(mscoree.dll), ref: 004248CA
                                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 004248DA
                                                        • ExitProcess.KERNEL32 ref: 004248EE
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: AddressExitHandleModuleProcProcess
                                                        • String ID: CorExitProcess$mscoree.dll
                                                        • API String ID: 75539706-1276376045
                                                        APIs
                                                        • VirtualQuery.KERNEL32(?,?,0000001C,?,?,?,?,?,00424291,?), ref: 0042A4C5
                                                        • InterlockedExchange.KERNEL32(00480B80,00000001), ref: 0042A543
                                                        • InterlockedExchange.KERNEL32(00480B80,00000000), ref: 0042A5A8
                                                        • InterlockedExchange.KERNEL32(00480B80,00000001), ref: 0042A5CC
                                                        • InterlockedExchange.KERNEL32(00480B80,00000000), ref: 0042A62C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Similarity
                                                        • API ID: ExchangeInterlocked$QueryVirtual
                                                        • String ID:
                                                        • API String ID: 2947987494-0
                                                        • Opcode ID: 0297ce39435e4b8cf295999e0ec9787d67faa8cead9ee7d4ded0a95dc7049a43
                                                        • Instruction ID: dd5010c10e1d9b9ba543a85cf015812fd413b34cf2729769e49068ff06a4fc39
                                                        • Opcode Fuzzy Hash: 0297ce39435e4b8cf295999e0ec9787d67faa8cead9ee7d4ded0a95dc7049a43
                                                        • Instruction Fuzzy Hash: FE5107307106219FCB248B58E98472B73A0EB91758FA9856BDC4187291D378EC96874F
                                                        APIs
                                                        • GetStartupInfoA.KERNEL32(?), ref: 0042D553
                                                        • GetFileType.KERNEL32(?), ref: 0042D5FD
                                                        • GetStdHandle.KERNEL32(-000000F6), ref: 0042D67E
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: FileHandleInfoStartupType
                                                        • String ID:
                                                        • API String ID: 2461013171-0
                                                        • Opcode ID: 0b4af883c50a95dcf51d24fd18dda45df69003270a224a9e762e8201fdac76db
                                                        • Instruction ID: 44458137fe5f849726c5f7ea3ed5670e5a8521186f189f810873b1cd4ff4ad7e
                                                        • Opcode Fuzzy Hash: 0b4af883c50a95dcf51d24fd18dda45df69003270a224a9e762e8201fdac76db
                                                        • Instruction Fuzzy Hash: BA51C571A043118FD720CF28E84476B77E4FB16328F558A2ED5AAC72E1DB78D849C719
                                                        APIs
                                                        • WideCharToMultiByte.KERNEL32(?,00000000,?,00000001,?,00000000,?), ref: 0042F0C8
                                                        • WideCharToMultiByte.KERNEL32(?,00000000,?,000000FF,00000000,00000000,00000000,?,00000000), ref: 0042F129
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide
                                                        • String ID:
                                                        • API String ID: 626452242-0
                                                        • Opcode ID: 1b18a38131ce7fce63ae30e6e84db181954860e2b4c12b5ea27fecefa44c3926
                                                        • Instruction ID: 9f89b8dcf7f770c9608733cc378f38016b5008aa602b2969820ed4e513d82528
                                                        • Opcode Fuzzy Hash: 1b18a38131ce7fce63ae30e6e84db181954860e2b4c12b5ea27fecefa44c3926
                                                        • Instruction Fuzzy Hash: 9E51BE71A0016AAF8F20DF64EC808BFB7B9FB45304BD5853FEA1183252D7359D498B59
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 118dc5757c2c4c7984d9873d44fd404751a60e15956d8b869370170dd54cf642
                                                        • Instruction ID: caa39dc95d6f33b0c3bcdbfead75a80356606b39845c86f44a5aa7fea5f7728a
                                                        • Opcode Fuzzy Hash: 118dc5757c2c4c7984d9873d44fd404751a60e15956d8b869370170dd54cf642
                                                        • Instruction Fuzzy Hash: FB41E3B1E021769B8F20BF65BC844AF7A74EA02728790412FF914A6251EB3C4D40CB9D
                                                        APIs
                                                        • SetLastError.KERNEL32 ref: 00415021
                                                          • Part of subcall function 00414F30: FindFirstFileA.KERNEL32(?,?,?,?), ref: 00414F47
                                                          • Part of subcall function 00414F30: FindClose.KERNEL32(00000000), ref: 00414F81
                                                        • SetLastError.KERNEL32(00000002,?,?,?,00000001), ref: 0041504B
                                                        • SetLastError.KERNEL32(00000005), ref: 0041508C
                                                        • Sleep.KERNEL32(00000001), ref: 00415124
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$Find$CloseFileFirstSleep
                                                        • String ID:
                                                        • API String ID: 1934500226-0
                                                        • Opcode ID: e6b62eaeb095e084dcdde112aad474c2f1df312f47c2989c3ca51f5dca466904
                                                        • Instruction ID: 2fca2705454d7dd58154ba04993cc9775b04a32fe64a4f43b8d4991ee8eab8d9
                                                        • Opcode Fuzzy Hash: e6b62eaeb095e084dcdde112aad474c2f1df312f47c2989c3ca51f5dca466904
                                                        • Instruction Fuzzy Hash: EA41E771604304BFD314AF959C45BABB7D8EBC9709F00052EFE4992281E7F999448AAB
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(?,00000009,V^B,000000FF,00000000,00000000,00000000,00000000,?,?,?,0042EF91,?,00000000,00000000,00000000), ref: 0042EED4
                                                        • GetLastError.KERNEL32(?,?,?,0042EF91,?,00000000,00000000,00000000,00425E56,00000000,00000000,00000000), ref: 0042EEDE
                                                        • MultiByteToWideChar.KERNEL32(?,00000001,V^B,V^B,00000000,00000000,?,?,?,0042EF91,?,00000000,00000000,00000000,00425E56,00000000), ref: 0042EF33
                                                        • MultiByteToWideChar.KERNEL32(?,00000009,V^B,000000FF,00000000,00000000,00000000,00000000,?,?,?,0042EF91,?,00000000,00000000,00000000), ref: 0042EF5A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide$ErrorLast
                                                        • String ID: V^B
                                                        • API String ID: 1717984340-731569014
                                                        • Opcode ID: 8cb481713cc4cd55ac97c91bae78a6b5e8eb1afb9d0bac2b8ca7cde3352df9ed
                                                        • Instruction ID: 43b45739b5ed72f5805475e1443a07ab786b8dc6a3ef61d40b9e5f9b077d0ce1
                                                        • Opcode Fuzzy Hash: 8cb481713cc4cd55ac97c91bae78a6b5e8eb1afb9d0bac2b8ca7cde3352df9ed
                                                        • Instruction Fuzzy Hash: F8313830300239FFCB118F26EE80A6B7BA5FF06760FA64556F520962A0C3368C50C7A9
                                                        APIs
                                                        • __lock.LIBCMT ref: 0042688E
                                                          • Part of subcall function 00429838: EnterCriticalSection.KERNEL32(?,?,?,00423F79,00000004,0044C938,0000000C,00423FDD,000000E0,00424008,?,004369E6,?,?,?,00443BF8), ref: 00429860
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: CriticalEnterSection__lock
                                                        • String ID: @bE$@bE$LmE
                                                        • API String ID: 238394327-2432022147
                                                        • Opcode ID: a7362febf858d49887ac4fd0a0a794e3c4a9f89c7bf4e2645289f9b2683df8dd
                                                        • Instruction ID: e40cd25d26dbb6555db724202a02cf2ae53cf0c6892a069b9dabf880c229dd93
                                                        • Opcode Fuzzy Hash: a7362febf858d49887ac4fd0a0a794e3c4a9f89c7bf4e2645289f9b2683df8dd
                                                        • Instruction Fuzzy Hash: A541FBB1B117218FC7A0DF69E88065EB7F0BB08314792492FE959D7751DB78A881CF09
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,?,00000104,English US,0040D888,?,?,?,English US,?,?), ref: 0040F763
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,?,000000FF,?,00000104,00000000,00000000), ref: 0040F818
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ByteCharMultiWide
                                                        • String ID: $English US
                                                        • API String ID: 626452242-1297288445
                                                        APIs
                                                          • Part of subcall function 00413B40: LoadLibraryA.KERNEL32 ref: 00413B5A
                                                          • Part of subcall function 00413B40: GetProcAddress.KERNEL32(00000000,SHGetSpecialFolderPathA), ref: 00413B6A
                                                          • Part of subcall function 00413B40: GetSystemDirectoryA.KERNEL32(0045DAF8,00000104), ref: 00413B95
                                                          • Part of subcall function 00413B40: GetWindowsDirectoryA.KERNEL32(0045DD08,00000104), ref: 00413BA5
                                                          • Part of subcall function 00413B40: GetTempPathA.KERNEL32(00000104,0045DE10), ref: 00413BB5
                                                        • RegOpenKeyExA.ADVAPI32 ref: 0041653A
                                                        • RegQueryValueExA.ADVAPI32(?,Version,00000000,00000000,?,00000100), ref: 00416562
                                                        Strings
                                                        • SOFTWARE\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11cf-96B8-444553540000}, xrefs: 00416525
                                                        • Version, xrefs: 00416554
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Directory$AddressLibraryLoadOpenPathProcQuerySystemTempValueWindows
                                                        • String ID: SOFTWARE\Microsoft\Active Setup\Installed Components\{D27CDB6E-AE6D-11cf-96B8-444553540000}$Version
                                                        • API String ID: 3927907489-1332029265
                                                        APIs
                                                        • FindNextFileA.KERNEL32(00000000,?,?,?,?,?), ref: 00414EF1
                                                        • FindClose.KERNEL32(00000000,?,?,?,?), ref: 00414F00
                                                        • RemoveDirectoryA.KERNEL32(0000005C,?,?,?,?), ref: 00414F0E
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Find$CloseDirectoryFileNextRemove
                                                        • String ID: \*.*
                                                        • API String ID: 2004183241-1173974218
                                                        APIs
                                                        • GetLastError.KERNEL32 ref: 00416B9A
                                                        • FormatMessageA.KERNEL32(00001300,00000000,00000000,00000400,?,00000000,00000000), ref: 00416BB6
                                                        • MessageBoxA.USER32(00000000,?,DirectX Error,00000000), ref: 00416BCC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Message$ErrorFormatLast
                                                        • String ID: DirectX Error
                                                        • API String ID: 3971115935-1449601957
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(KERNEL32,00424B26), ref: 0042C2D9
                                                        • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0042C2E9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: AddressHandleModuleProc
                                                        • String ID: IsProcessorFeaturePresent$KERNEL32
                                                        • API String ID: 1646373207-3105848591
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(kernel32.dll,0044EAE0,00000010,004297E9,00000000,00000FA0,0044CDF0,00000008,00429851,?,?,?,00423F79,00000004,0044C938,0000000C), ref: 00431821
                                                        • GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionAndSpinCount), ref: 00431831
                                                        Strings
                                                        • InitializeCriticalSectionAndSpinCount, xrefs: 0043182B
                                                        • kernel32.dll, xrefs: 0043181C
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: AddressHandleModuleProc
                                                        • String ID: InitializeCriticalSectionAndSpinCount$kernel32.dll
                                                        • API String ID: 1646373207-3733552308
                                                        APIs
                                                          • Part of subcall function 00408060: VirtualProtect.KERNELBASE(?,?,00000040,?,?,004080DE,?,00000001,00000000,00000001,00000000,?,?), ref: 00408197
                                                          • Part of subcall function 0042400B: __lock.LIBCMT ref: 00424029
                                                          • Part of subcall function 0042400B: HeapFree.KERNEL32(00000000,?,0044C948,0000000C,0042981C,00000000,0044CDF0,00000008,00429851,?,?,?,00423F79,00000004,0044C938,0000000C), ref: 00424070
                                                        • Sleep.KERNEL32(00000001), ref: 004016EA
                                                        • Sleep.KERNEL32(00000001), ref: 004017C4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Sleep$FreeHeapProtectVirtual__lock
                                                        • String ID: DXInstalled = %d$InstallDirectXIfRequired
                                                        • API String ID: 715370876-4124889539
                                                        • Opcode ID: bdc4443d0d3ec1e238e24dd1fd3f35842bfbf80ed1653aedad27dd03790dd8a6
                                                        • Instruction ID: 364755a666ca341e749ee64d0003a40c6949535c43a42a4e9d33c4ab1bb0a936
                                                        • Opcode Fuzzy Hash: bdc4443d0d3ec1e238e24dd1fd3f35842bfbf80ed1653aedad27dd03790dd8a6
                                                        • Instruction Fuzzy Hash: E851C4716487006BD300EB94FC42FAB3BA9AB85706F04847EFD44A72D3DA79D5048B6E
                                                        APIs
                                                        • WriteFile.KERNEL32(?,?,?,?,00000000,?,?,00000001), ref: 0042C8FC
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: FileWrite
                                                        • String ID:
                                                        • API String ID: 3934441357-0
                                                        • Opcode ID: 72ef37e3f52f69ed0ec66c4e8790f2510e5f96e623d6d1493fedeb9f51a5ca00
                                                        • Instruction ID: 8280d1e270eca7936ff5276bf182434933e20333d3727ff594148b0d188492fc
                                                        • Opcode Fuzzy Hash: 72ef37e3f52f69ed0ec66c4e8790f2510e5f96e623d6d1493fedeb9f51a5ca00
                                                        • Instruction Fuzzy Hash: 48517FB1A04268DFDB22DFA9EC80BEDBBB8FF46304F50411AE8559B252DB345A41CF15
                                                        APIs
                                                        • __lock.LIBCMT ref: 00428705
                                                          • Part of subcall function 00429838: EnterCriticalSection.KERNEL32(?,?,?,00423F79,00000004,0044C938,0000000C,00423FDD,000000E0,00424008,?,004369E6,?,?,?,00443BF8), ref: 00429860
                                                        • __lock.LIBCMT ref: 00428751
                                                        • EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,0044CD58,00000014), ref: 0042879B
                                                        • LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,0044CD58,00000014), ref: 004287A8
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection$Enter__lock$Leave
                                                        • String ID:
                                                        • API String ID: 885841014-0
                                                        • Opcode ID: a01da40aeaf7a3bb659276398149747342c523524fdf739e22d43d76ee2309d8
                                                        • Instruction ID: b3503f7208acb3f95ac1f212b98e40c77cfa49c85add1a9a95d8a4e58ead19da
                                                        • Opcode Fuzzy Hash: a01da40aeaf7a3bb659276398149747342c523524fdf739e22d43d76ee2309d8
                                                        • Instruction Fuzzy Hash: 98411771A023228AD710AF65EC4576E7BA0AF41324FA4862FD121962D1DF7C9541CB1C
                                                        APIs
                                                        • RegOpenKeyExA.ADVAPI32(80000002,?,00000000,000F003F,?,?,?), ref: 00417386
                                                        • RegEnumKeyExA.ADVAPI32 ref: 004173B1
                                                        • RegDeleteKeyA.ADVAPI32(80000002,?), ref: 004173C1
                                                        • RegCloseKey.ADVAPI32(00000000), ref: 004173CE
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: CloseDeleteEnumOpen
                                                        • String ID:
                                                        • API String ID: 4142876296-0
                                                        • Opcode ID: e88a5e974ed7bd7e7be99ffb565bc9357ecc90e66e98b9816a88c69fb15ff6d6
                                                        • Instruction ID: 816ecf25c106d77b39d132cd8e82fa92df93f4f8198aa37a08063b162ff1abf5
                                                        • Opcode Fuzzy Hash: e88a5e974ed7bd7e7be99ffb565bc9357ecc90e66e98b9816a88c69fb15ff6d6
                                                        • Instruction Fuzzy Hash: EA016DB6204201AFE320CB54DC49FEBB7ACEB89B04F00852DBA95D2151D6749804CBA6
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ___addl
                                                        • String ID:
                                                        • API String ID: 2260456530-0
                                                        • Opcode ID: a6d3fea94caffdbfbeec600a8d228e4f9831f0a4e76ee5ff08ec74ce47c2ef23
                                                        • Instruction ID: 9a3622a891a97d8ac40710fbd079e3f9d72052691bd83aec0a43e73614e04fb6
                                                        • Opcode Fuzzy Hash: a6d3fea94caffdbfbeec600a8d228e4f9831f0a4e76ee5ff08ec74ce47c2ef23
                                                        • Instruction Fuzzy Hash: CAF0F032400606BFCB225F02DC01EA3B7EDFF19301F04142AFD698A131E722EA69CB51
                                                        APIs
                                                        • GetUserDefaultLangID.KERNEL32 ref: 0040F3C8
                                                        Strings
                                                        • Corrupted AutoRun.CFG File, xrefs: 0040F3B0
                                                        • No Languages Selected!, xrefs: 0040F3B5
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: DefaultLangUser
                                                        • String ID: Corrupted AutoRun.CFG File$No Languages Selected!
                                                        • API String ID: 768647712-574851024
                                                        • Opcode ID: b48b37e0b07fbce12f1c0a3e534b8fc3136cb4958c1649e12970e9021f99694f
                                                        • Instruction ID: 23ffeb2b8fd0b84d770583d34ecafe914bb1a535fe8fd0ce1a921318584533b3
                                                        • Opcode Fuzzy Hash: b48b37e0b07fbce12f1c0a3e534b8fc3136cb4958c1649e12970e9021f99694f
                                                        • Instruction Fuzzy Hash: 025126329047624BC736CB3C84442A7FB91AF96314F0986BBDC94AB792C334AD4EC784
                                                        APIs
                                                        • SetCurrentDirectoryA.KERNEL32(?,?,00446A11,00000001,?,?,?,?,?,?,?,?,?,?,?), ref: 004118EB
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                         • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                         • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: CurrentDirectory
                                                        • String ID: %c:\$common_filelist.txt
                                                        • API String ID: 1611563598-3546436211
                                                        • Opcode ID: 11c9fceab815c0a4c1620af3657593bcea19cb5400ae6f0df06cb1a1ff1195ee
                                                        • Instruction ID: 432a507af7a2f7447a54504d14b6aa96a09a11f24d7700c12249833adb4ed6a1
                                                        • Opcode Fuzzy Hash: 11c9fceab815c0a4c1620af3657593bcea19cb5400ae6f0df06cb1a1ff1195ee
                                                        • Instruction Fuzzy Hash: 304129B15043446AD320EBA19C41FFB77A89F85704F04481FFA44561C2EBBCEA49CB7A
                                                        APIs
                                                        • SetCurrentDirectoryA.KERNEL32(?,?,00446A11,00000001,?,?,?,?,?,?,?,?,?,?,?), ref: 004118EB
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: CurrentDirectory
                                                        • String ID: %c:\$common_filelist.txt
                                                        • API String ID: 1611563598-3546436211
                                                        • Opcode ID: a8fce332415b4cfbaa84a20ba7fc0517953bdb2584c165b0b545ae919b08df47
                                                        • Instruction ID: 6025519ab524a28bed39fbe42f5c2c1978188ea60c5d789c7bac0d9d67ab69ce
                                                        • Opcode Fuzzy Hash: a8fce332415b4cfbaa84a20ba7fc0517953bdb2584c165b0b545ae919b08df47
                                                        • Instruction Fuzzy Hash: A6412BB15043446AD320EBA09C41FEB77989F85705F44481FFB44562C2FBBCE645CB6A
                                                        APIs
                                                        • __lock.LIBCMT ref: 0042B00F
                                                        • __lock.LIBCMT ref: 0042B040
                                                          • Part of subcall function 0042400B: __lock.LIBCMT ref: 00424029
                                                          • Part of subcall function 0042400B: HeapFree.KERNEL32(00000000,?,0044C948,0000000C,0042981C,00000000,0044CDF0,00000008,00429851,?,?,?,00423F79,00000004,0044C938,0000000C), ref: 00424070
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: __lock$FreeHeap
                                                        • String ID: @bE
                                                        • API String ID: 743385489-3735480552
                                                        • Opcode ID: e9b2ec0dc0123e412d69c5196f3f427e9980556b1049e712b9c385e69edacffc
                                                        • Instruction ID: 731fc6a72e954c2201cc3ad4f1ba7e74df98332f7485061ff758e95a60e6a6fe
                                                        • Opcode Fuzzy Hash: e9b2ec0dc0123e412d69c5196f3f427e9980556b1049e712b9c385e69edacffc
                                                        • Instruction Fuzzy Hash: D73191717006209BC626AB69F54591FB3B5EF44718BE9094FE510DB292DB3EEC80CA5C
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: __getbuf
                                                        • String ID: hE$@hE
                                                        • API String ID: 554500569-3527237109
                                                        • Opcode ID: 2d09c157eed4a3bd63498b0e5f70137e9fd5757940b0b5303955637cf367db83
                                                        • Instruction ID: f17e0a6b82f98ebd52715b5456d606124dd6aad15095f93feb889772c3e2a4ef
                                                        • Opcode Fuzzy Hash: 2d09c157eed4a3bd63498b0e5f70137e9fd5757940b0b5303955637cf367db83
                                                        • Instruction Fuzzy Hash: 3731A271600710AFC7308F19D841B6677A4EF51329F54C92FE8AA8B291D73CE984CB88
                                                        APIs
                                                        • GetClassInfoA.USER32(?,-0000007C,?), ref: 004384AF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ClassInfo
                                                        • String ID: Afx:%p:%x$Afx:%p:%x:%p:%p:%p
                                                        • API String ID: 3534257612-2801496823
                                                        • Opcode ID: dbe3cc86fff193af0684558f81ef42c515353e085cb2aed473aa4667f0f1f147
                                                        • Instruction ID: b8301b33258d6b108bdec7fe8fd4c628fef138bfb49540b2024fb64cfbea2f2c
                                                        • Opcode Fuzzy Hash: dbe3cc86fff193af0684558f81ef42c515353e085cb2aed473aa4667f0f1f147
                                                        • Instruction Fuzzy Hash: 2721307190020AAF9B10EFA5D8419DFBBB8EE59354F00402FF904E3201E7789951CBA9
                                                        APIs
                                                        • GetFileType.KERNEL32(?,?,?,0044CD70,00000010), ref: 0042888B
                                                        • GetLastError.KERNEL32(?,?,0044CD70,00000010), ref: 00428895
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ErrorFileLastType
                                                        • String ID: @
                                                        • API String ID: 1621975986-2766056989
                                                        • Opcode ID: d13db3f2b38b0cbd7ee7101039cb7977fce53aa96652a0571b1022465f3c0505
                                                        • Instruction ID: 9fa63de9de4804d11020a97d9c36dddd01b917bd1e54f2f62cb2b06b9a7854a5
                                                        • Opcode Fuzzy Hash: d13db3f2b38b0cbd7ee7101039cb7977fce53aa96652a0571b1022465f3c0505
                                                        • Instruction Fuzzy Hash: 8211B1717472685AEF21BB35E80539D3B50AF02328FD8864EE9A0572E3DF3C56419B4E
                                                        APIs
                                                        • SetLastError.KERNEL32(00000000), ref: 0040F5D8
                                                        • GetVolumeInformationA.KERNEL32 ref: 0040F608
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ErrorInformationLastVolume
                                                        • String ID: CDFS
                                                        • API String ID: 2466915109-2335696158
                                                        • Opcode ID: d5bc04d93c239e321a1a71163fded1ab8e459226446f9cf8b63d905a99bc706c
                                                        • Instruction ID: 0ba698df5349420569fcb0b07cbe6f9900faa6667f1b351f96fad5a35dfb1ad2
                                                        • Opcode Fuzzy Hash: d5bc04d93c239e321a1a71163fded1ab8e459226446f9cf8b63d905a99bc706c
                                                        • Instruction Fuzzy Hash: EC1127766042016BE711CB58DC05BD7BBE4ABD5300F04C87DF58457181EAB4994DC763
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000000.00000002.1649398416.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649438589.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649459657.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649472795.0000000000456000.00000004.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649549190.0000000000457000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649568530.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649583782.0000000000487000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649597449.0000000000489000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649609560.000000000048A000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649622762.0000000000491000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649640798.00000000004AA000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649656647.00000000004AE000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649670245.00000000004B6000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000004BD000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649684966.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649786316.00000000005AD000.00000080.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000000.00000002.1649813776.00000000005EB000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: CloseExitHandleThread
                                                        • String ID: m:B
                                                        • API String ID: 3411751092-37060516
                                                        • Opcode ID: 80a6baf8b596835e4e6d2e0790cb893599dbd790eb416e0551c22c3cf0ec0443
                                                        • Instruction ID: 38546fa7c7f44993b21125da49d9b9c894fd7afa0086638ea366401a8295a73f
                                                        • Opcode Fuzzy Hash: 80a6baf8b596835e4e6d2e0790cb893599dbd790eb416e0551c22c3cf0ec0443
                                                        • Instruction Fuzzy Hash: B4E02C30300A3017C23237B8BC09B3E6284AF02720FC5061AF864CA2C0CF6CCC0041AE
                                                        APIs
                                                        • __lock.LIBCMT ref: 0042C78D
                                                          • Part of subcall function 00429838: EnterCriticalSection.KERNEL32(?,?,?,00423F79,00000004,0044C938,0000000C,00423FDD,000000E0,00424008,?,004369E6,?,?,?,00443BF8), ref: 00429860
                                                        • EnterCriticalSection.KERNEL32(-00000020,004252A6,?,0044C9A0,0000000C,0041AE4C,00000000,?,00000001), ref: 0042C798
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: CriticalEnterSection$__lock
                                                        • String ID: `jE
                                                        • API String ID: 3410214836-775037952
                                                        • Opcode ID: 020948bbfa1e214e93c434217dc0c5e047081603cf218c95e1a180738668f8e1
                                                        • Instruction ID: e25f03711a34877e1c848d10ee6b2a6bf970461377bf0363c61bc6c07be673b1
                                                        • Opcode Fuzzy Hash: 020948bbfa1e214e93c434217dc0c5e047081603cf218c95e1a180738668f8e1
                                                        • Instruction Fuzzy Hash: 9BD022B6B0010203DF282676EEC950E3208D2823037EA8C3BF802C3282CF2CDD80840D
                                                        APIs
                                                        • HeapReAlloc.KERNEL32(00000000,?), ref: 00429C86
                                                        • HeapAlloc.KERNEL32(00000008,000041C4), ref: 00429CBF
                                                        • VirtualAlloc.KERNEL32(00000000,00100000,00002000,00000004), ref: 00429CDD
                                                        • HeapFree.KERNEL32(00000000,?), ref: 00429CF4
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: AllocHeap$FreeVirtual
                                                        • String ID:
                                                        • API String ID: 3499195154-0
                                                        • Opcode ID: ea70e5c13c1f21d78355e85d9dd63a5838c77a33c2fad09f6ad6cd3bd0747de8
                                                        • Instruction ID: dfb89f136970734709b6813ad249d643eab4b97aebf48e034e9fa728ed28f66c
                                                        • Opcode Fuzzy Hash: ea70e5c13c1f21d78355e85d9dd63a5838c77a33c2fad09f6ad6cd3bd0747de8
                                                        • Instruction Fuzzy Hash: 0F116D302006019FD7328F29FD45A2A7BF6FB86764B60492EF256D31B1C3B09846DF18
                                                        APIs
                                                        • EnterCriticalSection.KERNEL32(00480774,?,00000000,?,?,00443333,00000010,?,?,?,?,?,00442F7C,00442F2F,00441F83,00442F82), ref: 00443862
                                                        • InitializeCriticalSection.KERNEL32(00000000,?,00000000,?,?,00443333,00000010,?,?,?,?,?,00442F7C,00442F2F,00441F83,00442F82), ref: 00443874
                                                        • LeaveCriticalSection.KERNEL32(00480774,?,00000000,?,?,00443333,00000010,?,?,?,?,?,00442F7C,00442F2F,00441F83,00442F82), ref: 0044387D
                                                        • EnterCriticalSection.KERNEL32(00000000,00000000,?,?,00443333,00000010,?,?,?,?,?,00442F7C,00442F2F,00441F83,00442F82,0043538D), ref: 0044388F
                                                          • Part of subcall function 004437CB: InitializeCriticalSection.KERNEL32(00480774,00443842,00443333,00000010,?,?,?,?,?,00442F7C,00442F2F,00441F83,00442F82,0043538D,?,0047EA90), ref: 004437E3
                                                        Memory Dump Source
                                                        • Source File: 00000000.00000002.1649410510.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_0_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: CriticalSection$EnterInitialize$Leave
                                                        • String ID:
                                                        • API String ID: 713024617-0
                                                        • Opcode ID: d2f9604f23d93bf9d1f3fcdad8a379a939db2a14611848bcd9185e1ad81e3a83
                                                        • Instruction ID: 3b45dfc569fa32815649505fb739a58a282b546805a0b9d948b316ba2df3f3b5
                                                        • Opcode Fuzzy Hash: d2f9604f23d93bf9d1f3fcdad8a379a939db2a14611848bcd9185e1ad81e3a83
                                                        • Instruction Fuzzy Hash: 82F06D7101020ADFE750AF94EC84A5AF3ACFB15716F00083BE14083011D738F658CBA8

                                                        Execution Graph

                                                        Execution Coverage:3.2%
                                                        Dynamic/Decrypted Code Coverage:0%
                                                        Signature Coverage:4.8%
                                                        Total number of Nodes:1280
                                                        Total number of Limit Nodes:43
58042->58044 58043->58044 58044->57739 58044->57742 58046 6a25dd 58045->58046 58047 6a25b0 RegQueryValueExW RegCloseKey 58045->58047 58048 693b40 28 API calls 58046->58048 58047->58046 58049 69e0ba 58048->58049 58049->57752 58051 6a2992 RegDeleteValueW 58050->58051 58052 6a29a6 58050->58052 58051->58052 58053 6a29a2 58051->58053 58052->57761 58053->57761 58055 69cbc5 58054->58055 58056 6a246e 3 API calls 58055->58056 58057 69cbcc 58056->58057 58061 69cbeb 58057->58061 58561 691602 58057->58561 58059 69cbd9 58564 6a27d5 RegCreateKeyA 58059->58564 58062 6a3fd4 58061->58062 58063 6a3feb 58062->58063 58578 6aaa73 58063->58578 58065 6a3ff6 58066 691d64 22 API calls 58065->58066 58067 6a400f 58066->58067 58068 6ca5e7 _strftime 39 API calls 58067->58068 58069 6a401c 58068->58069 58070 6a402e 58069->58070 58071 6a4021 Sleep 58069->58071 58072 691f66 28 API calls 58070->58072 58071->58070 58073 6a403d 58072->58073 58074 691d64 22 API calls 58073->58074 58075 6a404b 58074->58075 58076 691fbd 28 API calls 58075->58076 58077 6a4053 58076->58077 58078 6aafc3 28 API calls 58077->58078 58079 6a405b 58078->58079 58582 694262 WSAStartup 58079->58582 58081 6a4065 58082 691d64 22 API calls 58081->58082 58083 6a406e 58082->58083 58084 691d64 22 API calls 58083->58084 58144 6a40ed 58083->58144 58085 6a4087 58084->58085 58088 691d64 22 API calls 58085->58088 58086 691d64 22 API calls 58086->58144 58087 691fbd 28 API calls 58087->58144 58089 6a4098 58088->58089 58091 691d64 22 API calls 58089->58091 58090 6aafc3 28 API calls 58090->58144 58092 6a40a9 58091->58092 58093 691d64 22 API calls 58092->58093 58095 6a40ba 58093->58095 58094 6985b4 28 API calls 58094->58144 58096 691d64 22 API calls 58095->58096 58098 6a40cb 58096->58098 58097 691eef 11 API calls 58097->58144 58100 691d64 22 API calls 58098->58100 58099 691eea 11 API calls 58099->58144 58101 6a40dd 58100->58101 58714 694101 87 API calls 58101->58714 58104 6a4244 WSAGetLastError 58715 6abc76 30 API calls 58104->58715 58109 6a4259 
58111 6aa686 79 API calls 58109->58111 58114 691d8c 11 API calls 58109->58114 58115 691d64 22 API calls 58109->58115 58116 6ca5e7 _strftime 39 API calls 58109->58116 58109->58144 58146 691f66 28 API calls 58109->58146 58147 6a4b22 CreateThread 58109->58147 58148 691eea 11 API calls 58109->58148 58149 691e13 11 API calls 58109->58149 58716 694c9e 28 API calls 58109->58716 58717 69a767 84 API calls 58109->58717 58718 6947eb 98 API calls 58109->58718 58111->58109 58113 694cbf 28 API calls 58113->58144 58114->58109 58115->58109 58117 6a4b80 Sleep 58116->58117 58117->58109 58118 695ce6 28 API calls 58118->58144 58119 691f66 28 API calls 58119->58144 58120 6aa686 79 API calls 58120->58144 58123 6982dc 28 API calls 58123->58144 58124 6d0c51 20 API calls 58124->58144 58125 6a265d 3 API calls 58125->58144 58126 6a2513 31 API calls 58126->58144 58127 693b40 28 API calls 58127->58144 58130 691d64 22 API calls 58131 6a44ed GetTickCount 58130->58131 58132 6aad46 28 API calls 58131->58132 58132->58144 58134 6aad46 28 API calls 58134->58144 58137 6aaec8 28 API calls 58137->58144 58139 6927cb 28 API calls 58139->58144 58140 69275c 28 API calls 58140->58144 58141 694468 59 API calls 58141->58144 58142 691e13 11 API calls 58142->58144 58144->58086 58144->58087 58144->58090 58144->58094 58144->58097 58144->58099 58144->58104 58144->58109 58144->58113 58144->58118 58144->58119 58144->58120 58144->58123 58144->58124 58144->58125 58144->58126 58144->58127 58144->58130 58144->58134 58144->58137 58144->58139 58144->58140 58144->58141 58144->58142 58583 6a3f9a 58144->58583 58588 6941f1 58144->58588 58595 694915 58144->58595 58610 69428c connect 58144->58610 58670 6aa96d 58144->58670 58673 6a3683 58144->58673 58676 69cbf1 58144->58676 58682 6aadee 58144->58682 58685 6aaca0 58144->58685 58687 6aac52 58144->58687 58692 69e679 GetLocaleInfoA 58144->58692 58695 6927ec 58144->58695 58699 6945d5 58144->58699 58146->58109 58147->58109 58876 6a9e89 102 API calls 58147->58876 58148->58109 
58149->58109 58150->57510 58151->57521 58154 6985c0 58153->58154 58155 692e78 28 API calls 58154->58155 58156 6985e4 58155->58156 58156->57542 58158 6a250b 58157->58158 58159 6a24e1 RegQueryValueExA RegCloseKey 58157->58159 58158->57539 58159->58158 58160->57559 58161->57574 58162->57566 58163->57558 58164->57573 58166 69c8ba 58165->58166 58167 69c8da 58166->58167 58168 69c90f 58166->58168 58169 69c8d0 58166->58169 58877 6aa74b 29 API calls 58167->58877 58170 6ab15b GetCurrentProcess 58168->58170 58172 69ca03 GetLongPathNameW 58169->58172 58174 69c914 58170->58174 58173 693b40 28 API calls 58172->58173 58176 69ca18 58173->58176 58177 69c918 58174->58177 58178 69c96a 58174->58178 58175 69c8e3 58179 691e18 11 API calls 58175->58179 58180 693b40 28 API calls 58176->58180 58182 693b40 28 API calls 58177->58182 58181 693b40 28 API calls 58178->58181 58183 69c8ed 58179->58183 58184 69ca27 58180->58184 58185 69c978 58181->58185 58186 69c926 58182->58186 58188 691e13 11 API calls 58183->58188 58880 69cc37 28 API calls 58184->58880 58191 693b40 28 API calls 58185->58191 58192 693b40 28 API calls 58186->58192 58188->58169 58189 69ca3a 58881 692860 28 API calls 58189->58881 58194 69c98e 58191->58194 58195 69c93c 58192->58195 58193 69ca45 58882 692860 28 API calls 58193->58882 58879 692860 28 API calls 58194->58879 58878 692860 28 API calls 58195->58878 58199 69ca4f 58202 691e13 11 API calls 58199->58202 58200 69c999 58203 691e18 11 API calls 58200->58203 58201 69c947 58204 691e18 11 API calls 58201->58204 58205 69ca59 58202->58205 58206 69c9a4 58203->58206 58207 69c952 58204->58207 58208 691e13 11 API calls 58205->58208 58209 691e13 11 API calls 58206->58209 58210 691e13 11 API calls 58207->58210 58212 69ca62 58208->58212 58213 69c9ad 58209->58213 58211 69c95b 58210->58211 58215 691e13 11 API calls 58211->58215 58216 691e13 11 API calls 58212->58216 58214 691e13 11 API calls 58213->58214 58214->58183 58215->58183 58217 69ca6b 58216->58217 58218 691e13 11 API calls 
58217->58218 58219 69ca74 58218->58219 58220 691e13 11 API calls 58219->58220 58221 69ca7d 58220->58221 58221->57620 58222->57631 58223->57654 58225 6a2683 RegQueryValueExA RegCloseKey 58224->58225 58226 6a26a7 58224->58226 58225->58226 58226->57613 58227->57648 58228->57682 58229->57693 58230->57715 58231->57703 58232->57738 58234 691e0c 58233->58234 58235->57565 58238 6aa65c LoadResource LockResource SizeofResource 58237->58238 58239 69e183 58237->58239 58238->58239 58239->57864 58241 691f86 28 API calls 58240->58241 58242 696066 58241->58242 58242->57875 58248 693c30 58243->58248 58246->57896 58247->57877 58249 693c39 58248->58249 58252 693c59 58249->58252 58253 693c68 58252->58253 58258 6932a4 58253->58258 58255 693c74 58256 692325 28 API calls 58255->58256 58257 693b73 58256->58257 58257->57896 58259 6932ad 58258->58259 58260 6932b0 58258->58260 58259->58255 58263 6932b6 22 API calls 58260->58263 58264->57900 58268 692e85 58266->58268 58267 692ea9 58267->57909 58268->58267 58269 692e98 58268->58269 58271 692eae 58268->58271 58273 693445 28 API calls 58269->58273 58271->58267 58274 69225b 11 API calls 58271->58274 58273->58267 58274->58267 58276 694bd0 58275->58276 58279 69245c 58276->58279 58278 694be4 58278->57912 58280 692469 58279->58280 58282 692478 58280->58282 58283 692ad3 28 API calls 58280->58283 58282->58278 58283->58282 58284->57915 58286 691e94 58285->58286 58286->57923 58288 6ab168 GetCurrentProcess 58287->58288 58289 6aa471 58287->58289 58288->58289 58290 6a2513 RegOpenKeyExA 58289->58290 58291 6a2569 58290->58291 58292 6a2541 RegQueryValueExA RegCloseKey 58290->58292 58293 691f66 28 API calls 58291->58293 58292->58291 58294 6a257e 58293->58294 58294->57929 58295->57937 58297 69b02f 58296->58297 58300 69b04b 58297->58300 58299 69b045 58299->57948 58301 69b055 58300->58301 58303 69b060 58301->58303 58304 69b138 28 API calls 58301->58304 58303->58299 58304->58303 58305->57952 58306->57954 58308 69230d 58307->58308 58309 692325 28 API calls 
58308->58309 58310 691f80 58309->58310 58310->57624 58327 6ca545 58311->58327 58313 6c9950 58314 6c998b 58313->58314 58315 6c9965 58313->58315 58326 6c996a __cftoe 58313->58326 58333 6c92de 35 API calls 3 library calls 58314->58333 58332 6d5354 20 API calls _free 58315->58332 58319 6c9997 58320 6c99c6 58319->58320 58334 6ca58a 39 API calls __Tolower 58319->58334 58323 6c9a32 58320->58323 58335 6ca4f1 20 API calls 2 library calls 58320->58335 58336 6ca4f1 20 API calls 2 library calls 58323->58336 58324 6c9af9 _strftime 58324->58326 58337 6d5354 20 API calls _free 58324->58337 58326->57980 58328 6ca55d 58327->58328 58329 6ca54a 58327->58329 58328->58313 58338 6d5354 20 API calls _free 58329->58338 58331 6ca54f __cftoe 58331->58313 58332->58326 58333->58319 58334->58319 58335->58323 58336->58324 58337->58326 58338->58331 58343 691e9b 58339->58343 58341 6927d9 58341->57993 58342->57997 58344 691ea7 58343->58344 58345 69245c 28 API calls 58344->58345 58346 691eb9 58345->58346 58346->58341 58348 699855 58347->58348 58349 6a24b7 3 API calls 58348->58349 58350 69985c 58349->58350 58351 69988a 58350->58351 58352 699870 58350->58352 58366 6982dc 58351->58366 58353 6995cf 58352->58353 58354 699875 58352->58354 58353->57677 58356 6982dc 28 API calls 58354->58356 58358 699883 58356->58358 58392 699959 29 API calls 58358->58392 58361 699888 58361->58353 58362->58023 58530 692d8b 58363->58530 58365 6928dd 58365->58026 58367 6982eb 58366->58367 58393 698431 58367->58393 58369 698309 58370 6998a5 58369->58370 58398 69affa 58370->58398 58373 6998ce 58375 691f66 28 API calls 58373->58375 58374 6998f6 58376 691f66 28 API calls 58374->58376 58377 6998d8 58375->58377 58378 699901 58376->58378 58379 6aae08 28 API calls 58377->58379 58380 691f66 28 API calls 58378->58380 58381 6998e6 58379->58381 58382 699910 58380->58382 58402 69a876 31 API calls ___crtLCMapStringA 58381->58402 58383 6aa686 79 API calls 58382->58383 58385 699915 CreateThread 58383->58385 58387 69993c CreateThread 
58385->58387 58388 699930 CreateThread 58385->58388 58414 6999a9 58385->58414 58386 6998ed 58389 691eea 11 API calls 58386->58389 58390 691e13 11 API calls 58387->58390 58411 6999b5 58387->58411 58388->58387 58408 699993 58388->58408 58389->58374 58391 699950 58390->58391 58391->58353 58392->58361 58529 69999f 135 API calls 58392->58529 58394 69843d 58393->58394 58396 69845b 58394->58396 58397 692f0d 28 API calls 58394->58397 58396->58369 58397->58396 58400 69b006 58398->58400 58399 6998c3 58399->58373 58399->58374 58400->58399 58403 693b9e 58400->58403 58402->58386 58404 693ba8 58403->58404 58406 693bb3 58404->58406 58407 693cfd 28 API calls 58404->58407 58406->58399 58407->58406 58417 6999e4 58408->58417 58447 69a3f4 58411->58447 58484 699e48 58414->58484 58418 6999ff GetModuleHandleA SetWindowsHookExA 58417->58418 58419 699a63 GetMessageA 58417->58419 58418->58419 58421 699a1b GetLastError 58418->58421 58420 699a75 TranslateMessage DispatchMessageA 58419->58420 58422 69999c 58419->58422 58420->58419 58420->58422 58432 6aad46 58421->58432 58426 699a3e 58427 691f66 28 API calls 58426->58427 58428 699a4d 58427->58428 58429 6aa686 79 API calls 58428->58429 58430 699a52 58429->58430 58431 691eea 11 API calls 58430->58431 58431->58422 58438 6d0c51 58432->58438 58435 691f66 28 API calls 58436 699a31 58435->58436 58437 694c9e 28 API calls 58436->58437 58437->58426 58439 6d0c5d 58438->58439 58442 6d0a4d 58439->58442 58441 6aad67 58441->58435 58443 6d0a64 58442->58443 58444 6d0a9b __cftoe 58443->58444 58446 6d5354 20 API calls _free 58443->58446 58444->58441 58446->58444 58453 69a402 58447->58453 58448 6999be 58449 69a45c Sleep GetForegroundWindow GetWindowTextLengthW 58450 69b027 28 API calls 58449->58450 58450->58453 58453->58448 58453->58449 58454 6aaca0 GetTickCount 58453->58454 58456 69a4a2 GetWindowTextW 58453->58456 58458 691e13 11 API calls 58453->58458 58459 69a5ff 58453->58459 58460 69affa 28 API calls 58453->58460 58462 69a569 Sleep 58453->58462 58463 6d0c51 20 
API calls 58453->58463 58465 691f66 28 API calls 58453->58465 58466 69a4f1 58453->58466 58470 695ce6 28 API calls 58453->58470 58472 6928cf 28 API calls 58453->58472 58473 6aae08 28 API calls 58453->58473 58474 699d58 12 API calls 58453->58474 58475 691eea 11 API calls 58453->58475 58476 6c3519 5 API calls __Init_thread_wait 58453->58476 58477 6c38a5 23 API calls __onexit 58453->58477 58478 6c34cf EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 58453->58478 58479 6982a8 28 API calls 58453->58479 58481 69b0dd 28 API calls 58453->58481 58482 69ae58 44 API calls 2 library calls 58453->58482 58483 694c9e 28 API calls 58453->58483 58454->58453 58456->58453 58458->58453 58461 691e13 11 API calls 58459->58461 58460->58453 58461->58448 58462->58453 58463->58453 58465->58453 58466->58453 58468 6982dc 28 API calls 58466->58468 58480 69a876 31 API calls ___crtLCMapStringA 58466->58480 58468->58466 58470->58453 58472->58453 58473->58453 58474->58453 58475->58453 58476->58453 58477->58453 58478->58453 58479->58453 58480->58466 58481->58453 58482->58453 58483->58453 58485 699e5d Sleep 58484->58485 58504 699d97 58485->58504 58487 6999b2 58488 699e9d CreateDirectoryW 58492 699e6f 58488->58492 58489 699eae GetFileAttributesW 58489->58492 58490 699ec5 SetFileAttributesW 58490->58492 58492->58485 58492->58487 58492->58488 58492->58489 58492->58490 58494 691d64 22 API calls 58492->58494 58502 699f10 58492->58502 58517 6ab58f 58492->58517 58493 699f3f PathFileExistsW 58493->58502 58494->58492 58496 691f86 28 API calls 58496->58502 58497 69a048 SetFileAttributesW 58497->58492 58498 691eea 11 API calls 58498->58502 58499 696052 28 API calls 58499->58502 58500 691eef 11 API calls 58500->58502 58502->58493 58502->58496 58502->58497 58502->58498 58502->58499 58502->58500 58503 691eea 11 API calls 58502->58503 58526 6ab61a 32 API calls 58502->58526 58527 6ab687 CreateFileW SetFilePointer WriteFile CloseHandle 58502->58527 58503->58492 58505 699e44 58504->58505 58507 699dad 
58504->58507 58505->58492 58506 699dcc CreateFileW 58506->58507 58508 699dda GetFileSize 58506->58508 58507->58506 58509 699e0f CloseHandle 58507->58509 58510 699dfd 58507->58510 58511 699e04 Sleep 58507->58511 58512 699e21 58507->58512 58508->58507 58508->58509 58509->58507 58528 69a7f0 83 API calls 58510->58528 58511->58509 58512->58505 58514 6982dc 28 API calls 58512->58514 58515 699e3d 58514->58515 58516 6998a5 126 API calls 58515->58516 58516->58505 58518 6ab5a2 CreateFileW 58517->58518 58520 6ab5df 58518->58520 58521 6ab5db 58518->58521 58522 6ab5f6 WriteFile 58520->58522 58523 6ab5e6 SetFilePointer 58520->58523 58521->58492 58524 6ab60b CloseHandle 58522->58524 58525 6ab609 58522->58525 58523->58522 58523->58524 58524->58521 58525->58524 58526->58502 58527->58502 58528->58511 58531 692d97 58530->58531 58534 6930f7 58531->58534 58533 692dab 58533->58365 58535 693101 58534->58535 58537 693115 58535->58537 58538 6936c2 28 API calls 58535->58538 58537->58533 58538->58537 58540 693b48 58539->58540 58546 693b7a 58540->58546 58543 693cbb 58550 693dc2 58543->58550 58545 693cc9 58545->58035 58547 693b86 58546->58547 58548 693b9e 28 API calls 58547->58548 58549 693b5a 58548->58549 58549->58543 58551 693dce 58550->58551 58554 692ffd 58551->58554 58553 693de3 58553->58545 58555 69300e 58554->58555 58556 6932a4 22 API calls 58555->58556 58557 69301a 58556->58557 58559 69302e 58557->58559 58560 6935e8 28 API calls 58557->58560 58559->58553 58560->58559 58567 6c95ba 58561->58567 58565 6a2814 58564->58565 58566 6a27ed RegSetValueExA RegCloseKey 58564->58566 58565->58061 58566->58565 58570 6c953b 58567->58570 58569 691608 58569->58059 58571 6c955e 58570->58571 58572 6c954a 58570->58572 58575 6c954f __alldvrm __cftoe 58571->58575 58577 6d7601 11 API calls 2 library calls 58571->58577 58576 6d5354 20 API calls _free 58572->58576 58575->58569 58576->58575 58577->58575 58579 6aaab9 ctype ___scrt_fastfail 58578->58579 58580 691f66 28 API calls 58579->58580 58581 6aab2e 
58580->58581 58581->58065 58582->58081 58584 6a3fa9 58583->58584 58585 6a3fb3 getaddrinfo WSASetLastError 58583->58585 58719 6a3e37 29 API calls ___std_exception_copy 58584->58719 58585->58144 58587 6a3fae 58587->58585 58589 6941fd 58588->58589 58590 694206 socket 58588->58590 58720 694262 WSAStartup 58589->58720 58592 694220 58590->58592 58593 694224 CreateEventW 58590->58593 58592->58144 58593->58144 58594 694202 58594->58590 58594->58592 58596 6949b1 58595->58596 58597 69492a 58595->58597 58596->58144 58598 694933 58597->58598 58599 694987 CreateEventA CreateThread 58597->58599 58600 694942 GetLocalTime 58597->58600 58598->58599 58599->58596 58722 694b1d 58599->58722 58601 6aad46 28 API calls 58600->58601 58602 69495b 58601->58602 58721 694c9e 28 API calls 58602->58721 58604 694968 58605 691f66 28 API calls 58604->58605 58606 694977 58605->58606 58607 6aa686 79 API calls 58606->58607 58608 69497c 58607->58608 58609 691eea 11 API calls 58608->58609 58609->58599 58611 6943e1 58610->58611 58612 6942b3 58610->58612 58613 694343 58611->58613 58614 6943e7 WSAGetLastError 58611->58614 58612->58613 58616 694cbf 28 API calls 58612->58616 58636 6942e8 58612->58636 58613->58144 58614->58613 58615 6943f7 58614->58615 58617 6943fc 58615->58617 58619 6942f7 58615->58619 58620 6942d4 58616->58620 58731 6abc76 30 API calls 58617->58731 58623 691f66 28 API calls 58619->58623 58624 691f66 28 API calls 58620->58624 58622 6942f0 58622->58619 58626 694306 58622->58626 58627 694448 58623->58627 58628 6942e3 58624->58628 58625 69440b 58732 694c9e 28 API calls 58625->58732 58633 69434c 58626->58633 58634 694315 58626->58634 58630 691f66 28 API calls 58627->58630 58631 6aa686 79 API calls 58628->58631 58635 694457 58630->58635 58631->58636 58632 694418 58637 691f66 28 API calls 58632->58637 58728 6b0f34 52 API calls 58633->58728 58638 691f66 28 API calls 58634->58638 58639 6aa686 79 API calls 58635->58639 58726 6b0151 27 API calls 58636->58726 58641 694427 58637->58641 58642 694324 
58638->58642 58639->58613 58644 6aa686 79 API calls 58641->58644 58645 691f66 28 API calls 58642->58645 58643 694354 58646 694389 58643->58646 58647 694359 58643->58647 58648 69442c 58644->58648 58649 694333 58645->58649 58730 6b02ea 28 API calls 58646->58730 58651 691f66 28 API calls 58647->58651 58652 691eea 11 API calls 58648->58652 58654 6aa686 79 API calls 58649->58654 58653 694368 58651->58653 58652->58613 58656 691f66 28 API calls 58653->58656 58657 694338 58654->58657 58655 694391 58658 6943be CreateEventW CreateEventW 58655->58658 58660 691f66 28 API calls 58655->58660 58659 694377 58656->58659 58727 6adc15 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 58657->58727 58658->58613 58661 6aa686 79 API calls 58659->58661 58663 6943a7 58660->58663 58664 69437c 58661->58664 58665 691f66 28 API calls 58663->58665 58729 6b0592 50 API calls 58664->58729 58667 6943b6 58665->58667 58668 6aa686 79 API calls 58667->58668 58669 6943bb 58668->58669 58669->58658 58733 6aa945 GlobalMemoryStatusEx 58670->58733 58672 6aa982 58672->58144 58734 6a3646 58673->58734 58677 69cc0d 58676->58677 58678 6a246e 3 API calls 58677->58678 58680 69cc14 58678->58680 58679 69cc2c 58679->58144 58680->58679 58681 6a24b7 3 API calls 58680->58681 58681->58679 58683 691f86 28 API calls 58682->58683 58684 6aae03 58683->58684 58684->58144 58686 6aacb6 GetTickCount 58685->58686 58686->58144 58688 6c6050 ___scrt_fastfail 58687->58688 58689 6aac71 GetForegroundWindow GetWindowTextW 58688->58689 58690 693b40 28 API calls 58689->58690 58691 6aac9b 58690->58691 58691->58144 58693 691f66 28 API calls 58692->58693 58694 69e69e 58693->58694 58694->58144 58696 6927f8 58695->58696 58697 692e78 28 API calls 58696->58697 58698 692814 58697->58698 58698->58144 58701 6945ec 58699->58701 58700 6ca88c ___crtLCMapStringA 21 API calls 58700->58701 58701->58700 58703 691f86 28 API calls 58701->58703 58704 694666 58701->58704 58705 691eef 11 API calls 58701->58705 58708 691eea 11 API calls 58701->58708 
58764 69455b 58701->58764 58770 694688 58701->58770 58703->58701 58781 6947eb 98 API calls 58704->58781 58705->58701 58707 69466d 58709 691eea 11 API calls 58707->58709 58708->58701 58710 694676 58709->58710 58711 691eea 11 API calls 58710->58711 58712 69467f 58711->58712 58712->58144 58714->58144 58715->58109 58716->58109 58717->58109 58718->58109 58719->58587 58720->58594 58721->58604 58725 694b29 101 API calls 58722->58725 58724 694b26 58725->58724 58726->58622 58727->58613 58728->58643 58729->58657 58730->58655 58731->58625 58732->58632 58733->58672 58737 6a3619 58734->58737 58738 6a362e ___scrt_initialize_default_local_stdio_options 58737->58738 58741 6ce2dd 58738->58741 58744 6cb030 58741->58744 58745 6cb058 58744->58745 58746 6cb070 58744->58746 58759 6d5354 20 API calls _free 58745->58759 58746->58745 58748 6cb078 58746->58748 58760 6c92de 35 API calls 3 library calls 58748->58760 58750 6cb088 58761 6cb7b6 20 API calls 2 library calls 58750->58761 58751 6cb05d __cftoe 58753 6c3d2c ___crtLCMapStringA 5 API calls 58751->58753 58755 6a363c 58753->58755 58754 6cb100 58762 6cbe24 50 API calls 3 library calls 58754->58762 58755->58144 58758 6cb10b 58763 6cb820 20 API calls _free 58758->58763 58759->58751 58760->58750 58761->58754 58762->58758 58763->58751 58765 694592 recv 58764->58765 58766 694565 WaitForSingleObject 58764->58766 58767 6945a5 58765->58767 58782 6b0556 52 API calls 58766->58782 58767->58701 58769 694581 SetEvent 58769->58767 58780 6946a3 58770->58780 58771 6947d8 58772 691eea 11 API calls 58771->58772 58773 6947e1 58772->58773 58773->58701 58774 693b60 28 API calls 58774->58780 58775 691eef 11 API calls 58775->58780 58776 691eea 11 API calls 58776->58780 58777 691fbd 28 API calls 58777->58780 58778 691ebd 28 API calls 58779 694772 CreateEventA CreateThread WaitForSingleObject CloseHandle 58778->58779 58779->58780 58783 6a4b9b 58779->58783 58780->58771 58780->58774 58780->58775 58780->58776 58780->58777 58780->58778 58781->58707 58782->58769 58784 
691fbd 28 API calls 58783->58784 58785 6a4bbd SetEvent 58784->58785 58786 6a4bd2 58785->58786 58787 693b60 28 API calls 58786->58787 58788 6a4bec 58787->58788 58789 691fbd 28 API calls 58788->58789 58790 6a4bfc 58789->58790 58791 691fbd 28 API calls 58790->58791 58792 6a4c0e 58791->58792 58793 6aafc3 28 API calls 58792->58793 58794 6a4c17 58793->58794 58796 6a4c37 GetTickCount 58794->58796 58856 6a4d99 58794->58856 58861 6a4d8a 58794->58861 58795 691d8c 11 API calls 58797 6a61fb 58795->58797 58798 6aad46 28 API calls 58796->58798 58800 691eea 11 API calls 58797->58800 58801 6a4c4d 58798->58801 58799 6a4dad 58874 694ab1 83 API calls 58799->58874 58803 6a6207 58800->58803 58804 6aaca0 GetTickCount 58801->58804 58806 691eea 11 API calls 58803->58806 58807 6a4c54 58804->58807 58805 6a4d7d 58805->58861 58808 6a6213 58806->58808 58809 6aad46 28 API calls 58807->58809 58810 6a4c5f 58809->58810 58811 6aac52 30 API calls 58810->58811 58812 6a4c6d 58811->58812 58862 6aaec8 58812->58862 58815 691d64 22 API calls 58816 6a4c89 58815->58816 58817 6927ec 28 API calls 58816->58817 58818 6a4c97 58817->58818 58866 69275c 58818->58866 58820 6a4ca6 58821 6927cb 28 API calls 58820->58821 58822 6a4cb5 58821->58822 58823 69275c 28 API calls 58822->58823 58824 6a4cc4 58823->58824 58825 6927cb 28 API calls 58824->58825 58826 6a4cd0 58825->58826 58827 69275c 28 API calls 58826->58827 58828 6a4cda 58827->58828 58829 694468 59 API calls 58828->58829 58830 6a4ce9 58829->58830 58831 691eea 11 API calls 58830->58831 58832 6a4cf2 58831->58832 58833 691eea 11 API calls 58832->58833 58834 6a4cfe 58833->58834 58835 691eea 11 API calls 58834->58835 58836 6a4d0a 58835->58836 58837 691eea 11 API calls 58836->58837 58838 6a4d16 58837->58838 58839 691eea 11 API calls 58838->58839 58840 6a4d22 58839->58840 58841 691eea 11 API calls 58840->58841 58842 6a4d2e 58841->58842 58843 691e13 11 API calls 58842->58843 58844 6a4d3a 58843->58844 58845 691eea 11 API calls 58844->58845 58846 6a4d43 58845->58846 58847 
691eea 11 API calls 58846->58847 58848 6a4d4c 58847->58848 58849 691d64 22 API calls 58848->58849 58850 6a4d57 58849->58850 58851 6ca5e7 _strftime 39 API calls 58850->58851 58852 6a4d64 58851->58852 58853 6a4d69 58852->58853 58854 6a4d8f 58852->58854 58857 6a4d82 58853->58857 58858 6a4d77 58853->58858 58855 691d64 22 API calls 58854->58855 58855->58856 58856->58799 58856->58861 58860 694915 104 API calls 58857->58860 58873 6949ba 81 API calls 58858->58873 58860->58861 58861->58795 58863 6aaed5 58862->58863 58864 691f86 28 API calls 58863->58864 58865 6a4c7b 58864->58865 58865->58815 58869 69276b 58866->58869 58867 6927ad 58868 691e9b 28 API calls 58867->58868 58870 6927ab 58868->58870 58869->58867 58871 6927a2 58869->58871 58870->58820 58875 692ee5 28 API calls 58871->58875 58873->58805 58874->58805 58875->58870 58877->58175 58878->58201 58879->58200 58880->58189 58881->58193 58882->58199 58885 69e56a 58883->58885 58884 6a24b7 3 API calls 58884->58885 58885->58884 58886 69e60e 58885->58886 58889 69e5fe Sleep 58885->58889 58905 69e59c 58885->58905 58888 6982dc 28 API calls 58886->58888 58887 6982dc 28 API calls 58887->58905 58891 69e619 58888->58891 58889->58885 58890 6aae08 28 API calls 58890->58905 58893 6aae08 28 API calls 58891->58893 58894 69e625 58893->58894 58918 6a2774 14 API calls 58894->58918 58897 691e13 11 API calls 58897->58905 58898 69e638 58899 691e13 11 API calls 58898->58899 58901 69e644 58899->58901 58900 691f66 28 API calls 58900->58905 58902 691f66 28 API calls 58901->58902 58903 69e655 58902->58903 58906 6a26d2 14 API calls 58903->58906 58904 6a26d2 14 API calls 58904->58905 58905->58887 58905->58889 58905->58890 58905->58897 58905->58900 58905->58904 58916 69bf04 73 API calls ___scrt_fastfail 58905->58916 58917 6a2774 14 API calls 58905->58917 58907 69e668 58906->58907 58919 6a1699 TerminateProcess WaitForSingleObject 58907->58919 58909 69e670 ExitProcess 58920 6a1637 60 API calls 58914->58920 58917->58905 58918->58898 58919->58909 58921 6ca998 
58924 6ca9a4 _swprintf BuildCatchObjectHelperInternal 58921->58924 58922 6ca9b2 58937 6d5354 20 API calls _free 58922->58937 58924->58922 58926 6ca9dc 58924->58926 58925 6ca9b7 __cftoe std::_Locinfo::_Locinfo_dtor 58932 6d4acc EnterCriticalSection 58926->58932 58928 6ca9e7 58933 6caa88 58928->58933 58932->58928 58935 6caa96 58933->58935 58934 6ca9f2 58938 6caa0f LeaveCriticalSection std::_Lockit::~_Lockit 58934->58938 58935->58934 58939 6d8416 36 API calls 2 library calls 58935->58939 58937->58925 58938->58925 58939->58935

Control-flow Graph

APIs
• LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0069D783), ref: 006ABCF8
• GetProcAddress.KERNEL32(00000000), ref: 006ABD01
• GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0069D783), ref: 006ABD18
• GetProcAddress.KERNEL32(00000000), ref: 006ABD1B
• LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0069D783), ref: 006ABD2D
• GetProcAddress.KERNEL32(00000000), ref: 006ABD30
• LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0069D783), ref: 006ABD41
• GetProcAddress.KERNEL32(00000000), ref: 006ABD44
• LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0069D783), ref: 006ABD55
• GetProcAddress.KERNEL32(00000000), ref: 006ABD58
• LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0069D783), ref: 006ABD65
• GetProcAddress.KERNEL32(00000000), ref: 006ABD68
• GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0069D783), ref: 006ABD75
• GetProcAddress.KERNEL32(00000000), ref: 006ABD78
• GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0069D783), ref: 006ABD85
• GetProcAddress.KERNEL32(00000000), ref: 006ABD88
• LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0069D783), ref: 006ABD99
• GetProcAddress.KERNEL32(00000000), ref: 006ABD9C
• GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0069D783), ref: 006ABDA9
• GetProcAddress.KERNEL32(00000000), ref: 006ABDAC
• GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0069D783), ref: 006ABDBD
• GetProcAddress.KERNEL32(00000000), ref: 006ABDC0
• GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0069D783), ref: 006ABDD1
• GetProcAddress.KERNEL32(00000000), ref: 006ABDD4
• GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0069D783), ref: 006ABDE5
• GetProcAddress.KERNEL32(00000000), ref: 006ABDE8
• GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0069D783), ref: 006ABDF5
• GetProcAddress.KERNEL32(00000000), ref: 006ABDF8
                                                        • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0069D783), ref: 006ABE06
                                                        • GetProcAddress.KERNEL32(00000000), ref: 006ABE09
                                                        • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0069D783), ref: 006ABE16
                                                        • GetProcAddress.KERNEL32(00000000), ref: 006ABE19
                                                        • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0069D783), ref: 006ABE2B
                                                        • GetProcAddress.KERNEL32(00000000), ref: 006ABE2E
                                                        • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0069D783), ref: 006ABE3B
                                                        • GetProcAddress.KERNEL32(00000000), ref: 006ABE3E
                                                        • LoadLibraryA.KERNELBASE(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0069D783), ref: 006ABE50
                                                        • GetProcAddress.KERNEL32(00000000), ref: 006ABE53
                                                        • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0069D783), ref: 006ABE60
                                                        • GetProcAddress.KERNEL32(00000000), ref: 006ABE63
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressProc$HandleLibraryLoadModule
                                                        • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                        • API String ID: 384173800-625181639
                                                        • Opcode ID: 4fee67e7ec1bcf300118a4537c7a7a624a7587b836ca03c53fdade11a9b45d58
                                                        • Instruction ID: 33fa624d95203ca431653ef829da9e1f83cc4f3834d1ea4eef556953b4b83ad1
                                                        • Opcode Fuzzy Hash: 4fee67e7ec1bcf300118a4537c7a7a624a7587b836ca03c53fdade11a9b45d58
                                                        • Instruction Fuzzy Hash: 353132E0E4135CBADA207BB6DC4DC7B7E9ED940B983026916B704D7251DFBCD9008EA8

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 006A24B7: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 006A24D7
                                                          • Part of subcall function 006A24B7: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,007042F8), ref: 006A24F5
                                                          • Part of subcall function 006A24B7: RegCloseKey.KERNELBASE(?), ref: 006A2500
                                                        • Sleep.KERNELBASE(00000BB8), ref: 0069E603
                                                        • ExitProcess.KERNEL32 ref: 0069E672
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseExitOpenProcessQuerySleepValue
                                                        • String ID: 5.3.0 Pro$hHgo$override$pth_unenc$Bp
                                                        • API String ID: 2281282204-3446747417
                                                        • Opcode ID: 6b3796812b547033cc60a5ed359d6040f509bb7aa0dce661fa3cce312e2e1011
                                                        • Instruction ID: 8d197f72b6be4edbccba6a2d29b08e5d06a10f6521791a4d10788026fc301a0c
                                                        • Opcode Fuzzy Hash: 6b3796812b547033cc60a5ed359d6040f509bb7aa0dce661fa3cce312e2e1011
                                                        • Instruction Fuzzy Hash: 06210821B402056BDA887778C82BA3E359F9B83714F90001CF9055BAC7EE658E0087DB

                                                        Control-flow Graph

                                                        control_flow_graph (legend: executed / not executed blocks; the graph is rendered as an image in the original report): function 6999e4 calls GetModuleHandleA and SetWindowsHookExA (6999ff-699a19). If the hook is not installed it calls GetLastError and the logging helpers 6aad46, 694c9e, 691f66, 6aa686 and 691eea (699a1b-699a61, the "Keylogger initialization failure" path); otherwise it runs a GetMessageA / TranslateMessage / DispatchMessageA message loop (699a63-699a8d), which a low-level hook needs on the installing thread.
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00699A01
                                                        • SetWindowsHookExA.USER32(0000000D,006999D0,00000000), ref: 00699A0F
                                                        • GetLastError.KERNEL32 ref: 00699A1B
                                                          • Part of subcall function 006AA686: GetLocalTime.KERNEL32(00000000), ref: 006AA6A0
                                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00699A6B
                                                        • TranslateMessage.USER32(?), ref: 00699A7A
                                                        • DispatchMessageA.USER32(?), ref: 00699A85
                                                        Strings
                                                        • Keylogger initialization failure: error , xrefs: 00699A32
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                        • String ID: Keylogger initialization failure: error
                                                        • API String ID: 3219506041-952744263
                                                        • Opcode ID: 0503fa0a119c98632f0fe3f805e279a5c06bb557a9a65a8e8c835eb9d3cb0cd0
                                                        • Instruction ID: 72d93cb3114526b951b7dd8979d44d6316557671c8ec4557c5822afe18d92de9
                                                        • Opcode Fuzzy Hash: 0503fa0a119c98632f0fe3f805e279a5c06bb557a9a65a8e8c835eb9d3cb0cd0
                                                        • Instruction Fuzzy Hash: 4A11C132604345AFCB50BBBD9C4A86B77EEEB95710B10052EF885C6640EB20DA01CBB2
                                                        APIs
                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,0069460E,00000000,?,?), ref: 0069456A
                                                        • SetEvent.KERNEL32(?,?,?,0069460E,00000000,?,?), ref: 00694588
                                                        • recv.WS2_32(?,?,?,00000000), ref: 0069459F
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: EventObjectSingleWaitrecv
                                                        • String ID:
                                                        • API String ID: 311754179-0
                                                        • Opcode ID: 2cf95625242327cdbef3831b46859c14bf75c8bf62f0487fae94dd87fad2bb23
                                                        • Instruction ID: ed564bd3db1242bbcb12b174fc66d04f52990c29fe66a6b8f519ccf7a3b34f09
                                                        • Opcode Fuzzy Hash: 2cf95625242327cdbef3831b46859c14bf75c8bf62f0487fae94dd87fad2bb23
                                                        • Instruction Fuzzy Hash: 91F08276108212BFD7064B64EC08E4AFBA7FF88720F10861AF610526A08B72AC21DB61
                                                        APIs
                                                        • GetUserNameW.ADVAPI32(?,0069DFC3), ref: 006AA7D7
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: NameUser
                                                        • String ID:
                                                        • API String ID: 2645101109-0
                                                        • Opcode ID: 98545b600ddfcbcb4a3dc3220cce6b6c6b190f458a362f38df82e9a9daf94f96
                                                        • Instruction ID: 55cd7e2453ee10b9dbab3c6c138a7a391bcc9ccaf68d6db70778000a46364c3c
                                                        • Opcode Fuzzy Hash: 98545b600ddfcbcb4a3dc3220cce6b6c6b190f458a362f38df82e9a9daf94f96
                                                        • Instruction Fuzzy Hash: 6C01627290011DABDF41EB90DC45EDDBBBDEF44304F10016AB401B7195EFB0AB898B98
                                                        APIs
                                                        • GetLocaleInfoA.KERNELBASE(00000800,0000005A,00000000,00000003,?,?,?,006A45AD,00703EE8,00704A10,00703EE8,00000000,00703EE8,?,00703EE8,5.3.0 Pro), ref: 0069E68D
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: InfoLocale
                                                        • String ID:
                                                        • API String ID: 2299586839-0
                                                        • Opcode ID: 5b97fcf9fba29430081f5b047fc9fa747b5b8f455ed1034941ffd27e78c36fac
                                                        • Instruction ID: cf35229d77227157df993f53ea8efe565a6a36183784ca6aeb534efd37dbf2e4
                                                        • Opcode Fuzzy Hash: 5b97fcf9fba29430081f5b047fc9fa747b5b8f455ed1034941ffd27e78c36fac
                                                        • Instruction Fuzzy Hash: 15D05E6070021D7BEA109281DC0AE9A7A9CE701BA2F000155BA01DB2C0E9A0AF0086E1

                                                        Control-flow Graph

                                                        control_flow_graph (legend: executed / not executed blocks; the graph is rendered as an image in the original report): function 69d767 first calls the import resolver 6abce3 and GetModuleFileNameW (69d767-69d7e9), reads a registry value through helper 6a24b7 (69d8ff-69d98c), then on the executed path starts worker threads with CreateThread (69dd60, 69de68-69de9f, 69debd-69def4, 69df0e-69df67, 69dfe3-69e017), calls SetProcessDEPPolicy (69dfe0) and StrToIntA (69dd87-69de66), and in one branch loops on Sleep and DeleteFileW (69e0d6-69e0f2) before reaching 69cbac and the connection loop 6a3fd4 (69e12a-69e12f).
                                                        APIs
                                                          • Part of subcall function 006ABCE3: LoadLibraryA.KERNELBASE(Psapi,GetProcessImageFileNameW,?,?,?,?,0069D783), ref: 006ABCF8
                                                          • Part of subcall function 006ABCE3: GetProcAddress.KERNEL32(00000000), ref: 006ABD01
                                                          • Part of subcall function 006ABCE3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0069D783), ref: 006ABD18
                                                          • Part of subcall function 006ABCE3: GetProcAddress.KERNEL32(00000000), ref: 006ABD1B
                                                          • Part of subcall function 006ABCE3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0069D783), ref: 006ABD2D
                                                          • Part of subcall function 006ABCE3: GetProcAddress.KERNEL32(00000000), ref: 006ABD30
                                                          • Part of subcall function 006ABCE3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0069D783), ref: 006ABD41
                                                          • Part of subcall function 006ABCE3: GetProcAddress.KERNEL32(00000000), ref: 006ABD44
                                                          • Part of subcall function 006ABCE3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0069D783), ref: 006ABD55
                                                          • Part of subcall function 006ABCE3: GetProcAddress.KERNEL32(00000000), ref: 006ABD58
                                                          • Part of subcall function 006ABCE3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0069D783), ref: 006ABD65
                                                          • Part of subcall function 006ABCE3: GetProcAddress.KERNEL32(00000000), ref: 006ABD68
                                                          • Part of subcall function 006ABCE3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0069D783), ref: 006ABD75
                                                          • Part of subcall function 006ABCE3: GetProcAddress.KERNEL32(00000000), ref: 006ABD78
                                                          • Part of subcall function 006ABCE3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0069D783), ref: 006ABD85
                                                          • Part of subcall function 006ABCE3: GetProcAddress.KERNEL32(00000000), ref: 006ABD88
                                                          • Part of subcall function 006ABCE3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0069D783), ref: 006ABD99
                                                          • Part of subcall function 006ABCE3: GetProcAddress.KERNEL32(00000000), ref: 006ABD9C
                                                          • Part of subcall function 006ABCE3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0069D783), ref: 006ABDA9
                                                          • Part of subcall function 006ABCE3: GetProcAddress.KERNEL32(00000000), ref: 006ABDAC
                                                          • Part of subcall function 006ABCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0069D783), ref: 006ABDBD
                                                          • Part of subcall function 006ABCE3: GetProcAddress.KERNEL32(00000000), ref: 006ABDC0
                                                          • Part of subcall function 006ABCE3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0069D783), ref: 006ABDD1
                                                          • Part of subcall function 006ABCE3: GetProcAddress.KERNEL32(00000000), ref: 006ABDD4
                                                          • Part of subcall function 006ABCE3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0069D783), ref: 006ABDE5
                                                          • Part of subcall function 006ABCE3: GetProcAddress.KERNEL32(00000000), ref: 006ABDE8
                                                          • Part of subcall function 006ABCE3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0069D783), ref: 006ABDF5
                                                          • Part of subcall function 006ABCE3: GetProcAddress.KERNEL32(00000000), ref: 006ABDF8
                                                          • Part of subcall function 006ABCE3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0069D783), ref: 006ABE06
                                                        • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\IXCbn4ZcdS.exe,00000104), ref: 0069D790
                                                          • Part of subcall function 0069FCBA: __EH_prolog.LIBCMT ref: 0069FCBF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                        • String ID: (Cp$(Cp$0Dp$@Cp$@Cp$Access Level: $Administrator$C:\Users\user\Desktop\IXCbn4ZcdS.exe$Exe$Inj$Remcos Agent initialized$Software\$User$XCp$XCp$XCp$XCp$XCp$XCp$XCp$XCp$XCp$XCp$XCp$XCp$XCp$XCp$XCp$XCp$`=p$dCp$del$del$exepath$licence$license_code.txt$Bp$Bp$Bp$Bp$Bp
                                                        • API String ID: 2830904901-3472742713
                                                        • Opcode ID: e4bfafb3f5108bf829d7cf49dac6f5960fbf2ed0f65eef6ee285a7b2d14b233f
                                                        • Instruction ID: 2747f89b475a12fb5fe6d720031163ea35849281db89d9271d915fd04ea72cc9
                                                        • Opcode Fuzzy Hash: e4bfafb3f5108bf829d7cf49dac6f5960fbf2ed0f65eef6ee285a7b2d14b233f
                                                        • Instruction Fuzzy Hash: 2D32E260B043466BEE99B7748C67A7E369F8F83740F50057DB5029FAC2DE688D05835A

                                                        Control-flow Graph

                                                        control_flow_graph (legend: executed / not executed blocks; the graph is rendered as an image in the original report): function 6a3fd4 is the connection loop: after an optional Sleep (6a4021-6a4028) and setup through 6a402e-6a407c it either takes the error branch, calling WSAGetLastError and the logging helpers (6a4244-6a428a, the "Connection Error" path), or continues through 6a42e5-6a4432 into a long run of string-building helpers around GetTickCount (6a4474-6a4abb), optionally starts a thread with CreateThread (6a4b22-6a4b2e), and after a Sleep (6a4b68-6a4b88) jumps back to 6a40f0, i.e. it retries the connection indefinitely.
                                                        APIs
                                                        • Sleep.KERNEL32(00000000,00000029,007042F8,?,00000000), ref: 006A4028
                                                        • WSAGetLastError.WS2_32 ref: 006A4249
                                                        • Sleep.KERNEL32(00000000,00000002), ref: 006A4B88
                                                          • Part of subcall function 006AA686: GetLocalTime.KERNEL32(00000000), ref: 006AA6A0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Sleep$ErrorLastLocalTime
                                                        • String ID: | $%I64u$5.3.0 Pro$@Cp$C:\Users\user\Desktop\IXCbn4ZcdS.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$TLS Off$TLS On $XCp$XCp$XCp$`=p$dCp$hlight$name$>p$>p$Bp
                                                        • API String ID: 524882891-866857256
                                                        • Opcode ID: 592c187deded14db4a9c81fc1df0d5bfd9f13e3a40872983becb64202b3d90f8
                                                        • Instruction ID: 04e15d4361e824d6292077fe2580ac753c73206abbe4fe5c63df12ceef8b4e76
                                                        • Opcode Fuzzy Hash: 592c187deded14db4a9c81fc1df0d5bfd9f13e3a40872983becb64202b3d90f8
                                                        • Instruction Fuzzy Hash: 0C528F32A001199BCF59F770DC62AFE736B9FA1700F6041ADF80A6A592EF305F45CA59

                                                        Control-flow Graph

                                                        APIs
                                                        • Sleep.KERNELBASE(00001388), ref: 00699E62
                                                          • Part of subcall function 00699D97: CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00699E6F), ref: 00699DCD
                                                          • Part of subcall function 00699D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00699E6F), ref: 00699DDC
                                                          • Part of subcall function 00699D97: Sleep.KERNEL32(00002710,?,?,?,00699E6F), ref: 00699E09
                                                          • Part of subcall function 00699D97: CloseHandle.KERNELBASE(00000000,?,?,?,00699E6F), ref: 00699E10
                                                        • CreateDirectoryW.KERNELBASE(00000000,00000000), ref: 00699E9E
                                                        • GetFileAttributesW.KERNELBASE(00000000), ref: 00699EAF
                                                        • SetFileAttributesW.KERNELBASE(00000000,00000080), ref: 00699EC6
                                                        • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00699F40
                                                          • Part of subcall function 006AB61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00699F65), ref: 006AB633
                                                        • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,006F5900,?,00000000,00000000,00000000,00000000,00000000), ref: 0069A049
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                        • String ID: @Cp$@Cp$XCp$XCp$xAp$xAp
                                                        • API String ID: 3795512280-2346265171
                                                        • Opcode ID: 2ecddcd974eaa568cfc811ad95f8cf89d50c7292d25edde33fda2e1eed9a0197
                                                        • Instruction ID: 5980263d38f1106db3cd299ebc566df611465a0d81f9e0e7e5d2382ce230e252
                                                        • Opcode Fuzzy Hash: 2ecddcd974eaa568cfc811ad95f8cf89d50c7292d25edde33fda2e1eed9a0197
                                                        • Instruction Fuzzy Hash: AA51B2716083455BCF88FB70C866ABF779F5FD2300F10052DF9829B9D2EE259E04869A

                                                        Control-flow Graph

                                                        APIs
                                                        • connect.WS2_32(?,?,?), ref: 006942A5
                                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0069192B), ref: 006943CB
                                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0069192B), ref: 006943D5
                                                        • WSAGetLastError.WS2_32(?,?,?,0069192B), ref: 006943E7
                                                          • Part of subcall function 006AA686: GetLocalTime.KERNEL32(00000000), ref: 006AA6A0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                        • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                        • API String ID: 994465650-2151626615
                                                        • Opcode ID: d01110d1f8875a5806aa435b55952fa78895839ccb8ad3c88fd92d1f2d227f19
                                                        • Instruction ID: 60c868c06336656e70e6b4f3800973e0a1fc01965a7dfa4394938eccc9980608
                                                        • Opcode Fuzzy Hash: d01110d1f8875a5806aa435b55952fa78895839ccb8ad3c88fd92d1f2d227f19
                                                        • Instruction Fuzzy Hash: D0412861B00A0DA79F44B7BD8D5B97D7A9FAB42360B81010DE6024BE83EF51AD1187D7

                                                        Control-flow Graph

                                                        APIs
                                                        • __Init_thread_footer.LIBCMT ref: 0069A456
                                                        • Sleep.KERNELBASE(000001F4), ref: 0069A461
                                                        • GetForegroundWindow.USER32 ref: 0069A467
                                                        • GetWindowTextLengthW.USER32(00000000), ref: 0069A470
                                                        • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0069A4A4
                                                        • Sleep.KERNEL32(000003E8), ref: 0069A574
                                                          • Part of subcall function 00699D58: SetEvent.KERNEL32(?,?,00000000,0069A91C,00000000), ref: 00699D84
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                        • String ID: [${ User has been idle for $ minutes }$]
                                                        • API String ID: 911427763-3954389425
                                                        • Opcode ID: 21ee9dedd3e421cc4871dd669116c2d89b4eabd713531eaa9266b3aacb1906e8
                                                        • Instruction ID: 85538484428f7a0e9e5992b6cd4feb6bf6f2876ab36c8db223a4faf9d05ce65c
                                                        • Opcode Fuzzy Hash: 21ee9dedd3e421cc4871dd669116c2d89b4eabd713531eaa9266b3aacb1906e8
                                                        • Instruction Fuzzy Hash: 765122316082419BCF54FB70D89AABE77DFAF84310F50092DF54286AD1DF209E45C69B

                                                        Control-flow Graph

                                                        APIs
                                                        • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0069CA04
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: LongNamePath
                                                        • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                        • API String ID: 82841172-425784914
                                                        • Opcode ID: 2c54c83b78e9cf791fd00ade763221c0a67a635eeec771a212188da49d5f3f89
                                                        • Instruction ID: 70e4a8bea075e4d90c8e70e0dd85953b54fe46ced5a638bb7f7f69ad3ad1a167
                                                        • Opcode Fuzzy Hash: 2c54c83b78e9cf791fd00ade763221c0a67a635eeec771a212188da49d5f3f89
                                                        • Instruction Fuzzy Hash: 404185321042059BCA54FB20DD92CBFB7EFAE51720F10052EB542969E1EE609E49C65A

                                                        Control-flow Graph

                                                        APIs
                                                        • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 006AA53E
                                                        • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 006AA554
                                                        • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 006AA56D
                                                        • InternetCloseHandle.WININET(00000000), ref: 006AA5B3
                                                        • InternetCloseHandle.WININET(00000000), ref: 006AA5B6
                                                        Strings
                                                        • http://geoplugin.net/json.gp, xrefs: 006AA54E
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Internet$CloseHandleOpen$FileRead
                                                        • String ID: http://geoplugin.net/json.gp
                                                        • API String ID: 3121278467-91888290
                                                        • Opcode ID: 18e634f001c58e0d912be88b8def432597e4a0bad791b7471fb7e30f22cf7363
                                                        • Instruction ID: 1578771746f0c4066dba9cb2632b489bbdaff3c4384657a22387557bb351ff73
                                                        • Opcode Fuzzy Hash: 18e634f001c58e0d912be88b8def432597e4a0bad791b7471fb7e30f22cf7363
                                                        • Instruction Fuzzy Hash: 1011043110A3166BC724AA55DC49EBB7FEEEF86360F00043DF805D2181CB549C08C6B6

                                                        Control-flow Graph

                                                        APIs
                                                          • Part of subcall function 006AB15B: GetCurrentProcess.KERNEL32(?,?,?,0069C914,WinDir,00000000,00000000), ref: 006AB16C
                                                          • Part of subcall function 006A2513: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 006A2537
                                                          • Part of subcall function 006A2513: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 006A2554
                                                          • Part of subcall function 006A2513: RegCloseKey.KERNELBASE(?), ref: 006A255F
                                                        • StrToIntA.SHLWAPI(00000000,006FBC48,?,00000000,00000000,00704358,00000003,Exe,00000000,0000000E,00000000,006F556C,00000003,00000000), ref: 006AA4D9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseCurrentOpenProcessQueryValue
                                                        • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                        • API String ID: 1866151309-2070987746
                                                        • Opcode ID: 17275075aa8fbc5fe8a857781cd184a84e4807e0ecec27663b89b026a8968df1
                                                        • Instruction ID: fb2142393e816059fcd6c3b0627e9359cd0cf4c4efefb53a350edbc6ce6606ad
                                                        • Opcode Fuzzy Hash: 17275075aa8fbc5fe8a857781cd184a84e4807e0ecec27663b89b026a8968df1
                                                        • Instruction Fuzzy Hash: 37116FA0A002066BDB44F7E4CC6BC7F3A5F9B92300F40153DF602975D2EF544E4687A9

                                                        Control-flow Graph

                                                        APIs
                                                        • CreateFileW.KERNELBASE(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00699E6F), ref: 00699DCD
                                                        • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00699E6F), ref: 00699DDC
                                                        • Sleep.KERNEL32(00002710,?,?,?,00699E6F), ref: 00699E09
                                                        • CloseHandle.KERNELBASE(00000000,?,?,?,00699E6F), ref: 00699E10
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$CloseCreateHandleSizeSleep
                                                        • String ID: `Ap
                                                        • API String ID: 1958988193-250682698
                                                        • Opcode ID: 367bb922672aa6e5fbbeac4a6cc40f206d167cebc3aecb6f29366b90a8576d9a
                                                        • Instruction ID: 0820d8683b25398a16575ffd897dde4c6e12351fbd56f84afe2a0c1d5ad00858
                                                        • Opcode Fuzzy Hash: 367bb922672aa6e5fbbeac4a6cc40f206d167cebc3aecb6f29366b90a8576d9a
                                                        • Instruction Fuzzy Hash: 65113671204780AFEF30E76CA8C9A6E3BAFAF56310F04050CF28147E91DA245CA483B9

                                                        Control-flow Graph

                                                        APIs
                                                        • send.WS2_32(?,00000000,00000000,00000000), ref: 006944FD
                                                        • WaitForSingleObject.KERNEL32(?,00000000,LjL,?,?,00000004,?,?,00000004,00703EE8,007045A8,00000000), ref: 0069450E
                                                        • SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00703EE8,007045A8,00000000,?,?,?,?,?,006A4CE9), ref: 0069453C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: EventObjectSingleWaitsend
                                                        • String ID: LjL
                                                        • API String ID: 3963590051-2997353284
                                                        • Opcode ID: 8dd0e7a9b1a527697ed44858991f4649b91b6340adc9aa711dca4cf0dd13ebcf
                                                        • Instruction ID: 7a2183ab7cacf7bbb3195a3b7112021b07918ec1da7d1ebc54ab15a2b2efeb08
                                                        • Opcode Fuzzy Hash: 8dd0e7a9b1a527697ed44858991f4649b91b6340adc9aa711dca4cf0dd13ebcf
                                                        • Instruction Fuzzy Hash: AD21527290011ABBDF05ABF0DC96DEE776EFF14350B00011DF916A6991EE34AA05C6A4

                                                        Control-flow Graph

                                                        APIs
                                                        • CreateThread.KERNEL32(00000000,00000000,006999A9,?,00000000,00000000), ref: 0069992A
                                                        • CreateThread.KERNEL32(00000000,00000000,00699993,?,00000000,00000000), ref: 0069993A
                                                        • CreateThread.KERNEL32(00000000,00000000,006999B5,?,00000000,00000000), ref: 00699946
                                                          • Part of subcall function 0069A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0069A884
                                                          • Part of subcall function 0069A876: wsprintfW.USER32 ref: 0069A905
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateThread$LocalTimewsprintf
                                                        • String ID: Offline Keylogger Started
                                                        • API String ID: 465354869-4114347211
                                                        • Opcode ID: b0742f9ecd76c4046ab6a32f08fd117366e1b86a1fb19b080a0d442b49d2013c
                                                        • Instruction ID: 6af33334dd2bcfbdeae1a9988e9fd47c20d252804fe141c38dbe07ead20789d5
                                                        • Opcode Fuzzy Hash: b0742f9ecd76c4046ab6a32f08fd117366e1b86a1fb19b080a0d442b49d2013c
                                                        • Instruction Fuzzy Hash: 5111CAB160060D7EDA20BB798C87CBF7A9FDA823A4B44051DF94606942DA605E04C6F7

                                                        Control-flow Graph

                                                        APIs
                                                        • GetLocalTime.KERNEL32(00000001,00703EE8,007045A8,00000000,?,?,?,?,?,006A4D8A,?,00000001), ref: 00694946
                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00703EE8,007045A8,00000000,?,?,?,?,?,006A4D8A,?,00000001), ref: 00694994
                                                        • CreateThread.KERNEL32(00000000,00000000,Function_00004B1D,?,00000000,00000000), ref: 006949A7
                                                        Strings
                                                        • KeepAlive | Enabled | Timeout: , xrefs: 0069495C
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Create$EventLocalThreadTime
                                                        • String ID: KeepAlive | Enabled | Timeout:
                                                        • API String ID: 2532271599-1507639952
                                                        • Opcode ID: aec1ff173370eccceb492b19cbca304ded4b179c64743bdbc335a07d820c9929
                                                        • Instruction ID: a8122bd5a6bafa3f0a687c7d87151725f6569dc6114ef1b4bf69d891d9ce2ce5
                                                        • Opcode Fuzzy Hash: aec1ff173370eccceb492b19cbca304ded4b179c64743bdbc335a07d820c9929
                                                        • Instruction Fuzzy Hash: F41106319042987ACF11BBBA8C49FDBBF9E9F47364F44401AF50546641CB749846CBF6
                                                        APIs
                                                        • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 006A26E1
                                                        • RegSetValueExA.KERNELBASE(?,?,00000000,?,00000000,00000000,007042F8,?,?,0069E5FB,hHgo,5.3.0 Pro), ref: 006A2709
                                                        • RegCloseKey.KERNELBASE(?,?,?,0069E5FB,hHgo,5.3.0 Pro), ref: 006A2714
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseCreateValue
                                                        • String ID: pth_unenc
                                                        • API String ID: 1818849710-4028850238
                                                        • Opcode ID: f611f4a25678442cac8dcc2c8e40b0cf13a0cd4b16aa340ff4a4a698cb4a354f
                                                        • Instruction ID: c1c7433ef474c90ceb523987a0584c8cfdd5feeea757c33bdbdc9d191176cdd7
                                                        • Opcode Fuzzy Hash: f611f4a25678442cac8dcc2c8e40b0cf13a0cd4b16aa340ff4a4a698cb4a354f
                                                        • Instruction Fuzzy Hash: 03F030B2540115FBDF41AFA0EC65EEE376EEF15750F209158FD06AA150EA319F04EB50
                                                        APIs
                                                        • RegCreateKeyA.ADVAPI32(80000001,00000000,TUo), ref: 006A27E3
                                                        • RegSetValueExA.KERNELBASE(TUo,000000AF,00000000,00000004,00000001,00000004,?,?,?,0069B94C,006F60E0,00000001,000000AF,006F5554), ref: 006A27FE
                                                        • RegCloseKey.ADVAPI32(?,?,?,?,0069B94C,006F60E0,00000001,000000AF,006F5554), ref: 006A2809
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseCreateValue
                                                        • String ID: TUo
                                                        • API String ID: 1818849710-2385873574
                                                        • Opcode ID: 364c5b65b496abe17a29498c541d877d1edf8afa40a228931798a2dac210ee23
                                                        • Instruction ID: ab7c0ea48106bd76857858b071dba0463a87d7948b20d7a0a97fd572aee997db
                                                        • Opcode Fuzzy Hash: 364c5b65b496abe17a29498c541d877d1edf8afa40a228931798a2dac210ee23
                                                        • Instruction Fuzzy Hash: E7E06DB1640208BBEF219FA09C06FDE7BA9EB05B94F005050FB15EA290D2718E44EBA0
                                                        APIs
                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00694778
                                                        • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0069478C
                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00694797
                                                        • CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 006947A0
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                        • String ID:
                                                        • API String ID: 3360349984-0
                                                        • Opcode ID: 6794fc55f16887751b636a9a8fbff61d7be9a02623f3a2b277ebf9e05f8e8a24
                                                        • Instruction ID: e418956a5c22c0d6b58703a8ee420a43fe2cb2ed96f09705574fbf6733a8e7fb
                                                        • Opcode Fuzzy Hash: 6794fc55f16887751b636a9a8fbff61d7be9a02623f3a2b277ebf9e05f8e8a24
                                                        • Instruction Fuzzy Hash: B1419471508345AFCB44EB60CD55DBFB7EEAF96310F10091DF89286A91DF20DA098756
                                                        APIs
                                                        • CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,006F5900,00000000,00000000,0069C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 006AB5CE
                                                        • SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002), ref: 006AB5EB
                                                        • WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 006AB5FF
                                                        • CloseHandle.KERNELBASE(00000000), ref: 006AB60C
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$CloseCreateHandlePointerWrite
                                                        • String ID:
                                                        • API String ID: 3604237281-0
                                                        • Opcode ID: b854fbf058929efdd65cd8533cc459d5f7ad2636a025f1a066bae1cb5008fab9
                                                        • Instruction ID: 7233bf6cecfd884419efb3b12eac77fa8e595180eeac0076b5cd555da3298ec8
                                                        • Opcode Fuzzy Hash: b854fbf058929efdd65cd8533cc459d5f7ad2636a025f1a066bae1cb5008fab9
                                                        • Instruction Fuzzy Hash: 610145712083047FE7146E28ACC8EBB739FEB43364F142629F611C62C1D7219D068E30
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CountEventTick
                                                        • String ID: >p
                                                        • API String ID: 180926312-4126277341
                                                        • Opcode ID: 39659926e2d6d793d8594ec54a7125576a541a51beffb53f0e684f56aad0e217
                                                        • Instruction ID: d896b8816aa15d8b75ce708e2dbfd81929a98619a43fb70d912d9e5305d34613
                                                        • Opcode Fuzzy Hash: 39659926e2d6d793d8594ec54a7125576a541a51beffb53f0e684f56aad0e217
                                                        • Instruction Fuzzy Hash: E95195311042415BCBA4F774C8A2AFF73EB6F92710F50452DF54A5B592EF305E09C65A
                                                        APIs
                                                        • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0069D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,006F556C,00000003,00000000), ref: 0069BEE6
                                                        • GetLastError.KERNEL32 ref: 0069BEF1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateErrorLastMutex
                                                        • String ID: (Cp
                                                        • API String ID: 1925916568-1112449968
                                                        • Opcode ID: d130012285725c52c9d5172102913b81d746f91660cc96a8052e8faaa82eef12
                                                        • Instruction ID: a7c6c5b81833b752ffe9104fa70d3939b7fab1a7ce15784f68e2569d0bd7dca2
                                                        • Opcode Fuzzy Hash: d130012285725c52c9d5172102913b81d746f91660cc96a8052e8faaa82eef12
                                                        • Instruction Fuzzy Hash: 35D012B0718301DFEB082774AC8A7293596A784702F501269B607DD5D0CB6849405511
                                                        APIs
                                                        • RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 006A2537
                                                        • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 006A2554
                                                        • RegCloseKey.KERNELBASE(?), ref: 006A255F
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseOpenQueryValue
                                                        • String ID:
                                                        • API String ID: 3677997916-0
                                                        • Opcode ID: 424328e82a232f60fb2dd39ebf8d36501ae6f9c47d8ab5f5b8a645d9fb45fcf9
                                                        • Instruction ID: f1a20529af2bbc6882b09901d22b398a02fd111e96cb2045eb0d9f5c4c33992e
                                                        • Opcode Fuzzy Hash: 424328e82a232f60fb2dd39ebf8d36501ae6f9c47d8ab5f5b8a645d9fb45fcf9
                                                        • Instruction Fuzzy Hash: CFF081B6940118BBCF209BA5EC48DEF7FBEEB45750F004055BA06E6100D6309F45DBA0
                                                        APIs
                                                        • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,007042F8), ref: 006A2679
                                                        • RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 006A2692
                                                        • RegCloseKey.KERNELBASE(00000000), ref: 006A269D
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseOpenQueryValue
                                                        • String ID:
                                                        • API String ID: 3677997916-0
                                                        • Opcode ID: 715c0e380c570ba6071523d83d3638ff93df82a19b74b69bcd7355d0bf6cc8ea
                                                        • Instruction ID: bb535a017993b08068a199ddc4fb02c20c726bed51ddff7a773bcdc20c310652
                                                        • Opcode Fuzzy Hash: 715c0e380c570ba6071523d83d3638ff93df82a19b74b69bcd7355d0bf6cc8ea
                                                        • Instruction Fuzzy Hash: B1018C7140522AFBCF21AFA1EC49DEF7F3AEF05760F004054BA0966120E7319AA5DFA0
                                                        APIs
                                                        • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 006A24D7
                                                        • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,007042F8), ref: 006A24F5
                                                        • RegCloseKey.KERNELBASE(?), ref: 006A2500
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseOpenQueryValue
                                                        • String ID:
                                                        • API String ID: 3677997916-0
                                                        • Opcode ID: b943db40f29cc097c10f1088b36e6facdc82673ad9a4770fe136b54462548f3e
                                                        • Instruction ID: 836aa235ad57d9174af33949bd801b4d164e00d13eb472b8bc182917fbf282b3
                                                        • Opcode Fuzzy Hash: b943db40f29cc097c10f1088b36e6facdc82673ad9a4770fe136b54462548f3e
                                                        • Instruction Fuzzy Hash: 73F03075D44208BFDF119FE4AC55FDE7BB9EB04744F104051FA05EA250D6709F549B90
                                                        APIs
                                                        • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?,00000000,?,?,0069B996,006F60E0), ref: 006A2485
                                                        • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,00000000,?,?,0069B996,006F60E0), ref: 006A2499
                                                        • RegCloseKey.KERNELBASE(?,?,?,0069B996,006F60E0), ref: 006A24A4
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseOpenQueryValue
                                                        • String ID:
                                                        • API String ID: 3677997916-0
                                                        • Opcode ID: a55d12bfe2308a5bb056292a47db7cb32c417d774e1e3593efc768850ad4c6a4
                                                        • Instruction ID: e24a5608aa212f28cba711be0b6428c27684a076dd7886fb0856ebb1565ba675
                                                        • Opcode Fuzzy Hash: a55d12bfe2308a5bb056292a47db7cb32c417d774e1e3593efc768850ad4c6a4
                                                        • Instruction Fuzzy Hash: 2EE06571445234BBDF315BA2EC0DDDF7FADEF167A07004040FC09A6211D2218E40EAE0
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _wcslen
                                                        • String ID: xAp
                                                        • API String ID: 176396367-482668418
                                                        • Opcode ID: bf4ee9659b11298747caf930aa0399fd3fc894d4320f7413cece4b63fa707ca6
                                                        • Instruction ID: ca1032e64e3a6a4f918d1830f097152aeb38eab89a1dcce701bca2f77a51907c
                                                        • Opcode Fuzzy Hash: bf4ee9659b11298747caf930aa0399fd3fc894d4320f7413cece4b63fa707ca6
                                                        • Instruction Fuzzy Hash: 0611D6329002099FCF45EF64D852CEF7BBAEF25310B20452EF90257692EF34A965CB94
                                                        APIs
                                                        • GlobalMemoryStatusEx.KERNELBASE(?), ref: 006AA959
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: GlobalMemoryStatus
                                                        • String ID: @
                                                        • API String ID: 1890195054-2766056989
                                                        • Opcode ID: babf84f178bda43100fcb2354b5df55e987676aec79108281614e06c0a03f51f
                                                        • Instruction ID: 34ad41ae03190c419476d3f9e619c8c75686347cb44602aaeb295496e362cf1f
                                                        • Opcode Fuzzy Hash: babf84f178bda43100fcb2354b5df55e987676aec79108281614e06c0a03f51f
                                                        • Instruction Fuzzy Hash: D5D067F9901318DFCB20EFA8E945A8DBBFCFB48214F004529E946E3344E774E9058B94
                                                        APIs
                                                        • socket.WS2_32(?,00000001,00000006), ref: 00694212
                                                          • Part of subcall function 00694262: WSAStartup.WS2_32(00000202,00000000), ref: 00694277
                                                        • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00694252
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateEventStartupsocket
                                                        • String ID:
                                                        • API String ID: 1953588214-0
                                                        • Opcode ID: 77b5e549c54bdecd34a1528fd6107bebdd3807e18e511c3dba4cbfa1e496f7bd
                                                        • Instruction ID: 62a9318c363a6288f11279cefd914f085cc113a356dccaef49a9478367223930
                                                        • Opcode Fuzzy Hash: 77b5e549c54bdecd34a1528fd6107bebdd3807e18e511c3dba4cbfa1e496f7bd
                                                        • Instruction Fuzzy Hash: 04017CB0418B809EDB358F38B845A967FE5AB19314F044A5EF1D687BA1CBB1A442CB14
                                                        APIs
                                                        • HeapAlloc.KERNEL32(00000008,?,00000000,Bp,006D6F74,00000001,00000364,?,00692BE9,?,00692F1C,00000000,Bp,006984A8,?), ref: 006D8747
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AllocHeap
                                                        • String ID: Bp
                                                        • API String ID: 4292702814-1987823655
                                                        • Opcode ID: 41de82fe4e56fff4963f29a230e9e1773f67d797a96719093877ce66c9244303
                                                        • Instruction ID: fdf49bdca180d685114b053ec30c566f400bfcd9796d215556daf250b1ea281b
                                                        • Opcode Fuzzy Hash: 41de82fe4e56fff4963f29a230e9e1773f67d797a96719093877ce66c9244303
                                                        • Instruction Fuzzy Hash: 82F0B432E04225AE9B215A329C49BAE774BAB42BA0B349553E8189B790DE20DD0182E5
                                                        APIs
                                                        • HeapAlloc.KERNEL32(00000000,?,00000000,Bp,006C3627,?,?,00692BE9,?,00692F1C,00000000,Bp,006984A8,?,?,007042E0), ref: 006D6B31
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AllocHeap
                                                        • String ID: Bp
                                                        • API String ID: 4292702814-1987823655
                                                        • Opcode ID: 2f78aa42279ca6ad0e4057c4df6bb9837cd941356c3b1450d1b888ef07647f97
                                                        • Instruction ID: 91c13a5e4ec971bb979af36dab100b4b8c4026019a6cd8559ff30670e79726ee
                                                        • Opcode Fuzzy Hash: 2f78aa42279ca6ad0e4057c4df6bb9837cd941356c3b1450d1b888ef07647f97
                                                        • Instruction Fuzzy Hash: 95E0ED31E0062967EA302A29CC01FAA3A8B8B413A0F150123FC09DA390DB61CC2581A8
                                                        APIs
                                                        • GetForegroundWindow.USER32 ref: 006AAC74
                                                        • GetWindowTextW.USER32(00000000,?,00000100), ref: 006AAC87
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Window$ForegroundText
                                                        • String ID:
                                                        • API String ID: 29597999-0
                                                        • Opcode ID: 4de36d3b6e300d1eeaf63157c6885b9b64ddc0e44d2943352d40bfcd39567b46
                                                        • Instruction ID: 667c046e38b93202432bdbe7ce422a10e4b698ad3c41e929aeef816fdd5a1695
                                                        • Opcode Fuzzy Hash: 4de36d3b6e300d1eeaf63157c6885b9b64ddc0e44d2943352d40bfcd39567b46
                                                        • Instruction Fuzzy Hash: D5E04875A0032467FB60A7649C8EFDA766D9704700F000099B519D61C2E9B09A0487E4
                                                        APIs
                                                        • getaddrinfo.WS2_32(00000000,00000000,00000000,00701B28,00704358,00000000,006A4240,00000000,00000001), ref: 006A3FBC
                                                        • WSASetLastError.WS2_32(00000000), ref: 006A3FC1
                                                          • Part of subcall function 006A3E37: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 006A3E86
                                                          • Part of subcall function 006A3E37: LoadLibraryA.KERNEL32(?), ref: 006A3EC8
                                                          • Part of subcall function 006A3E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 006A3EE8
                                                          • Part of subcall function 006A3E37: FreeLibrary.KERNEL32(00000000), ref: 006A3EEF
                                                          • Part of subcall function 006A3E37: LoadLibraryA.KERNEL32(?), ref: 006A3F27
                                                          • Part of subcall function 006A3E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 006A3F39
                                                          • Part of subcall function 006A3E37: FreeLibrary.KERNEL32(00000000), ref: 006A3F40
                                                          • Part of subcall function 006A3E37: GetProcAddress.KERNEL32(00000000,?), ref: 006A3F4F
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                                        • String ID:
                                                        • API String ID: 1170566393-0
                                                        • Opcode ID: c090fe1730cb6254d005f215ae883abf5f70c6b170e2066c0c1ef315c12d8baf
                                                        • Instruction ID: c3b06104714aff0cdacd068a5df2bf1bf3f09f0b50bf3f22e5eba5dc969e6a26
                                                        • Opcode Fuzzy Hash: c090fe1730cb6254d005f215ae883abf5f70c6b170e2066c0c1ef315c12d8baf
                                                        • Instruction Fuzzy Hash: F6D02B72300131AFE310671C9C00EBBB5DCDFA67207050227F400C7250DA584C02CBA8
                                                        APIs
                                                          • Part of subcall function 006D8706: HeapAlloc.KERNEL32(00000008,?,00000000,Bp,006D6F74,00000001,00000364,?,00692BE9,?,00692F1C,00000000,Bp,006984A8,?), ref: 006D8747
                                                        • _free.LIBCMT ref: 006DEF21
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AllocHeap_free
                                                        • String ID:
                                                        • API String ID: 1080816511-0
                                                        • Opcode ID: 7b4a2f6e9a04df5b0dd70cdaf72135a4707c1be432060349675b23e62071eba1
                                                        • Instruction ID: 905f22483a5098112934715910bab74df02dd68a68402498bf5beeb2c7284f5a
                                                        • Opcode Fuzzy Hash: 7b4a2f6e9a04df5b0dd70cdaf72135a4707c1be432060349675b23e62071eba1
                                                        • Instruction Fuzzy Hash: 4F0126776003046BE331DF65C845A9AFBEAEB89370F25092EE19497380EA31A805C778
                                                        APIs
                                                        • WSAStartup.WS2_32(00000202,00000000), ref: 00694277
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Startup
                                                        • String ID:
                                                        • API String ID: 724789610-0
                                                        • Opcode ID: 527d39936c4366699640f2bef330c6376a81d613d11b04347cfd099d4f6519f0
                                                        • Instruction ID: 3585a10f0d5435000a69b748a5f7c8f8cfe34b8ed31f0012bfa12a2b687ae415
                                                        • Opcode Fuzzy Hash: 527d39936c4366699640f2bef330c6376a81d613d11b04347cfd099d4f6519f0
                                                        • Instruction Fuzzy Hash: D2D012725696488ED610AAF4AC0FCA47B5CD317711F4043AA6CB5866D2EA54271CC3A7
                                                        APIs
                                                        • SetEvent.KERNEL32(?,?), ref: 00696F28
                                                        • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00696FF8
                                                        • DeleteFileW.KERNEL32(00000000), ref: 00697018
                                                          • Part of subcall function 006AB42F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,007042E0,007042F8), ref: 006AB489
                                                          • Part of subcall function 006AB42F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,007042E0,007042F8), ref: 006AB4BB
                                                          • Part of subcall function 006AB42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,007042E0,007042F8), ref: 006AB50C
                                                          • Part of subcall function 006AB42F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,007042E0,007042F8), ref: 006AB561
                                                          • Part of subcall function 006AB42F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,007042E0,007042F8), ref: 006AB568
                                                          • Part of subcall function 00694468: send.WS2_32(?,00000000,00000000,00000000), ref: 006944FD
                                                          • Part of subcall function 00696BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,006F5454,?,?,00000000,00697273,00000000,?,0000000A,00000000), ref: 00696C38
                                                          • Part of subcall function 00696BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00697273,00000000,?,0000000A,00000000), ref: 00696C80
                                                          • Part of subcall function 00696BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00697273,00000000,?,0000000A,00000000,00000000), ref: 00696CC0
                                                          • Part of subcall function 00696BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00696CDD
                                                          • Part of subcall function 006AA686: GetLocalTime.KERNEL32(00000000), ref: 006AA6A0
                                                          • Part of subcall function 00694468: WaitForSingleObject.KERNEL32(?,00000000,LjL,?,?,00000004,?,?,00000004,00703EE8,007045A8,00000000), ref: 0069450E
                                                          • Part of subcall function 00694468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00703EE8,007045A8,00000000,?,?,?,?,?,006A4CE9), ref: 0069453C
                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00697416
                                                        • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 006974F5
                                                        • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0069773A
                                                        • DeleteFileA.KERNEL32(?), ref: 006978CC
                                                          • Part of subcall function 00697A8C: __EH_prolog.LIBCMT ref: 00697A91
                                                          • Part of subcall function 00697A8C: FindFirstFileW.KERNEL32(00000000,?,006F5AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00697B4A
                                                          • Part of subcall function 00697A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00697B6E
                                                        • Sleep.KERNEL32(000007D0), ref: 00697976
                                                        • StrToIntA.SHLWAPI(00000000,00000000), ref: 006979BA
                                                          • Part of subcall function 006ABB77: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 006ABC6C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                                                        • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@p$Unable to delete: $Unable to rename file!$V>p$open$x@p$x@p$x@p$x@p$>p
                                                        • API String ID: 2918587301-4236012801
                                                        • Opcode ID: 4c3cd0e0ebd9ae9f85327cbf21a8f82e37e6cecf6d789fae424952698a82ee9f
                                                        • Instruction ID: 5ffd2333bb19e2af4fea02d92cd0a250ab4e68db328adc74b712a775e4333adb
                                                        • Opcode Fuzzy Hash: 4c3cd0e0ebd9ae9f85327cbf21a8f82e37e6cecf6d789fae424952698a82ee9f
                                                        • Instruction Fuzzy Hash: 6742C5726083059BCE84F774C8679BE77AF9F92700F50091DF5425BA92EF209B09C69B
                                                        APIs
                                                        • __Init_thread_footer.LIBCMT ref: 0069508E
                                                          • Part of subcall function 006C34CF: EnterCriticalSection.KERNEL32(00700D18,00705D2C,?,0069AEAC,00705D2C,006E6D97,?,00000000,00000000), ref: 006C34D9
                                                          • Part of subcall function 006C34CF: LeaveCriticalSection.KERNEL32(00700D18,?,0069AEAC,00705D2C,006E6D97,?,00000000,00000000), ref: 006C350C
                                                          • Part of subcall function 00694468: send.WS2_32(?,00000000,00000000,00000000), ref: 006944FD
                                                        • __Init_thread_footer.LIBCMT ref: 006950CB
                                                        • CreatePipe.KERNEL32(00705CEC,00705CD4,00705BF8,00000000,006F556C,00000000), ref: 0069515E
                                                        • CreatePipe.KERNEL32(00705CD8,00705CF4,00705BF8,00000000), ref: 00695174
                                                        • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00705C08,00705CDC), ref: 006951E7
                                                          • Part of subcall function 006C3519: EnterCriticalSection.KERNEL32(00700D18,?,00705D2C,?,0069AE8B,00705D2C,?,00000000,00000000), ref: 006C3524
                                                          • Part of subcall function 006C3519: LeaveCriticalSection.KERNEL32(00700D18,?,0069AE8B,00705D2C,?,00000000,00000000), ref: 006C3561
                                                        • Sleep.KERNEL32(0000012C,00000093,?), ref: 0069523F
                                                        • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00695264
                                                        • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00695291
                                                          • Part of subcall function 006C38A5: __onexit.LIBCMT ref: 006C38AB
                                                        • WriteFile.KERNEL32(00000000,00000000,?,00000000,00703F98,006F5570,00000062,006F5554), ref: 0069538E
                                                        • Sleep.KERNEL32(00000064,00000062,006F5554), ref: 006953A8
                                                        • TerminateProcess.KERNEL32(00000000), ref: 006953C1
                                                        • CloseHandle.KERNEL32 ref: 006953CD
                                                        • CloseHandle.KERNEL32 ref: 006953D5
                                                        • CloseHandle.KERNEL32 ref: 006953E7
                                                        • CloseHandle.KERNEL32 ref: 006953EF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                        • String ID: P\p$P\p$P\p$P\p$P\p$SystemDrive$cmd.exe
                                                        • API String ID: 3815868655-2528310159
                                                        • Opcode ID: 82ae7134dd7a28545e7000f6c96084d9b58c42efd74bae31fa586b0b9ee3d434
                                                        • Instruction ID: a0b5044fb66ee999ceb92116d5d9e57c7ba3fc8f50779704193e76cf3a34754a
                                                        • Opcode Fuzzy Hash: 82ae7134dd7a28545e7000f6c96084d9b58c42efd74bae31fa586b0b9ee3d434
                                                        • Instruction Fuzzy Hash: FB91E770500B0AEFDB45BB64AC55D3F379FEB40744F50422DF9069A692EE289D048F79
                                                        APIs
                                                        • GetCurrentProcessId.KERNEL32 ref: 006A0F45
                                                          • Part of subcall function 006A27D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUo), ref: 006A27E3
                                                          • Part of subcall function 006A27D5: RegSetValueExA.KERNELBASE(TUo,000000AF,00000000,00000004,00000001,00000004,?,?,?,0069B94C,006F60E0,00000001,000000AF,006F5554), ref: 006A27FE
                                                          • Part of subcall function 006A27D5: RegCloseKey.ADVAPI32(?,?,?,?,0069B94C,006F60E0,00000001,000000AF,006F5554), ref: 006A2809
                                                        • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 006A0F81
                                                        • CreateThread.KERNEL32(00000000,00000000,006A1637,00000000,00000000,00000000), ref: 006A0FE6
                                                          • Part of subcall function 006A24B7: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 006A24D7
                                                          • Part of subcall function 006A24B7: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,007042F8), ref: 006A24F5
                                                          • Part of subcall function 006A24B7: RegCloseKey.KERNELBASE(?), ref: 006A2500
                                                        • CloseHandle.KERNEL32(00000000), ref: 006A0F90
                                                          • Part of subcall function 006AA686: GetLocalTime.KERNEL32(00000000), ref: 006AA6A0
                                                        • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 006A125A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                                                        • String ID: 0Dp$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$Bp
                                                        • API String ID: 65172268-3398649267
                                                        • Opcode ID: debb49f1d8a0d5424ce2562201e6b0b538d0d6b864834cf3fe1f8c72619ca3f5
                                                        • Instruction ID: ef35ffe299bf356fdb97b100cb10b03af12fc48092a069828b1ef4c4e4862e83
                                                        • Opcode Fuzzy Hash: debb49f1d8a0d5424ce2562201e6b0b538d0d6b864834cf3fe1f8c72619ca3f5
                                                        • Instruction Fuzzy Hash: 9571D3316042465BCA54F770CC67DBFB7ABAF93710F50052DF5429A5D2EF209E08CA9A
                                                        APIs
                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0069B3B4
                                                        • FindClose.KERNEL32(00000000), ref: 0069B3CE
                                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0069B4F1
                                                        • FindClose.KERNEL32(00000000), ref: 0069B517
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Find$CloseFile$FirstNext
                                                        • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                        • API String ID: 1164774033-3681987949
                                                        • Opcode ID: eb8afc10e7a071b0fe48b0b96ec5dfafb1a70919de90079102b9ad1ce4c2a8db
                                                        • Instruction ID: f395b90a81eae21b8807b3b2c2918e4c1daedcc4eef0be64a20ac4af99be6932
                                                        • Opcode Fuzzy Hash: eb8afc10e7a071b0fe48b0b96ec5dfafb1a70919de90079102b9ad1ce4c2a8db
                                                        • Instruction Fuzzy Hash: 66513A3190420E9ADF54FBA0EC569FD777EAF62310F50005DF906AA492EF30AB49CA58
                                                        APIs
                                                        • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0069B5B2
                                                        • FindClose.KERNEL32(00000000), ref: 0069B5CC
                                                        • FindNextFileA.KERNEL32(00000000,?), ref: 0069B68C
                                                        • FindClose.KERNEL32(00000000), ref: 0069B6B2
                                                        • FindClose.KERNEL32(00000000), ref: 0069B6D1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Find$Close$File$FirstNext
                                                        • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                        • API String ID: 3527384056-432212279
                                                        • Opcode ID: f7b41c47be084cff4df3a8fc6e18319cc8c8bb7ac6d0eb9c08a64a93775329ae
                                                        • Instruction ID: 2e9b43546b94a876c094d28054c97d45914a166290daba110cd66ac59221b08a
                                                        • Opcode Fuzzy Hash: f7b41c47be084cff4df3a8fc6e18319cc8c8bb7ac6d0eb9c08a64a93775329ae
                                                        • Instruction Fuzzy Hash: F9417E3290461E9ACF54FBA0ED568FD776FAF22310F60105DF9029B491EF206B49CA98
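The two entries above (refs 0069B3B4..0069B517 and 0069B5B2..0069B6D1) are not credential theft: their strings say "StoredLogins Cleared" and "cookies found, cleared!", and the API set is only a FindFirstFileA/FindNextFileA walk of %UserProfile%\AppData\Roaming\Mozilla\Firefox\Profiles\ followed by deletion of logins.json, key3.db and cookies.sqlite. The host artefact such a routine leaves is therefore a profile that has clearly been used but lacks files Firefox itself creates on first start. The following Python script is an added example for that check; it is not part of the Joe Sandbox report or of Remcos. The file names come from the String IDs above, key4.db is added because Firefox 58 and later use it in place of key3.db, and the profile names in the constructed fixture are invented.

```python
"""Host triage for the Firefox wipe routines above: a used profile that lacks the files
those routines delete is the artefact they leave behind (added example, not report code)."""
import tempfile
from pathlib import Path

# Targets named in the report's String IDs. Firefox 58+ keeps the login master key in
# key4.db instead of key3.db, so either one counts as the key database.
ARTEFACTS = {"logins": ("logins.json",), "keydb": ("key3.db", "key4.db"), "cookies": ("cookies.sqlite",)}


def profiles_root(user_profile: Path) -> Path:
    # %UserProfile%\AppData\Roaming\Mozilla\Firefox\Profiles\ , the path the sample builds
    return user_profile / "AppData" / "Roaming" / "Mozilla" / "Firefox" / "Profiles"


def audit_profiles(user_profile: Path) -> dict:
    """{profile dir name: [missing artefact classes]} for every profile that has been used.
    A profile counts as used when places.sqlite exists. Firefox creates cookies.sqlite and the
    key database on first run, so their absence is a strong signal; logins.json only appears
    once a login has been saved, so a missing 'logins' on its own is weak."""
    root = profiles_root(user_profile)
    findings = {}
    if not root.is_dir():
        return findings
    for prof in sorted(p for p in root.iterdir() if p.is_dir()):
        if not (prof / "places.sqlite").exists():
            continue  # never started, nothing to judge
        missing = [cls for cls, names in ARTEFACTS.items()
                   if not any((prof / n).exists() for n in names)]
        findings[prof.name] = missing
    return findings


def suspicious(findings: dict) -> list:
    """Profiles missing a file Firefox always creates itself (cookies or the key database)."""
    return sorted(p for p, m in findings.items() if "cookies" in m or "keydb" in m)


def build_demo_tree() -> Path:
    """Constructed fixture: one intact profile, one that looks like the wipe routines ran.
    Profile names and file contents are invented placeholders."""
    user = Path(tempfile.mkdtemp())
    intact = profiles_root(user) / "ab12cd34.default-release"
    wiped = profiles_root(user) / "ef56gh78.default"
    for d in (intact, wiped):
        d.mkdir(parents=True)
        (d / "places.sqlite").write_bytes(b"SQLite format 3\x00")  # header bytes only
    for n in ("logins.json", "key4.db", "cookies.sqlite"):
        (intact / n).write_bytes(b"")
    return user


if __name__ == "__main__":
    found = audit_profiles(build_demo_tree())
    print(found, "suspicious:", suspicious(found))
```

On a live Windows host call `audit_profiles(Path(os.environ["UserProfile"]))` (the sample reads the same UserProfile variable, per the String ID above); on a mounted image pass the user's profile directory instead. Treat a hit as a prompt to check the NTFS journal or $MFT for the deleted file names before concluding the routine ran.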
                                                        APIs
                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00704358), ref: 0069E233
                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00704358), ref: 0069E25E
                                                        • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0069E27A
                                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0069E2FD
                                                        • CloseHandle.KERNEL32(00000000,?,?,00704358), ref: 0069E30C
                                                          • Part of subcall function 006A27D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUo), ref: 006A27E3
                                                          • Part of subcall function 006A27D5: RegSetValueExA.KERNELBASE(TUo,000000AF,00000000,00000004,00000001,00000004,?,?,?,0069B94C,006F60E0,00000001,000000AF,006F5554), ref: 006A27FE
                                                          • Part of subcall function 006A27D5: RegCloseKey.ADVAPI32(?,?,?,?,0069B94C,006F60E0,00000001,000000AF,006F5554), ref: 006A2809
                                                        • CloseHandle.KERNEL32(00000000,?,?,00704358), ref: 0069E371
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                                                        • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$Bp
                                                        • API String ID: 726551946-217291161
                                                        • Opcode ID: a5e767cbdad03e350d67468b4f4d06c37f1d738b9dda03904ff1de9d222da891
                                                        • Instruction ID: 51d56a822da4207b42ac4a7afe20c5873974960f7f712d983571c27d5d984d71
                                                        • Opcode Fuzzy Hash: a5e767cbdad03e350d67468b4f4d06c37f1d738b9dda03904ff1de9d222da891
                                                        • Instruction Fuzzy Hash: 9F7151311083418BCFA4FB60D8919EE77EFAF92354F50092DF98647592EF319A09CB5A
                                                        APIs
                                                        • OpenClipboard.USER32 ref: 006A59C7
                                                        • EmptyClipboard.USER32 ref: 006A59D5
                                                        • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 006A59F5
                                                        • GlobalLock.KERNEL32(00000000), ref: 006A59FE
                                                        • GlobalUnlock.KERNEL32(00000000), ref: 006A5A34
                                                        • SetClipboardData.USER32(0000000D,00000000), ref: 006A5A3D
                                                        • CloseClipboard.USER32 ref: 006A5A5A
                                                        • OpenClipboard.USER32 ref: 006A5A61
                                                        • GetClipboardData.USER32(0000000D), ref: 006A5A71
                                                        • GlobalLock.KERNEL32(00000000), ref: 006A5A7A
                                                        • GlobalUnlock.KERNEL32(00000000), ref: 006A5A83
                                                        • CloseClipboard.USER32 ref: 006A5A89
                                                          • Part of subcall function 00694468: send.WS2_32(?,00000000,00000000,00000000), ref: 006944FD
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                        • String ID:
                                                        • API String ID: 3520204547-0
                                                        • Opcode ID: d6bcbdee5719f5a6deabd452a26b1ee04b1ab7af636487433cf41e61bfa2b993
                                                        • Instruction ID: 27a7b4cf130ccb4f33cbc74d3a0830f22cdcde1471563ed2f4b36999941ea8b2
                                                        • Opcode Fuzzy Hash: d6bcbdee5719f5a6deabd452a26b1ee04b1ab7af636487433cf41e61bfa2b993
                                                        • Instruction Fuzzy Hash: D921A4722043419FCB54BBB0DC9AAFE76AFAF91701F04152DF9038A591EF308D099A66
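Read together, the entries for the 0x690000 image above are a capability map of the injected Remcos payload: the file manager (refs 00696F28..006979BA, strings "Downloading file:", "Executing file:"), the remote shell that spawns cmd.exe with two CreatePipe handles and bInheritHandles set, then polls its output with Sleep(0x12C)/PeekNamedPipe/ReadFile (refs 0069508E..006953EF), the watchdog (OpenMutexA, CreateThread, OpenProcess, "Remcos restarted by watchdog!"), the two Firefox wipers, the Toolhelp32 walk that picks ieinstal.exe/ielowutil.exe as injection targets, and the clipboard routine that both sets and reads CF_UNICODETEXT (0x0D). One detail worth noting is that the same subcall, 00694468 (send + WaitForSingleObject + SetEvent), is listed under the file manager, the shell and the clipboard reader: it is the C2 transmit path, so all three feed the operator directly. The Python script below is an added example, not part of the Joe Sandbox report or of Remcos: it parses entries in the report's own "• API.Module(args), ref: addr" / "• String ID:" form and applies capa-style rules whose API names and strings are taken only from the listings above. The rule names, the entry labels, and the sample entries (lines copied, abridged, from the report) are my additions; dropping strings shorter than four bytes to lose the "H@p"-style junk is a heuristic.

```python
import re
from dataclasses import dataclass, field

# One bullet per API call, optionally prefixed with "Part of subcall function <callee>:".
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})",
    re.MULTILINE)
STR_RE = re.compile(r"^\s*•\s*String ID:\s*(?P<ids>.*)$", re.MULTILINE)


@dataclass
class FunctionEntry:
    direct: set = field(default_factory=set)      # APIs the function calls itself
    subcalls: dict = field(default_factory=dict)  # callee address -> APIs reached via it
    strings: set = field(default_factory=set)

    def apis(self) -> set:
        return self.direct | set().union(*self.subcalls.values())


def parse_entry(text: str) -> FunctionEntry:
    entry = FunctionEntry()
    for m in API_RE.finditer(text):
        if m["sub"]:
            entry.subcalls.setdefault(m["sub"], set()).add(m["api"])
        else:
            entry.direct.add(m["api"])
    m = STR_RE.search(text)
    if m:  # '$' separates strings; dropping 2-3 byte entries such as 'H@p' is a heuristic
        entry.strings = {s for s in m["ids"].split("$") if len(s) >= 4}
    return entry


# Rule = (APIs that must all be present directly or via a listed subcall,
#         substrings that must each occur, case-insensitively, in some extracted string)
RULES = {
    "remote shell: cmd.exe over anonymous pipes, output via send": (
        {"CreatePipe", "CreateProcessA", "PeekNamedPipe", "ReadFile", "WriteFile", "send"}, {"cmd.exe"}),
    "watchdog process: restarts the RAT when killed": (
        {"OpenMutexA", "CreateThread", "OpenProcess"}, {"watchdog"}),
    "Firefox saved-login wipe": (
        {"FindFirstFileA", "FindNextFileA"}, {"mozilla\\firefox\\profiles", "logins.json"}),
    "Firefox cookie wipe": (
        {"FindFirstFileA", "FindNextFileA"}, {"mozilla\\firefox\\profiles", "cookies.sqlite"}),
    "clipboard read + exfiltration": ({"OpenClipboard", "GetClipboardData", "send"}, set()),
    "injection target enumeration via Toolhelp32": (
        {"CreateToolhelp32Snapshot", "Process32FirstW", "Process32NextW"}, {"ieinstal.exe"}),
    "keylogger: ToUnicodeEx on GetKeyboardState": (
        {"GetForegroundWindow", "GetKeyboardState", "ToUnicodeEx"}, set()),
}


def classify(entry: FunctionEntry) -> list:
    apis, lowered = entry.apis(), [s.lower() for s in entry.strings]
    return [name for name, (need, needles) in RULES.items()
            if need <= apis and all(any(n in s for s in lowered) for n in needles)]


def shared_subcalls(entries: dict) -> dict:
    """Callees listed under more than one entry (00694468 is the C2 transmit routine)."""
    seen = {}
    for name, e in entries.items():
        for callee in e.subcalls:
            seen.setdefault(callee, []).append(name)
    return {c: sorted(n) for c, n in seen.items() if len(n) > 1}


# Constructed input: lines copied (abridged) from the report entries above.
SAMPLE_ENTRIES = {
    "remote shell (refs 0069508E..006953EF)": r"""
  • Part of subcall function 00694468: send.WS2_32(?,00000000,00000000,00000000), ref: 006944FD
• CreatePipe.KERNEL32(00705CEC,00705CD4,00705BF8,00000000,006F556C,00000000), ref: 0069515E
• CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00705C08,00705CDC), ref: 006951E7
• PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00695264
• ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00695291
• WriteFile.KERNEL32(00000000,00000000,?,00000000,00703F98,006F5570,00000062,006F5554), ref: 0069538E
• String ID: P\p$P\p$SystemDrive$cmd.exe
""",
    "watchdog (refs 006A0F45..006A125A)": r"""
  • Part of subcall function 006A27D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUo), ref: 006A27E3
• OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 006A0F81
• CreateThread.KERNEL32(00000000,00000000,006A1637,00000000,00000000,00000000), ref: 006A0FE6
• OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 006A125A
• String ID: 0Dp$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$Bp
""",
    "firefox logins (refs 0069B3B4..0069B517)": r"""
• FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0069B3B4
• FindNextFileA.KERNEL32(00000000,?), ref: 0069B4F1
• String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
""",
    "clipboard (refs 006A59C7..006A5A89)": r"""
• OpenClipboard.USER32 ref: 006A59C7
• GetClipboardData.USER32(0000000D), ref: 006A5A71
  • Part of subcall function 00694468: send.WS2_32(?,00000000,00000000,00000000), ref: 006944FD
• String ID:
""",
    "directory walk in the 0x400000 image (refs 00414CC8..00414E00)": r"""
• FindFirstFileA.KERNEL32(?,?), ref: 00414CC8
• FindNextFileA.KERNEL32(00000000,?), ref: 00414DDE
• String ID: *.*$\$\*.*
""",
}


def triage(samples: dict = SAMPLE_ENTRIES) -> dict:
    return {name: classify(parse_entry(text)) for name, text in samples.items()}
```

The last sample, the generic `*.*` directory walk from the unpacked 0x400000 image, is a negative control: the same Find* APIs match no rule without the Firefox profile strings, which is why the rules pair API sets with strings rather than matching on imports alone. Run `triage()` and `shared_subcalls({n: parse_entry(t) for n, t in SAMPLE_ENTRIES.items()})` to see the capability per entry and the shared 00694468 transmit routine.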
                                                        APIs
                                                        • FindFirstFileA.KERNEL32(?,?), ref: 00414CC8
                                                        • FindNextFileA.KERNEL32(00000000,?), ref: 00414DDE
                                                        • FindClose.KERNEL32(00000000), ref: 00414DED
                                                        • FindFirstFileA.KERNEL32(?,?,?,?), ref: 00414E00
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3852697446.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.3852676846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.3852803469.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.3853277306.0000000000454000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.3853306344.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.3853306344.000000000057A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.3853306344.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Find$File$First$CloseNext
                                                        • String ID: *.*$\$\*.*
                                                        • API String ID: 2001080981-2301768657
                                                        • Opcode ID: 6fd555c80d88ff68a725cc0c8a0bfababf08fce1e919103a46c7dabedfcc3ed1
                                                        • Instruction ID: a8a72605bd69f8ac0c64504b566f5f70f8f2b3987ac3faeae44afcbdd81da1c4
                                                        • Opcode Fuzzy Hash: 6fd555c80d88ff68a725cc0c8a0bfababf08fce1e919103a46c7dabedfcc3ed1
                                                        • Instruction Fuzzy Hash: 707139711087854BD721CB24A8187FBB7D9EFC2305F14492AEDC597341EB38988A87AA
                                                        APIs
                                                        • FindFirstFileA.KERNEL32(?,?), ref: 00414CC8
                                                        • FindNextFileA.KERNEL32(00000000,?), ref: 00414DDE
                                                        • FindClose.KERNEL32(00000000), ref: 00414DED
                                                        • FindFirstFileA.KERNEL32(?,?,?,?), ref: 00414E00
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3852697446.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.3852676846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.3852803469.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.3853277306.0000000000454000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.3853306344.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.3853306344.000000000057A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.3853306344.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Find$File$First$CloseNext
                                                        • String ID: *.*$\$\*.*
                                                        • API String ID: 2001080981-2301768657
                                                        • Opcode ID: 83a6a2b75fe7ddae7e29f215196850a4e8ebe6461e0ee2428b67daca4b15ab97
                                                        • Instruction ID: b82011f7364226d73ca0ef2ff54cbf09d9b1c66aee7853f02d9bb4e8a0548972
                                                        • Opcode Fuzzy Hash: 83a6a2b75fe7ddae7e29f215196850a4e8ebe6461e0ee2428b67daca4b15ab97
                                                        • Instruction Fuzzy Hash: 636139711087854BD721CB24A8187FBB7D9FFC2305F14492AED8597341EB38998AC7AA
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 0$1$2$3$4$5$6$7
                                                        • API String ID: 0-3177665633
                                                        • Opcode ID: 265ab5625cd68e9cd26a05c8f4a0edf1227e3c12391fa60df021b2a245fc8347
                                                        • Instruction ID: 687fe217de28ab014b1a2d0bdb8bdc48fed2cc2a27ad9c7f8bd1f8383c8162af
                                                        • Opcode Fuzzy Hash: 265ab5625cd68e9cd26a05c8f4a0edf1227e3c12391fa60df021b2a245fc8347
                                                        • Instruction Fuzzy Hash: 10619E30508301AEDB00EF20C892FAA77EAAF96750F40484DF991576E6DF309E09CB57
APIs
• GetForegroundWindow.USER32(?,?,007040F8), ref: 00699B3F
• GetWindowThreadProcessId.USER32(00000000,?), ref: 00699B4B
• GetKeyboardLayout.USER32(00000000), ref: 00699B52
• GetKeyState.USER32(00000010), ref: 00699B5C
• GetKeyboardState.USER32(?,?,007040F8), ref: 00699B67
• ToUnicodeEx.USER32(0070414C,?,?,?,00000010,00000000,00000000), ref: 00699B8A
• ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00699BE3
• ToUnicodeEx.USER32(0070414C,?,?,?,00000010,00000000,00000000), ref: 00699C1C
Similarity
• API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
• String ID: 8[p
• API String ID: 1888522110-3698563225
APIs
• _wcslen.LIBCMT ref: 00696788
• CoGetObject.OLE32(?,00000024,006F59B0,00000000), ref: 006967E9
Similarity
• API ID: Object_wcslen
• String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
• API String ID: 240030777-3166923314
APIs
• OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,007048F8), ref: 006A98D8
• EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 006A9927
• GetLastError.KERNEL32 ref: 006A9935
• EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 006A996D
Similarity
• API ID: EnumServicesStatus$ErrorLastManagerOpen
• String ID:
• API String ID: 3587775597-0
APIs
  • Part of subcall function 006D6EBF: GetLastError.KERNEL32(?,00000000,006D0A45,?,006AAB73,-00705D4C,?,?,?,?,006F5900,0069C07B,.vbs), ref: 006D6EC3
  • Part of subcall function 006D6EBF: _free.LIBCMT ref: 006D6EF6
  • Part of subcall function 006D6EBF: SetLastError.KERNEL32(00000000,?,006AAB73,-00705D4C,?,?,?,?,006F5900,0069C07B,.vbs), ref: 006D6F37
  • Part of subcall function 006D6EBF: _abort.LIBCMT ref: 006D6F3D
  • Part of subcall function 006D6EBF: _free.LIBCMT ref: 006D6F1E
  • Part of subcall function 006D6EBF: SetLastError.KERNEL32(00000000,?,006AAB73,-00705D4C,?,?,?,?,006F5900,0069C07B,.vbs), ref: 006D6F2B
• GetUserDefaultLCID.KERNEL32(?,?,?), ref: 006E14C3
• IsValidCodePage.KERNEL32(00000000), ref: 006E151E
• IsValidLocale.KERNEL32(?,00000001), ref: 006E152D
• GetLocaleInfoW.KERNEL32(?,00001001,<m,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 006E1575
• GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 006E1594
Similarity
• API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
• String ID: <m$<m$<m
• API String ID: 745075371-4230526536
APIs
• FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,007042E0,007042F8), ref: 006AB489
• FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,007042E0,007042F8), ref: 006AB4BB
• SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,007042E0,007042F8), ref: 006AB529
• DeleteFileW.KERNEL32(?,?,?,?,?,?,?,007042E0,007042F8), ref: 006AB536
  • Part of subcall function 006AB42F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,007042E0,007042F8), ref: 006AB50C
• FindClose.KERNEL32(00000000,?,?,?,?,?,?,007042E0,007042F8), ref: 006AB561
• RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,007042E0,007042F8), ref: 006AB568
• GetLastError.KERNEL32(?,?,?,?,?,?,007042E0,007042F8), ref: 006AB570
• FindClose.KERNEL32(00000000,?,?,?,?,?,?,007042E0,007042F8), ref: 006AB583
Similarity
• API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
• String ID:
• API String ID: 2341273852-0
APIs
• FindFirstFileW.KERNEL32(00000000,?), ref: 006A8EBF
• FindNextFileW.KERNEL32(00000000,?,?), ref: 006A8F8B
  • Part of subcall function 006AB61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00699F65), ref: 006AB633
Similarity
• API ID: File$Find$CreateFirstNext
• String ID: @Cp$XCp$`Hp$`Hp$>p
• API String ID: 341183262-488922088
APIs
• RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 006A301A
• RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 006A3026
  • Part of subcall function 00694468: send.WS2_32(?,00000000,00000000,00000000), ref: 006944FD
• LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 006A31ED
• GetProcAddress.KERNEL32(00000000), ref: 006A31F4
Similarity
• API ID: AddressCloseCreateLibraryLoadProcsend
• String ID: SHDeleteKeyW$Shlwapi.dll
• API String ID: 2127411465-314212984
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0069B257
• GetLastError.KERNEL32 ref: 0069B261
Strings
• \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0069B222
• UserProfile, xrefs: 0069B227
• [Chrome StoredLogins found, cleared!], xrefs: 0069B287
• [Chrome StoredLogins not found], xrefs: 0069B27B
Similarity
• API ID: DeleteErrorFileLast
• String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
• API String ID: 2018770650-1062637481
APIs
• GetCurrentProcess.KERNEL32(00000028,?), ref: 006A6AC4
• OpenProcessToken.ADVAPI32(00000000), ref: 006A6ACB
• LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 006A6ADD
• AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 006A6AFC
• GetLastError.KERNEL32 ref: 006A6B02
Similarity
• API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
• String ID: SeShutdownPrivilege
• API String ID: 3534403312-3733053543
APIs
• __EH_prolog.LIBCMT ref: 006989AE
  • Part of subcall function 006941F1: socket.WS2_32(?,00000001,00000006), ref: 00694212
  • Part of subcall function 0069428C: connect.WS2_32(?,?,?), ref: 006942A5
• FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00698A8D
• FindNextFileW.KERNEL32(00000000,?), ref: 00698AE0
• FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00698AF7
  • Part of subcall function 00694468: WaitForSingleObject.KERNEL32(?,00000000,LjL,?,?,00000004,?,?,00000004,00703EE8,007045A8,00000000), ref: 0069450E
  • Part of subcall function 00694468: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,00703EE8,007045A8,00000000,?,?,?,?,?,006A4CE9), ref: 0069453C
  • Part of subcall function 006947EB: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00694B8E,?,?,?,00694B26), ref: 006947FD
  • Part of subcall function 006947EB: SetEvent.KERNEL32(?,?,?,?,00000000,?,00694B8E,?,?,?,00694B26), ref: 00694808
  • Part of subcall function 006947EB: CloseHandle.KERNEL32(?,?,?,?,00000000,?,00694B8E,?,?,?,00694B26), ref: 00694811
• __CxxThrowException@8.LIBVCRUNTIME ref: 00698DA1
  • Part of subcall function 00694468: send.WS2_32(?,00000000,00000000,00000000), ref: 006944FD
Similarity
• API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
• String ID:
• API String ID: 4043647387-0
APIs
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,006A981A,00000000,00000000), ref: 006A9BCD
• OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,006A981A,00000000,00000000), ref: 006A9BE2
• CloseServiceHandle.ADVAPI32(00000000,?,?,006A981A,00000000,00000000), ref: 006A9BEF
• StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,006A981A,00000000,00000000), ref: 006A9BFA
• CloseServiceHandle.ADVAPI32(00000000,?,?,006A981A,00000000,00000000), ref: 006A9C0C
• CloseServiceHandle.ADVAPI32(00000000,?,?,006A981A,00000000,00000000), ref: 006A9C0F
Similarity
• API ID: Service$CloseHandle$Open$ManagerStart
• String ID:
• API String ID: 276877138-0
APIs
  • Part of subcall function 006A6AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 006A6AC4
  • Part of subcall function 006A6AB7: OpenProcessToken.ADVAPI32(00000000), ref: 006A6ACB
  • Part of subcall function 006A6AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 006A6ADD
  • Part of subcall function 006A6AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 006A6AFC
  • Part of subcall function 006A6AB7: GetLastError.KERNEL32 ref: 006A6B02
• ExitWindowsEx.USER32(00000000,00000001), ref: 006A595B
• LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 006A5970
• GetProcAddress.KERNEL32(00000000), ref: 006A5977
Similarity
• API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
• String ID: PowrProf.dll$SetSuspendState
• API String ID: 1589313981-1420736420
APIs
• GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,006E1502,?,00000000), ref: 006E127C
• GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,006E1502,?,00000000), ref: 006E12A5
• GetACP.KERNEL32(?,?,006E1502,?,00000000), ref: 006E12BA
Similarity
• API ID: InfoLocale
• String ID: ACP$OCP
• API String ID: 2299586839-711371036
APIs
• __EH_prolog.LIBCMT ref: 00697A91
• FindFirstFileW.KERNEL32(00000000,?,006F5AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00697B4A
• FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00697B6E
• FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00697C76
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Find$File$CloseFirstH_prologNext
                                                        APIs
                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00696234
                                                        • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00696318
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: DownloadExecuteFileShell
                                                        • String ID: C:\Users\user\Desktop\IXCbn4ZcdS.exe$open
                                                        APIs
                                                        • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00696ADD
                                                        • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00696BA5
                                                          • Part of subcall function 00694468: send.WS2_32(?,00000000,00000000,00000000), ref: 006944FD
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: FileFind$FirstNextsend
                                                        • String ID: x@p$x@p
                                                        APIs
                                                        • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 006ABC6C
                                                          • Part of subcall function 006A26D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 006A26E1
                                                          • Part of subcall function 006A26D2: RegSetValueExA.KERNELBASE(?,?,00000000,?,00000000,00000000,007042F8,?,?,0069E5FB,hHgo,5.3.0 Pro), ref: 006A2709
                                                          • Part of subcall function 006A26D2: RegCloseKey.KERNELBASE(?,?,?,0069E5FB,hHgo,5.3.0 Pro), ref: 006A2714
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: CloseCreateInfoParametersSystemValue
                                                        • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                        APIs
                                                        • IsDebuggerPresent.KERNEL32(?,?,?,?,?,00000000), ref: 006CA755
                                                        • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,00000000), ref: 006CA75F
                                                        • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,00000000), ref: 006CA76C
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                        • String ID: Bp
                                                        APIs
                                                          • Part of subcall function 006D6EBF: GetLastError.KERNEL32(?,00000000,006D0A45,?,006AAB73,-00705D4C,?,?,?,?,006F5900,0069C07B,.vbs), ref: 006D6EC3
                                                          • Part of subcall function 006D6EBF: _free.LIBCMT ref: 006D6EF6
                                                          • Part of subcall function 006D6EBF: SetLastError.KERNEL32(00000000,?,006AAB73,-00705D4C,?,?,?,?,006F5900,0069C07B,.vbs), ref: 006D6F37
                                                          • Part of subcall function 006D6EBF: _abort.LIBCMT ref: 006D6F3D
                                                        • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,006D3CF3,?,?,?,?,?,?,00000004), ref: 006E0B61
                                                        • _wcschr.LIBVCRUNTIME ref: 006E0BF1
                                                        • _wcschr.LIBVCRUNTIME ref: 006E0BFF
                                                        • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,006D3CF3,00000000,006D3E13), ref: 006E0CA2
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 00698DAC
                                                        • FindFirstFileW.KERNEL32(00000000,?), ref: 00698E24
                                                        • FindNextFileW.KERNEL32(00000000,?), ref: 00698E4D
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: FileFind$FirstH_prologNext
                                                        APIs
                                                        • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,006C26C2,00000024,?,?,?), ref: 006C294C
                                                        • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,006BCBBE,?), ref: 006C2962
                                                        • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,006BCBBE,?), ref: 006C2974
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Crypt$Context$AcquireRandomRelease
                                                        APIs
                                                        • GetCurrentProcess.KERNEL32(00000003,?,006D252A,00000003,006FDAE0,0000000C,006D2681,00000003,00000002,00000000,?,006D53F8,00000003), ref: 006D2575
                                                        • TerminateProcess.KERNEL32(00000000,?,006D252A,00000003,006FDAE0,0000000C,006D2681,00000003,00000002,00000000,?,006D53F8,00000003), ref: 006D257C
                                                        • ExitProcess.KERNEL32 ref: 006D258E
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Process$CurrentExitTerminate
                                                        APIs
                                                        • SetUnhandledExceptionFilter.KERNEL32(Function_00033CE3,006C39B1), ref: 006C3CDC
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ExceptionFilterUnhandled
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: HeapProcess
                                                        APIs
                                                        • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 006A7FB9
                                                        • CreateCompatibleDC.GDI32(00000000), ref: 006A7FC4
                                                          • Part of subcall function 006A8452: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 006A8482
                                                        • CreateCompatibleBitmap.GDI32(?,00000000), ref: 006A8045
                                                        • DeleteDC.GDI32(?), ref: 006A805D
                                                        • DeleteDC.GDI32(00000000), ref: 006A8060
                                                        • SelectObject.GDI32(00000000,00000000), ref: 006A806B
                                                        • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 006A8093
                                                        • GetIconInfo.USER32(?,?), ref: 006A80CB
                                                        • DeleteObject.GDI32(?), ref: 006A80FA
                                                        • DeleteObject.GDI32(?), ref: 006A8107
                                                        • DrawIcon.USER32(00000000,?,?,?), ref: 006A8114
                                                        • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 006A8144
                                                        • GetObjectA.GDI32(?,00000018,?), ref: 006A8173
                                                        • LocalAlloc.KERNEL32(00000040,00000028), ref: 006A81BC
                                                        • LocalAlloc.KERNEL32(00000040,00000001), ref: 006A81DF
                                                        • GlobalAlloc.KERNEL32(00000000,?), ref: 006A8248
                                                        • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 006A826B
                                                        • DeleteDC.GDI32(?), ref: 006A827F
                                                        • DeleteDC.GDI32(00000000), ref: 006A8282
                                                        • DeleteObject.GDI32(00000000), ref: 006A8285
                                                        • GlobalFree.KERNEL32(00CC0020), ref: 006A8290
                                                        • DeleteObject.GDI32(00000000), ref: 006A8344
                                                        • GlobalFree.KERNEL32(?), ref: 006A834B
                                                        • DeleteDC.GDI32(?), ref: 006A835B
                                                        • DeleteDC.GDI32(00000000), ref: 006A8366
                                                        • DeleteDC.GDI32(?), ref: 006A8398
                                                        • DeleteDC.GDI32(00000000), ref: 006A839B
                                                        • DeleteObject.GDI32(?), ref: 006A83A1
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconLocal$BitmapBitsDisplayDrawEnumInfoSelectSettingsStretch
                                                        • String ID: DISPLAY
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 006A728C
                                                        • GetProcAddress.KERNEL32(00000000), ref: 006A728F
                                                        • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 006A72A0
                                                        • GetProcAddress.KERNEL32(00000000), ref: 006A72A3
                                                        • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 006A72B4
                                                        • GetProcAddress.KERNEL32(00000000), ref: 006A72B7
                                                        • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 006A72C8
                                                        • GetProcAddress.KERNEL32(00000000), ref: 006A72CB
                                                        • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 006A736C
                                                        • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 006A7384
                                                        • GetThreadContext.KERNEL32(?,00000000), ref: 006A739A
                                                        • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 006A73C0
                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 006A7440
                                                        • TerminateProcess.KERNEL32(?,00000000), ref: 006A7454
                                                        • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 006A748B
                                                        • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 006A7558
                                                        • SetThreadContext.KERNEL32(?,00000000), ref: 006A7575
                                                        • ResumeThread.KERNEL32(?), ref: 006A7582
                                                        • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 006A759A
                                                        • GetCurrentProcess.KERNEL32(?), ref: 006A75A5
                                                        • TerminateProcess.KERNEL32(?,00000000), ref: 006A75BF
                                                        • GetLastError.KERNEL32 ref: 006A75C7
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                        • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                        APIs
                                                        • CreateMutexA.KERNEL32(00000000,00000001,00000000,007042F8,?,00000000), ref: 006A12D4
                                                        • ExitProcess.KERNEL32 ref: 006A151D
                                                          • Part of subcall function 006A265D: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,007042F8), ref: 006A2679
                                                          • Part of subcall function 006A265D: RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 006A2692
                                                          • Part of subcall function 006A265D: RegCloseKey.KERNELBASE(00000000), ref: 006A269D
                                                          • Part of subcall function 006AB61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00699F65), ref: 006AB633
                                                        • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 006A135B
                                                        • OpenProcess.KERNEL32(00100000,00000000,Ti,?,?,?,?,00000000), ref: 006A136A
                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 006A1375
                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 006A137C
                                                        • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 006A1382
                                                          • Part of subcall function 006A27D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUo), ref: 006A27E3
                                                          • Part of subcall function 006A27D5: RegSetValueExA.KERNELBASE(TUo,000000AF,00000000,00000004,00000001,00000004,?,?,?,0069B94C,006F60E0,00000001,000000AF,006F5554), ref: 006A27FE
                                                          • Part of subcall function 006A27D5: RegCloseKey.ADVAPI32(?,?,?,?,0069B94C,006F60E0,00000001,000000AF,006F5554), ref: 006A2809
                                                        • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 006A13B3
                                                        • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 006A140F
                                                        • GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 006A1429
                                                        • lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 006A143B
                                                          • Part of subcall function 006AB58F: SetFilePointer.KERNELBASE(00000000,00000000,00000000,00000002), ref: 006AB5EB
                                                          • Part of subcall function 006AB58F: WriteFile.KERNELBASE(00000000,00000000,00000000,?,00000000), ref: 006AB5FF
                                                          • Part of subcall function 006AB58F: CloseHandle.KERNELBASE(00000000), ref: 006AB60C
                                                        • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 006A1483
                                                        • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 006A14C4
                                                        • OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 006A14D9
                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 006A14E4
                                                        • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 006A14EB
                                                        • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 006A14F1
                                                          • Part of subcall function 006AB58F: CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,006F5900,00000000,00000000,0069C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 006AB5CE
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                                                        • String ID: .exe$0Dp$@Cp$Ti$WDH$exepath$open$temp_
                                                        • API String ID: 4250697656-2253918751
                                                        • Opcode ID: bb277aa2ac4edba580d83d495495343712f2ecc38d30d002955a6fa36461746f
                                                        • Instruction ID: c01c141b84af7129489f22c42c595cfd1432a16ef6ba6515e4f55fae5af504b8
                                                        • Opcode Fuzzy Hash: bb277aa2ac4edba580d83d495495343712f2ecc38d30d002955a6fa36461746f
                                                        • Instruction Fuzzy Hash: 1C51D8B1A0430A6FDF44BBA09C85EFE73AF9B46310F100159B601AB2C1EF748E468F54
                                                        APIs
                                                          • Part of subcall function 006A1699: TerminateProcess.KERNEL32(00000000,pth_unenc,0069E670), ref: 006A16A9
                                                          • Part of subcall function 006A1699: WaitForSingleObject.KERNEL32(000000FF), ref: 006A16BC
                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0069C38B
                                                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0069C39E
                                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0069C3B7
                                                        • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0069C3E7
                                                          • Part of subcall function 0069AFBA: TerminateThread.KERNEL32(006999A9,00000000,007042F8,pth_unenc,0069BF26,007042E0,007042F8,?,pth_unenc), ref: 0069AFC9
                                                          • Part of subcall function 0069AFBA: UnhookWindowsHookEx.USER32(007040F8), ref: 0069AFD5
                                                          • Part of subcall function 0069AFBA: TerminateThread.KERNEL32(00699993,00000000,?,pth_unenc), ref: 0069AFE3
                                                          • Part of subcall function 006AB58F: CreateFileW.KERNELBASE(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,006F5900,00000000,00000000,0069C267,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 006AB5CE
                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,006F5900,006F5900,00000000), ref: 0069C632
                                                        • ExitProcess.KERNEL32 ref: 0069C63E
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                        • String ID: """, 0$")$@Cp$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`=p$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                        • API String ID: 1861856835-1898932457
                                                        • Opcode ID: 05abe9ccaf1894d5ced41c17bd26e85668b28caa2d6239453ac27f828caa5241
                                                        • Instruction ID: 342a0c0ac401ef301238a5f70f68423d09ef38df010f3ab45c7d983edfece111
                                                        • Opcode Fuzzy Hash: 05abe9ccaf1894d5ced41c17bd26e85668b28caa2d6239453ac27f828caa5241
                                                        • Instruction Fuzzy Hash: 2291C5312042015BCB98FB24D862AFFB7EF9F92710F50452DF586979A2DF209E09C65A
                                                        APIs
                                                          • Part of subcall function 006A1699: TerminateProcess.KERNEL32(00000000,pth_unenc,0069E670), ref: 006A16A9
                                                          • Part of subcall function 006A1699: WaitForSingleObject.KERNEL32(000000FF), ref: 006A16BC
                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,007042F8,?,pth_unenc), ref: 0069C013
                                                        • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0069C026
                                                        • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,007042F8,?,pth_unenc), ref: 0069C056
                                                        • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,007042F8,?,pth_unenc), ref: 0069C065
                                                          • Part of subcall function 0069AFBA: TerminateThread.KERNEL32(006999A9,00000000,007042F8,pth_unenc,0069BF26,007042E0,007042F8,?,pth_unenc), ref: 0069AFC9
                                                          • Part of subcall function 0069AFBA: UnhookWindowsHookEx.USER32(007040F8), ref: 0069AFD5
                                                          • Part of subcall function 0069AFBA: TerminateThread.KERNEL32(00699993,00000000,?,pth_unenc), ref: 0069AFE3
                                                          • Part of subcall function 006AAB38: GetCurrentProcessId.KERNEL32(00000000,76F93530,00000000,?,?,?,?,006F5900,0069C07B,.vbs,?,?,?,?,?,007042F8), ref: 006AAB5F
                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,006F5900,006F5900,00000000), ref: 0069C280
                                                        • ExitProcess.KERNEL32 ref: 0069C287
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                        • String ID: ")$.vbs$@Cp$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=p$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                                        • API String ID: 3797177996-3045617738
                                                        • Opcode ID: e1b6f2160b75ef165f1c99d4a4460c19771e7fd65403de5c30851fedb21f8707
                                                        • Instruction ID: 8d3e9a9380ec52b0ce92b0022d027e43193b88e50b4e08c6b0e6b977536b165a
                                                        • Opcode Fuzzy Hash: e1b6f2160b75ef165f1c99d4a4460c19771e7fd65403de5c30851fedb21f8707
                                                        • Instruction Fuzzy Hash: 8D81C5316042415BCB59FB20EC62ABF77EF9F92700F10452DF5865BAD2EF209E09C65A
                                                        APIs
                                                        • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 006AA2B2
                                                        • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 006AA2C6
                                                        • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,006F5554), ref: 006AA2EE
                                                        • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00703EE8,00000000), ref: 006AA2FF
                                                        • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 006AA340
                                                        • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 006AA358
                                                        • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 006AA36D
                                                        • SetEvent.KERNEL32 ref: 006AA38A
                                                        • WaitForSingleObject.KERNEL32(000001F4), ref: 006AA39B
                                                        • CloseHandle.KERNEL32 ref: 006AA3AB
                                                        • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 006AA3CD
                                                        • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 006AA3D7
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                        • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>p
                                                        • API String ID: 738084811-3948091392
                                                        • Opcode ID: 4c4f001321f730d1309a3a7c451c1637374f42125f86655ab2ca0d4cb3ac1352
                                                        • Instruction ID: e86d612d93c5241af7f0b4fe947d7c8211b31e47add4db1d32ea66117d872714
                                                        • Opcode Fuzzy Hash: 4c4f001321f730d1309a3a7c451c1637374f42125f86655ab2ca0d4cb3ac1352
                                                        • Instruction Fuzzy Hash: 6451E370304349AEDB54BB60DC92DBF3B9FDB92354F10052EF5428A5A2DF205D09CA6A
                                                        APIs
                                                        • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00691C54
                                                        • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00691C7E
                                                        • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00691C8E
                                                        • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00691C9E
                                                        • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00691CAE
                                                        • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00691CBE
                                                        • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00691CCF
                                                        • WriteFile.KERNEL32(00000000,00701B02,00000002,00000000,00000000), ref: 00691CE0
                                                        • WriteFile.KERNEL32(00000000,00701B04,00000004,00000000,00000000), ref: 00691CF0
                                                        • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00691D00
                                                        • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00691D11
                                                        • WriteFile.KERNEL32(00000000,00701B0E,00000002,00000000,00000000), ref: 00691D22
                                                        • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00691D32
                                                        • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00691D42
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: File$Write$Create
                                                        • String ID: RIFF$WAVE$data$fmt
                                                        • API String ID: 1602526932-4212202414
                                                        • Opcode ID: baa79d0d02dc873fbdfb35d2197318ce5c62e50fbea04d72a9258e762663cb04
                                                        • Instruction ID: 9b9a31d9caf683b7332aa74777385b0a94c641cd8e3accc76d7be0a99da27a78
                                                        • Opcode Fuzzy Hash: baa79d0d02dc873fbdfb35d2197318ce5c62e50fbea04d72a9258e762663cb04
                                                        • Instruction Fuzzy Hash: 504160B1544318BAE210DB51DD86FBB7FECEB85B54F40051AF644DA080E764E909DBB3
                                                        APIs
                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\IXCbn4ZcdS.exe,00000001,006968B2,C:\Users\user\Desktop\IXCbn4ZcdS.exe,00000003,006968DA,007042E0,00696933), ref: 006964F4
                                                        • GetProcAddress.KERNEL32(00000000), ref: 006964FD
                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0069650E
                                                        • GetProcAddress.KERNEL32(00000000), ref: 00696511
                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00696522
                                                        • GetProcAddress.KERNEL32(00000000), ref: 00696525
                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00696536
                                                        • GetProcAddress.KERNEL32(00000000), ref: 00696539
                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0069654A
                                                        • GetProcAddress.KERNEL32(00000000), ref: 0069654D
                                                        • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0069655E
                                                        • GetProcAddress.KERNEL32(00000000), ref: 00696561
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: AddressHandleModuleProc
                                                        • String ID: C:\Users\user\Desktop\IXCbn4ZcdS.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                        • API String ID: 1646373207-2483260684
                                                        • Opcode ID: 228ea3a21fe398dbd9d1b3bf314c7894397f16e5bd026dcc1695565fc7d5715e
                                                        • Instruction ID: bf184e84ac289e2f49457aca07b271639903f43189f68af43c6af63407529182
                                                        • Opcode Fuzzy Hash: 228ea3a21fe398dbd9d1b3bf314c7894397f16e5bd026dcc1695565fc7d5715e
                                                        • Instruction Fuzzy Hash: 780171F4E4075A65DF207B7A9CA4D676EEE9F5039034A8423B612D3261EFB8C8008D74
                                                        APIs
                                                        • _wcslen.LIBCMT ref: 0069BC75
                                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00704358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0069BC8E
                                                        • CopyFileW.KERNEL32(C:\Users\user\Desktop\IXCbn4ZcdS.exe,00000000,00000000,00000000,00000000,00000000,?,00704358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0069BD3E
                                                        • _wcslen.LIBCMT ref: 0069BD54
                                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0069BDDC
                                                        • CopyFileW.KERNEL32(C:\Users\user\Desktop\IXCbn4ZcdS.exe,00000000,00000000), ref: 0069BDF2
                                                        • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0069BE31
                                                        • _wcslen.LIBCMT ref: 0069BE34
                                                        • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0069BE4B
                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00704358,0000000E), ref: 0069BE9B
                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,006F5900,006F5900,00000001), ref: 0069BEB9
                                                        • ExitProcess.KERNEL32 ref: 0069BED0
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                        • String ID: 6$C:\Users\user\Desktop\IXCbn4ZcdS.exe$del$open$Bp$Bp
                                                        • API String ID: 1579085052-841467277
                                                        • Opcode ID: a520835c970506930c0022ad31ddebb724594821b888ee1a9a455c21801b6c33
                                                        • Instruction ID: 33d91d8178db3e4bb746226473ac4668cc31de4fa6bccb743c1f675b2b94bddd
                                                        • Opcode Fuzzy Hash: a520835c970506930c0022ad31ddebb724594821b888ee1a9a455c21801b6c33
                                                        • Instruction Fuzzy Hash: F051C661708241ABDF98B720EC52E7F7B9F9F82750F50152CFA418AAD2DF149D05826E
                                                        APIs
                                                        • lstrlenW.KERNEL32(?), ref: 006AB1D6
                                                        • _memcmp.LIBVCRUNTIME ref: 006AB1EE
                                                        • lstrlenW.KERNEL32(?), ref: 006AB207
                                                        • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 006AB242
                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 006AB255
                                                        • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 006AB299
                                                        • lstrcmpW.KERNEL32(?,?), ref: 006AB2B4
                                                        • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 006AB2CC
                                                        • _wcslen.LIBCMT ref: 006AB2DB
                                                        • FindVolumeClose.KERNEL32(?), ref: 006AB2FB
                                                        • GetLastError.KERNEL32 ref: 006AB313
                                                        • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 006AB340
                                                        • lstrcatW.KERNEL32(?,?), ref: 006AB359
                                                        • lstrcpyW.KERNEL32(?,?), ref: 006AB368
                                                        • GetLastError.KERNEL32 ref: 006AB370
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                        • String ID: ?
                                                        • API String ID: 3941738427-1684325040
                                                        • Opcode ID: 43e5b0922ed2bdbf59497e348197927ec18aca3c3911a8873eaadce9a6830225
                                                        • Instruction ID: 39ec7865af969e93303b19ac4c7142f830359362ee900787cde45235d596c862
                                                        • Opcode Fuzzy Hash: 43e5b0922ed2bdbf59497e348197927ec18aca3c3911a8873eaadce9a6830225
                                                        • Instruction Fuzzy Hash: 014180715083459AD720EFB1EC88AEF77EAFF46714F04192AF541C6261E770CE588B92
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: _free$EnvironmentVariable$_wcschr
                                                        • String ID:
                                                        • API String ID: 3899193279-0
                                                        • Opcode ID: 1e5205025b76dfdaaf98c3e3f5cb4feef2896f6311f65d3e4c6ab7382b9a0533
                                                        • Instruction ID: bd3f742b74a1f97484ad80bac40e09f233cd8f460a5bcaca11bcc362b1da4f64
                                                        • Opcode Fuzzy Hash: 1e5205025b76dfdaaf98c3e3f5cb4feef2896f6311f65d3e4c6ab7382b9a0533
                                                        • Instruction Fuzzy Hash: C9D1F671D00300AFDB25BF749C81AAD7BA6AF05350F59416FF946AF381EA379A018B94
                                                        APIs
                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 006A1C9A
                                                          • Part of subcall function 006AAB38: GetCurrentProcessId.KERNEL32(00000000,76F93530,00000000,?,?,?,?,006F5900,0069C07B,.vbs,?,?,?,?,?,007042F8), ref: 006AAB5F
                                                          • Part of subcall function 006A76B6: CloseHandle.KERNEL32(00693AB9,?,?,00693AB9,006F5324), ref: 006A76CC
                                                          • Part of subcall function 006A76B6: CloseHandle.KERNEL32($So,?,?,00693AB9,006F5324), ref: 006A76D5
                                                        • Sleep.KERNEL32(0000000A,006F5324), ref: 006A1DEC
                                                        • Sleep.KERNEL32(0000000A,006F5324,006F5324), ref: 006A1E8E
                                                        • Sleep.KERNEL32(0000000A,006F5324,006F5324,006F5324), ref: 006A1F30
                                                        • DeleteFileW.KERNEL32(00000000,006F5324,006F5324,006F5324), ref: 006A1F91
                                                        • DeleteFileW.KERNEL32(00000000,006F5324,006F5324,006F5324), ref: 006A1FC8
                                                        • DeleteFileW.KERNEL32(00000000,006F5324,006F5324,006F5324), ref: 006A2004
                                                        • Sleep.KERNEL32(000001F4,006F5324,006F5324,006F5324), ref: 006A201E
                                                        • Sleep.KERNEL32(00000064), ref: 006A2060
                                                          • Part of subcall function 00694468: send.WS2_32(?,00000000,00000000,00000000), ref: 006944FD
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                        • String ID: /stext "$HDp$HDp$>p$>p
                                                        • API String ID: 1223786279-1549595774
                                                        • Opcode ID: 9951a3008626a5ccfbc36bdee5fa9e00c63aa3ac2605f5ce8c9fbb560d8a55a1
                                                        • Instruction ID: 33beeb9cf9c59b7e1d9cebd3c74d4628216d56abd538976c7a458b33d5593e2b
                                                        • Opcode Fuzzy Hash: 9951a3008626a5ccfbc36bdee5fa9e00c63aa3ac2605f5ce8c9fbb560d8a55a1
                                                        • Instruction Fuzzy Hash: E80247315083425BCBA5FB60D461AEFB3DAAFD2700F50492DF48A4B592EF305A49C75A
                                                        APIs
                                                        • ___free_lconv_mon.LIBCMT ref: 006E00B1
                                                          • Part of subcall function 006DF2E3: _free.LIBCMT ref: 006DF300
                                                          • Part of subcall function 006DF2E3: _free.LIBCMT ref: 006DF312
                                                          • Part of subcall function 006DF2E3: _free.LIBCMT ref: 006DF324
                                                          • Part of subcall function 006DF2E3: _free.LIBCMT ref: 006DF336
                                                          • Part of subcall function 006DF2E3: _free.LIBCMT ref: 006DF348
                                                          • Part of subcall function 006DF2E3: _free.LIBCMT ref: 006DF35A
                                                          • Part of subcall function 006DF2E3: _free.LIBCMT ref: 006DF36C
                                                          • Part of subcall function 006DF2E3: _free.LIBCMT ref: 006DF37E
                                                          • Part of subcall function 006DF2E3: _free.LIBCMT ref: 006DF390
                                                          • Part of subcall function 006DF2E3: _free.LIBCMT ref: 006DF3A2
                                                          • Part of subcall function 006DF2E3: _free.LIBCMT ref: 006DF3B4
                                                          • Part of subcall function 006DF2E3: _free.LIBCMT ref: 006DF3C6
                                                          • Part of subcall function 006DF2E3: _free.LIBCMT ref: 006DF3D8
                                                        • _free.LIBCMT ref: 006E00A6
                                                          • Part of subcall function 006D6AC5: HeapFree.KERNEL32(00000000,00000000,Bp,006DFA50,?,00000000,?,00000000,Bp,006DFCF4,?,00000007,?,Bp,006E0205,?), ref: 006D6ADB
                                                          • Part of subcall function 006D6AC5: GetLastError.KERNEL32(?), ref: 006D6AED
                                                        • _free.LIBCMT ref: 006E00C8
                                                        • _free.LIBCMT ref: 006E00DD
                                                        • _free.LIBCMT ref: 006E00E8
                                                        • _free.LIBCMT ref: 006E010A
                                                        • _free.LIBCMT ref: 006E011D
                                                        • _free.LIBCMT ref: 006E012B
                                                        • _free.LIBCMT ref: 006E0136
                                                        • _free.LIBCMT ref: 006E016E
                                                        • _free.LIBCMT ref: 006E0175
                                                        • _free.LIBCMT ref: 006E0192
                                                        • _free.LIBCMT ref: 006E01AA
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                        • String ID: Bp
                                                        • API String ID: 161543041-1987823655
                                                        • Opcode ID: 497f64cc45a362a179085eafd8e9570047bd5a34b4b15bb33bcfb5851e9e142f
                                                        • Instruction ID: 5a2e66552891136ec026b8b8a2cee9ad7599955c3371eaeb2cd971251f013a03
                                                        • Opcode Fuzzy Hash: 497f64cc45a362a179085eafd8e9570047bd5a34b4b15bb33bcfb5851e9e142f
                                                        • Instruction Fuzzy Hash: 1F318331901340AFEB60AA76D845BDA73E6AF00350F19842EF489EB391DF71ADD4CB14
                                                        APIs
                                                        • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 006A3E86
                                                        • LoadLibraryA.KERNEL32(?), ref: 006A3EC8
                                                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 006A3EE8
                                                        • FreeLibrary.KERNEL32(00000000), ref: 006A3EEF
                                                        • LoadLibraryA.KERNEL32(?), ref: 006A3F27
                                                        • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 006A3F39
                                                        • FreeLibrary.KERNEL32(00000000), ref: 006A3F40
                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 006A3F4F
                                                        • FreeLibrary.KERNEL32(00000000), ref: 006A3F66
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                        • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                                                        • API String ID: 2490988753-744132762
                                                        • Opcode ID: d7a449b207ff65e868634a7e1ab8f38ddacd97cf2f0618ecda7317915d1750b8
                                                        • Instruction ID: 71fc4765638b973d5fa00ef791d4450ffa0adf379190c5c87947050c441528f5
                                                        • Opcode Fuzzy Hash: d7a449b207ff65e868634a7e1ab8f38ddacd97cf2f0618ecda7317915d1750b8
                                                        • Instruction Fuzzy Hash: A131F5B1C05329ABD720AB25DC84E9BBAEEAF85784F410A19F55497300D774DE008FE5
                                                        APIs
                                                        • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 006AB846
                                                        • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 006AB88A
                                                        • RegCloseKey.ADVAPI32(?), ref: 006ABB54
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseEnumOpen
                                                        • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                                                        • API String ID: 1332880857-3714951968
                                                        • Opcode ID: e9475c7c4b3d56cd11c343e8cd491a42dc918da112e405aafef2f9df1461c522
                                                        • Instruction ID: ea5cc57c3e0b12b670336a275685967b2f506accefd7958578b20fba0cc23f96
                                                        • Opcode Fuzzy Hash: e9475c7c4b3d56cd11c343e8cd491a42dc918da112e405aafef2f9df1461c522
                                                        • Instruction Fuzzy Hash: A1816F312082459FC765EB10D851AFFB7EEAF95310F10492EF58A86591EF30AA09CB56
                                                        APIs
                                                        • DefWindowProcA.USER32(?,00000401,?,?), ref: 006ACAE9
                                                        • GetCursorPos.USER32(?), ref: 006ACAF8
                                                        • SetForegroundWindow.USER32(?), ref: 006ACB01
                                                        • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 006ACB1B
                                                        • Shell_NotifyIconA.SHELL32(00000002,00703B50), ref: 006ACB6C
                                                        • ExitProcess.KERNEL32 ref: 006ACB74
                                                        • CreatePopupMenu.USER32 ref: 006ACB7A
                                                        • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 006ACB8F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                        • String ID: Close
                                                        • API String ID: 1657328048-3535843008
                                                        • Opcode ID: 977afac76180d71cc252f5a8c86600308ded4d1dd7873688feb174154549b999
                                                        • Instruction ID: e7198e146dc4ae45c03e8dc94986e88acc28e5b44d7bd218fe5904c2e16d23f1
                                                        • Opcode Fuzzy Hash: 977afac76180d71cc252f5a8c86600308ded4d1dd7873688feb174154549b999
                                                        • Instruction Fuzzy Hash: 8B211D71144249FFDB06AFA4ED4EEA93E6AEB05311F149114F606980B0DBB69E11AF24
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$Info
                                                        • String ID:
                                                        • API String ID: 2509303402-0
                                                        • Opcode ID: ab3db330edfb8088360a42d9a90ed86f766e5aa7df9c3fe94ce0ea4c4f9a6aff
                                                        • Instruction ID: 61abab9c9beab3d45c6d1e73854cf35fc850b2d2067246f1dca63841d0e6eabb
                                                        • Opcode Fuzzy Hash: ab3db330edfb8088360a42d9a90ed86f766e5aa7df9c3fe94ce0ea4c4f9a6aff
                                                        • Instruction Fuzzy Hash: 86B1AE71D00705AFDB20DFA8C881BEEBBF6BF48300F18406EF496A7742DA7599458B64
                                                        APIs
                                                        • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00697F4C
                                                        • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00697FC2
                                                        • __aulldiv.LIBCMT ref: 00697FE9
                                                        • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0069810D
                                                        • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00698128
                                                        • CloseHandle.KERNEL32(00000000), ref: 00698200
                                                        • CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0069821A
                                                        • CloseHandle.KERNEL32(00000000), ref: 00698256
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                                                        • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>p
                                                        • API String ID: 1884690901-242618630
                                                        • Opcode ID: e11299e2840d319d45bb06932553b06f35c751309034997722a050d4c03f15a5
                                                        • Instruction ID: 00c05ed253aebc8d9f31ddd0587e2b25ed59f74ed976fdb5ec131cc295e2b9b7
                                                        • Opcode Fuzzy Hash: e11299e2840d319d45bb06932553b06f35c751309034997722a050d4c03f15a5
                                                        • Instruction Fuzzy Hash: 89B1C2316083419FCA94FB64C891ABFB7EAAFC5310F50491DF88657691EF309A05CB9B
                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 006A912D
                                                        • GdiplusStartup.GDIPLUS(00703AF0,?,00000000), ref: 006A915F
                                                        • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 006A91EB
                                                        • Sleep.KERNEL32(000003E8), ref: 006A926D
                                                        • GetLocalTime.KERNEL32(?), ref: 006A927C
                                                        • Sleep.KERNEL32(00000000,00000018,00000000), ref: 006A9365
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                        • String ID: XCp$XCp$XCp$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                        • API String ID: 489098229-2128544643
                                                        • Opcode ID: 0f55f6bd44a88dd2a9abdd53895112518ab52d73859aa4e49378bed9e9697dfc
                                                        • Instruction ID: 9b47da2d9d7d0aeb7ebd20983d267eaf0d1b4e9a2e1a9b8e34f952ac2ad7a928
                                                        • Opcode Fuzzy Hash: 0f55f6bd44a88dd2a9abdd53895112518ab52d73859aa4e49378bed9e9697dfc
                                                        • Instruction Fuzzy Hash: 55517271A0024A9ACF94BBB4CC56AFE7BAFAF52300F50016DF545AB582EE344E45C764
                                                        APIs
                                                          • Part of subcall function 006A1699: TerminateProcess.KERNEL32(00000000,pth_unenc,0069E670), ref: 006A16A9
                                                          • Part of subcall function 006A1699: WaitForSingleObject.KERNEL32(000000FF), ref: 006A16BC
                                                          • Part of subcall function 006A265D: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,007042F8), ref: 006A2679
                                                          • Part of subcall function 006A265D: RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 006A2692
                                                          • Part of subcall function 006A265D: RegCloseKey.KERNELBASE(00000000), ref: 006A269D
                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0069C6C7
                                                        • ShellExecuteW.SHELL32(00000000,open,00000000,006F5900,006F5900,00000000), ref: 0069C826
                                                        • ExitProcess.KERNEL32 ref: 0069C832
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                        • String ID: """, 0$.vbs$@Cp$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                        • API String ID: 1913171305-3785372210
                                                        • Opcode ID: dec8b44cea30209d8664269a367d5fce2afcbbffaceee70eac7f4d08973f6872
                                                        • Instruction ID: d66641ffa8ae6a6ff9612e09cc1367058d8cb9d0529fbaf9b69801fd1c956769
                                                        • Opcode Fuzzy Hash: dec8b44cea30209d8664269a367d5fce2afcbbffaceee70eac7f4d08973f6872
                                                        • Instruction Fuzzy Hash: 60419231A001195ACF95F760DC62DFEB77FAF62710F50016DF506A7492EF206E4ACA98
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free
                                                        • String ID:
                                                        • API String ID: 269201875-0
                                                        • Opcode ID: f4358feaf1bb128252773444b0c37702ed839637fe800139cbc08651efd19b71
                                                        • Instruction ID: a8fce35251b55c4e40d1e08cf82a3b9108abda39d885cb9f5d6ede0058a39a00
                                                        • Opcode Fuzzy Hash: f4358feaf1bb128252773444b0c37702ed839637fe800139cbc08651efd19b71
                                                        • Instruction Fuzzy Hash: 59C17376E40204AFDB60DBA8CC42FEE77F9AB09700F144169FA05FB382D67099459B64
                                                        APIs
                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00694B8E,?,?,?,00694B26), ref: 006947FD
                                                        • SetEvent.KERNEL32(?,?,?,?,00000000,?,00694B8E,?,?,?,00694B26), ref: 00694808
                                                        • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00694B8E,?,?,?,00694B26), ref: 00694811
                                                        • closesocket.WS2_32(000000FF), ref: 0069481F
                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00694B8E,?,?,?,00694B26), ref: 00694856
                                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00694867
                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0069486E
                                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00694880
                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00694885
                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0069488A
                                                        • SetEvent.KERNEL32(?,?,?,?,00000000,?,00694B8E,?,?,?,00694B26), ref: 00694895
                                                        • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00694B8E,?,?,?,00694B26), ref: 0069489A
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                        • String ID:
                                                        • API String ID: 3658366068-0
                                                        • Opcode ID: 36bc6e87706d4b38d4b45e20075ad2aac43068ec3d2c82424f62479d0da998d7
                                                        • Instruction ID: 125d64ff76374581a41bd16fa877bdac15c741bef16e742b394b141ae2e75802
                                                        • Opcode Fuzzy Hash: 36bc6e87706d4b38d4b45e20075ad2aac43068ec3d2c82424f62479d0da998d7
                                                        • Instruction Fuzzy Hash: 21212C31104B449FDB226B26DC49A56BBE6EF40325B104A1DE2E616AB1CF72F852DB44
                                                        APIs
                                                          • Part of subcall function 006E4650: CreateFileW.KERNEL32(00000000,?,?,+Jn,?,?,00000000,?,006E4A2B,00000000,0000000C), ref: 006E466D
                                                        • GetLastError.KERNEL32 ref: 006E4A96
                                                        • __dosmaperr.LIBCMT ref: 006E4A9D
                                                        • GetFileType.KERNEL32(00000000), ref: 006E4AA9
                                                        • GetLastError.KERNEL32 ref: 006E4AB3
                                                        • __dosmaperr.LIBCMT ref: 006E4ABC
                                                        • CloseHandle.KERNEL32(00000000), ref: 006E4ADC
                                                        • CloseHandle.KERNEL32(?), ref: 006E4C26
                                                        • GetLastError.KERNEL32 ref: 006E4C58
                                                        • __dosmaperr.LIBCMT ref: 006E4C5F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                        • String ID: H
                                                        • API String ID: 4237864984-2852464175
                                                        • Opcode ID: 8592197a5e29a6b4aa67b4b75d9b6240cd43d4d4476abd82e923b0a9955ab8c2
                                                        • Instruction ID: 11a3b0fde21336b86fcc337a1e59837b7fc03f2a3d47bc7be5cc7e72a693b496
                                                        • Opcode Fuzzy Hash: 8592197a5e29a6b4aa67b4b75d9b6240cd43d4d4476abd82e923b0a9955ab8c2
                                                        • Instruction Fuzzy Hash: 5BA12532A142848FCF199F78D891BAE7BA2EF06320F24025DE811AF3D1DF359912DB55
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: 65535$udp
                                                        • API String ID: 0-1267037602
                                                        • Opcode ID: bd2ff734c5781b81ac1fa31ce46ff0f3e7b468bba3b5b8e9345ca5f13534ef58
                                                        • Instruction ID: dec1c34ee53913cc58f4e2575df726b882a982f7972a44e7f707e9bff5a476f2
                                                        • Opcode Fuzzy Hash: bd2ff734c5781b81ac1fa31ce46ff0f3e7b468bba3b5b8e9345ca5f13534ef58
                                                        • Instruction Fuzzy Hash: 0B410671609362EBD720BA68C945BBB77D7FF86750F08082EF85197390D764CE418E62
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00691AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 006C93B9
                                                        • GetLastError.KERNEL32(?,?,00691AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 006C93C6
                                                        • __dosmaperr.LIBCMT ref: 006C93CD
                                                        • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00691AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 006C93F9
                                                        • GetLastError.KERNEL32(?,?,?,00691AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 006C9403
                                                        • __dosmaperr.LIBCMT ref: 006C940A
                                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00691AD8,?), ref: 006C944D
                                                        • GetLastError.KERNEL32(?,?,?,?,?,?,00691AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 006C9457
                                                        • __dosmaperr.LIBCMT ref: 006C945E
                                                        • _free.LIBCMT ref: 006C946A
                                                        • _free.LIBCMT ref: 006C9471
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                        • String ID:
                                                        • API String ID: 2441525078-0
                                                        • Opcode ID: e873654092829771f94e30ca1819459393aebd87dbdd0baf286c740c967b620d
                                                        • Instruction ID: fc88b0d53717c263050815a3adbc59a678a2f64e5d8201dadd6d0d8f94c6b111
                                                        • Opcode Fuzzy Hash: e873654092829771f94e30ca1819459393aebd87dbdd0baf286c740c967b620d
                                                        • Instruction Fuzzy Hash: 6D31927280424ABFCF15AFA4DC89EBE3B6AEF05360B14415DF9159A390DB318D12DBB1
                                                        APIs
                                                        • SetEvent.KERNEL32(?,?), ref: 00694E71
                                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00694F21
                                                        • TranslateMessage.USER32(?), ref: 00694F30
                                                        • DispatchMessageA.USER32(?), ref: 00694F3B
                                                        • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00703F80), ref: 00694FF3
                                                        • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0069502B
                                                          • Part of subcall function 00694468: send.WS2_32(?,00000000,00000000,00000000), ref: 006944FD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                        • String ID: CloseChat$DisplayMessage$GetMessage
                                                        • API String ID: 2956720200-749203953
                                                        • Opcode ID: fc5c9896449e46693f619fb44e83b9c243408d4284e0956822d15f602a277f90
                                                        • Instruction ID: 82691c61cc0ff6df66b12e7b4454a2a491519b388973e5caf8a2a1e1f2efd928
                                                        • Opcode Fuzzy Hash: fc5c9896449e46693f619fb44e83b9c243408d4284e0956822d15f602a277f90
                                                        • Instruction Fuzzy Hash: DC4191726043029BCB44FB74985ACAE77EFABC6710B500A1CF9028B995EF349A09C756
                                                        APIs
                                                        • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,006F5554), ref: 006A6F24
                                                        • CloseHandle.KERNEL32(00000000), ref: 006A6F2D
                                                        • DeleteFileA.KERNEL32(00000000), ref: 006A6F3C
                                                        • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 006A6EF0
                                                          • Part of subcall function 00694468: send.WS2_32(?,00000000,00000000,00000000), ref: 006944FD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                                        • String ID: <$@$@Fp$@Fp$Temp
                                                        • API String ID: 1107811701-378310969
                                                        • Opcode ID: cbc8435dcc04f5e73f072b6d2b5c9ba432b0af98bd047a6d3cf544926ecc1f6f
                                                        • Instruction ID: cfe2073ad32c5ae09a2fd7cd5e36fa7c34f00db7a7916ddc3c7c4b324f374765
                                                        • Opcode Fuzzy Hash: cbc8435dcc04f5e73f072b6d2b5c9ba432b0af98bd047a6d3cf544926ecc1f6f
                                                        • Instruction Fuzzy Hash: 2031683190020A9BDF84FBA0DC52AFE777BAF51300F50016CF6066A491EF741E8ACB98
                                                        APIs
                                                        • GetCurrentProcess.KERNEL32(00704A28,00000000,Bp3ii,00003000,00000004,00000000,00000001), ref: 00696647
                                                        • GetCurrentProcess.KERNEL32(00704A28,00000000,00008000,?,00000000,00000001,00000000,006968BB,C:\Users\user\Desktop\IXCbn4ZcdS.exe), ref: 00696705
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CurrentProcess
                                                        • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir$Bp3ii
                                                        • API String ID: 2050909247-3629837502
                                                        • Opcode ID: 56a6cf88e0f0d011ca2d67d6cc66e0b22856880eef4ba6a51f385a71c0e6367e
                                                        • Instruction ID: 33d9e0fd7a428f442b8a47e643a5e1c1d7185212ff5cdc0d7fe3b2c3a4524dd6
                                                        • Opcode Fuzzy Hash: 56a6cf88e0f0d011ca2d67d6cc66e0b22856880eef4ba6a51f385a71c0e6367e
                                                        • Instruction Fuzzy Hash: 153192F1240704EFC740BBA4DC45F6A7BAEEB04712F51C61DF601966A1EB7998048B2D
                                                        APIs
                                                        • __EH_prolog.LIBCMT ref: 00437855
                                                        • GetClassInfoA.USER32(?,?,?), ref: 00437870
                                                        • RegisterClassA.USER32(?), ref: 00437883
                                                        • lstrlenA.KERNEL32(-00000034,00000001), ref: 004378BF
                                                        • lstrlenA.KERNEL32(?), ref: 004378C6
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3852697446.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000005.00000002.3852676846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.3852803469.0000000000446000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.3853277306.0000000000454000.00000008.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.3853306344.0000000000483000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.3853306344.000000000057A000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000005.00000002.3853306344.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Classlstrlen$H_prologInfoRegister
                                                        • String ID:
                                                        • API String ID: 3690589370-0
                                                        • Opcode ID: b7666c6804b7a4e1af4ad46b385648ce39fa1e020673036b6e24608731eaa827
                                                        • Instruction ID: d06448f70216e37ad6dd6e7a27fae02cd191811b199e5e129bd5a26421677b7e
                                                        • Opcode Fuzzy Hash: b7666c6804b7a4e1af4ad46b385648ce39fa1e020673036b6e24608731eaa827
                                                        • Instruction Fuzzy Hash: 2431F7B1904109FFDF11AFA0CD05BAEBFB4FF09315F004126F845A2251C7389A11DB99
                                                        APIs
                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,006A95F8,00000000,00000000), ref: 006A9C94
                                                        • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,006A95F8,00000000,00000000), ref: 006A9CAB
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,006A95F8,00000000,00000000), ref: 006A9CB8
                                                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,006A95F8,00000000,00000000), ref: 006A9CC7
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,006A95F8,00000000,00000000), ref: 006A9CD8
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,006A95F8,00000000,00000000), ref: 006A9CDB
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Service$CloseHandle$Open$ControlManager
                                                        • String ID:
                                                        • API String ID: 221034970-0
                                                        • Opcode ID: 2b0d3130c9389c0c93c260705ce1452b0bcddcea947912c6d94abeb9af6ed3bc
                                                        • Instruction ID: 55ebda35be514208aeffda4bfbbda1bbad1febbd494746f3ab218298d22cf6d1
                                                        • Opcode Fuzzy Hash: 2b0d3130c9389c0c93c260705ce1452b0bcddcea947912c6d94abeb9af6ed3bc
                                                        • Instruction Fuzzy Hash: EA11E972901258BFD711B7649CC9DFF3B7EDB47364B100015F50297141DB648D46ABB0
                                                        APIs
                                                        • _free.LIBCMT ref: 006D6DDF
                                                          • Part of subcall function 006D6AC5: HeapFree.KERNEL32(00000000,00000000,Bp,006DFA50,?,00000000,?,00000000,Bp,006DFCF4,?,00000007,?,Bp,006E0205,?), ref: 006D6ADB
                                                          • Part of subcall function 006D6AC5: GetLastError.KERNEL32(?), ref: 006D6AED
                                                        • _free.LIBCMT ref: 006D6DEB
                                                        • _free.LIBCMT ref: 006D6DF6
                                                        • _free.LIBCMT ref: 006D6E01
                                                        • _free.LIBCMT ref: 006D6E0C
                                                        • _free.LIBCMT ref: 006D6E17
                                                        • _free.LIBCMT ref: 006D6E22
                                                        • _free.LIBCMT ref: 006D6E2D
                                                        • _free.LIBCMT ref: 006D6E38
                                                        • _free.LIBCMT ref: 006D6E46
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast
                                                        • String ID:
                                                        • API String ID: 776569668-0
                                                        • Opcode ID: a1d8cd5d583ed75958ba7236a9495bac00df481653aa77f9781df448956492fa
                                                        • Instruction ID: 4ae1e97cd17a8001c1837a85b37a73720c919f7bbeff2b9058ed4a27ab945d5b
                                                        • Opcode Fuzzy Hash: a1d8cd5d583ed75958ba7236a9495bac00df481653aa77f9781df448956492fa
                                                        • Instruction Fuzzy Hash: 0E118979910108BFCB41EF54C842CDD3B66EF04350B5AC4AAF9499F222DA31DE649F44
                                                        APIs
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Eventinet_ntoa
                                                        • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>p
                                                        • API String ID: 3578746661-1096372800
                                                        • Opcode ID: 75a6893aee74b5663283356ae1c7bbebcb5258a2d75f06f5464e3c90369e6e17
                                                        • Instruction ID: 35338696a77b2c3f8e957a77c78f0afd63ba2b7ec88599fee39aec4b483df4cd
                                                        • Opcode Fuzzy Hash: 75a6893aee74b5663283356ae1c7bbebcb5258a2d75f06f5464e3c90369e6e17
                                                        • Instruction Fuzzy Hash: 1151F731B043059BDB44FB74C956A7E36EB9F86300F90461DF9068B6D2DF249D09CB9A
                                                        APIs
                                                        • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,006E5DAF), ref: 006E515C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: DecodePointer
                                                        • String ID: acos$asin$exp$log$log10$pow$sqrt
                                                        • API String ID: 3527080286-3064271455
                                                        • Opcode ID: ad8d54bf5cd56b104691f5853e9b762a54c95808e00f553787a62c72f289b243
                                                        • Instruction ID: 0b4f5e8949b948099cecb71078bb8c2d63a09eecc1736bd85e8c469f019ca559
                                                        • Opcode Fuzzy Hash: ad8d54bf5cd56b104691f5853e9b762a54c95808e00f553787a62c72f289b243
                                                        • Instruction Fuzzy Hash: A4517D70902B89CFCF14DF6AD9481ECBFB2FF08348F240285D542AA254DB768A15CB19
                                                        APIs
                                                        • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 006A665C
                                                          • Part of subcall function 006AB61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00699F65), ref: 006AB633
                                                        • Sleep.KERNEL32(00000064), ref: 006A6688
                                                        • DeleteFileW.KERNEL32(00000000), ref: 006A66BC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$CreateDeleteExecuteShellSleep
                                                        • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                        • API String ID: 1462127192-2001430897
                                                        • Opcode ID: b874e26919757821e8f9a96261e0bdcb1c5677fe0501c7807e0c1ec15a91a1a2
                                                        • Instruction ID: 4d02e416c00aa6d192516865ed24f47aa51a9c37da3d23f0afe9ff064a5ca1a3
                                                        • Opcode Fuzzy Hash: b874e26919757821e8f9a96261e0bdcb1c5677fe0501c7807e0c1ec15a91a1a2
                                                        • Instruction Fuzzy Hash: E33184719001199ADF94FBA0DCA2EFE777EAF11700F10111DF9066B5D2EF605E4ACA98
                                                        APIs
                                                        • _strftime.LIBCMT ref: 00691AD3
                                                          • Part of subcall function 00691BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00691C54
                                                        • waveInUnprepareHeader.WINMM(00701AC0,00000020,00000000,?), ref: 00691B85
                                                        • waveInPrepareHeader.WINMM(00701AC0,00000020), ref: 00691BC3
                                                        • waveInAddBuffer.WINMM(00701AC0,00000020), ref: 00691BD2
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                        • String ID: %Y-%m-%d %H.%M$.wav$`=p$x=p
                                                        • API String ID: 3809562944-1922661968
                                                        • Opcode ID: b8a5b8c43e8809ad6a2deb378b6158dde86adb0aa05196fc3e78d75354ad5e95
                                                        • Instruction ID: 90302e66f5ec4113cf8e2a6b376ecc255b12727bc642201a058d564ba8273e7f
                                                        • Opcode Fuzzy Hash: b8a5b8c43e8809ad6a2deb378b6158dde86adb0aa05196fc3e78d75354ad5e95
                                                        • Instruction Fuzzy Hash: 31310471604302DBCB54FB20DC52EAE37EAFB41310F50852DF146865E1EF345A09CB4A
                                                        APIs
                                                        • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0069197B
                                                        • waveInOpen.WINMM(00701AF8,000000FF,00701B00,Function_00001A8E,00000000,00000000,00000024), ref: 00691A11
                                                        • waveInPrepareHeader.WINMM(00701AC0,00000020,00000000), ref: 00691A66
                                                        • waveInAddBuffer.WINMM(00701AC0,00000020), ref: 00691A75
                                                        • waveInStart.WINMM ref: 00691A81
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                        • String ID: XCp$`=p$x=p
                                                        • API String ID: 1356121797-3560381965
                                                        • Opcode ID: 412ae1c4d252c7944f6b58f6c2c979ae9db868ad621c9f4ddb4c1c6a9d7f7d70
                                                        • Instruction ID: 7d71e4e3975586fde361fc3b2f42c25234ed4b89c556ff142b5726e762e5516f
                                                        • Opcode Fuzzy Hash: 412ae1c4d252c7944f6b58f6c2c979ae9db868ad621c9f4ddb4c1c6a9d7f7d70
                                                        • Instruction Fuzzy Hash: A72139B1701241DBC7059FA5AD19D2A7BEAEB85751B80D32EF105CA6B0EF7C4801CB0C
                                                        APIs
                                                          • Part of subcall function 006DFA22: _free.LIBCMT ref: 006DFA4B
                                                        • _free.LIBCMT ref: 006DFD29
                                                          • Part of subcall function 006D6AC5: HeapFree.KERNEL32(00000000,00000000,Bp,006DFA50,?,00000000,?,00000000,Bp,006DFCF4,?,00000007,?,Bp,006E0205,?), ref: 006D6ADB
                                                          • Part of subcall function 006D6AC5: GetLastError.KERNEL32(?), ref: 006D6AED
                                                        • _free.LIBCMT ref: 006DFD34
                                                        • _free.LIBCMT ref: 006DFD3F
                                                        • _free.LIBCMT ref: 006DFD93
                                                        • _free.LIBCMT ref: 006DFD9E
                                                        • _free.LIBCMT ref: 006DFDA9
                                                        • _free.LIBCMT ref: 006DFDB4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast
                                                        • String ID: Bp
                                                        • API String ID: 776569668-1987823655
                                                        • Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                        • Instruction ID: 1ba9bb4b88d27d70f4c0d7f2fe615008188529da0119ec8382d57e4b6cb42ae2
                                                        • Opcode Fuzzy Hash: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                        • Instruction Fuzzy Hash: 09115E31E51704F6E570BBB1CC06FCB77DE9F04700F884C2EB69F66252E626A5154654
                                                        APIs
                                                        • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 006AC988
                                                          • Part of subcall function 006ACA1F: RegisterClassExA.USER32(00000030), ref: 006ACA6C
                                                          • Part of subcall function 006ACA1F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 006ACA87
                                                          • Part of subcall function 006ACA1F: GetLastError.KERNEL32 ref: 006ACA91
                                                        • ExtractIconA.SHELL32(00000000,?,00000000), ref: 006AC9BF
                                                        • lstrcpynA.KERNEL32(00703B68,Remcos,00000080), ref: 006AC9D9
                                                        • Shell_NotifyIconA.SHELL32(00000000,00703B50), ref: 006AC9EF
                                                        • TranslateMessage.USER32(?), ref: 006AC9FB
                                                        • DispatchMessageA.USER32(?), ref: 006ACA05
                                                        • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 006ACA12
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                        • String ID: Remcos
                                                        • API String ID: 1970332568-165870891
                                                        • Opcode ID: 3b258c568782d64d68deef80e4202be479ceea02f84cef2abfc5aa8d0dc59100
                                                        • Instruction ID: d63aba0072a4877ae1a9859df9e58bfeab1d91808dad7e237fb7c15c7730620e
                                                        • Opcode Fuzzy Hash: 3b258c568782d64d68deef80e4202be479ceea02f84cef2abfc5aa8d0dc59100
                                                        • Instruction Fuzzy Hash: F5012DF2504388EBD710AFA5EC4CEDB7BBDAB85B08F005119F601D60A0DBBC9545CB64
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 0cb31807ed5a22e8cd44428e32eae71ffeba597fce20b4825e8833b4f38519b6
                                                        • Instruction ID: 9464112501491931f8b3a2a2b0e2b56b3282e8e035fa8c181cfa1ed533961d55
                                                        • Opcode Fuzzy Hash: 0cb31807ed5a22e8cd44428e32eae71ffeba597fce20b4825e8833b4f38519b6
                                                        • Instruction Fuzzy Hash: 7EC1F570E04289DFCF11DFA8C841BEDBBB2BF4A310F1A519AE414AB396C7749941CB64
                                                        APIs
                                                        • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,006E2E03,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 006E2BD6
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,006E2E03,00000000,00000000,?,00000001,?,?,?,?), ref: 006E2C59
                                                        • __alloca_probe_16.LIBCMT ref: 006E2C91
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,006E2E03,?,006E2E03,00000000,00000000,?,00000001,?,?,?,?), ref: 006E2CEC
                                                        • __alloca_probe_16.LIBCMT ref: 006E2D3B
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,006E2E03,00000000,00000000,?,00000001,?,?,?,?), ref: 006E2D03
                                                          • Part of subcall function 006D6AFF: HeapAlloc.KERNEL32(00000000,?,00000000,Bp,006C3627,?,?,00692BE9,?,00692F1C,00000000,Bp,006984A8,?,?,007042E0), ref: 006D6B31
                                                        • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,006E2E03,00000000,00000000,?,00000001,?,?,?,?), ref: 006E2D7F
                                                        • __freea.LIBCMT ref: 006E2DAA
                                                        • __freea.LIBCMT ref: 006E2DB6
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocHeapInfo
                                                        • String ID:
                                                        • API String ID: 3256262068-0
                                                        • Opcode ID: fc47dc2d5db094bebaa96b8ccca7848bcc937b1bad23997e8ade44a9fe3ee443
                                                        • Instruction ID: f2bf22b82f1ad89a9c7e4b9785878fd70faefd214c5a350b360b0f7b618a2413
                                                        • Opcode Fuzzy Hash: fc47dc2d5db094bebaa96b8ccca7848bcc937b1bad23997e8ade44a9fe3ee443
                                                        • Instruction Fuzzy Hash: 5F91B072E123979ADB248E66CCA1EEE7BAFAF08714F180559E905EB241D724DC4187A0
                                                        APIs
                                                          • Part of subcall function 006D6EBF: GetLastError.KERNEL32(?,00000000,006D0A45,?,006AAB73,-00705D4C,?,?,?,?,006F5900,0069C07B,.vbs), ref: 006D6EC3
                                                          • Part of subcall function 006D6EBF: _free.LIBCMT ref: 006D6EF6
                                                          • Part of subcall function 006D6EBF: SetLastError.KERNEL32(00000000,?,006AAB73,-00705D4C,?,?,?,?,006F5900,0069C07B,.vbs), ref: 006D6F37
                                                          • Part of subcall function 006D6EBF: _abort.LIBCMT ref: 006D6F3D
                                                        • _memcmp.LIBVCRUNTIME ref: 006D46A3
                                                        • _free.LIBCMT ref: 006D4714
                                                        • _free.LIBCMT ref: 006D472D
                                                        • _free.LIBCMT ref: 006D475F
                                                        • _free.LIBCMT ref: 006D4768
                                                        • _free.LIBCMT ref: 006D4774
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$ErrorLast$_abort_memcmp
                                                        • String ID: C
                                                        • API String ID: 1679612858-1037565863
                                                        • Opcode ID: 6ae5174dfcf002646a730e277e38f2aaf59a92cd9b384e8ecb93de5db9e60914
                                                        • Instruction ID: ea636cbc16296b509ef9c96afd0751846153ae6dbb3f21915e288e0520a069a6
                                                        • Opcode Fuzzy Hash: 6ae5174dfcf002646a730e277e38f2aaf59a92cd9b384e8ecb93de5db9e60914
                                                        • Instruction Fuzzy Hash: 1BB11975E012199BDB24DF18C884BADB7B6FF48314F1485AEE84AA7350DB31AE90CF44
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: tcp$udp
                                                        • API String ID: 0-3725065008
                                                        • Opcode ID: 18eba8c1c432a695c57a7e5ee775e638ae5bef78e12fadc4054eb5983f5137b5
                                                        • Instruction ID: 1da447d138628ad860a8bd9f28026c9355c35e20107b6b46f45b70350e8fa55e
                                                        • Opcode Fuzzy Hash: 18eba8c1c432a695c57a7e5ee775e638ae5bef78e12fadc4054eb5983f5137b5
                                                        • Instruction Fuzzy Hash: AF71BC306083328FDB24EF58888476BB6E6AF96754F10042EF986A7351D775CE45CFA2
                                                        APIs
                                                        • ExitThread.KERNEL32 ref: 006917F4
                                                          • Part of subcall function 006C3519: EnterCriticalSection.KERNEL32(00700D18,?,00705D2C,?,0069AE8B,00705D2C,?,00000000,00000000), ref: 006C3524
                                                          • Part of subcall function 006C3519: LeaveCriticalSection.KERNEL32(00700D18,?,0069AE8B,00705D2C,?,00000000,00000000), ref: 006C3561
                                                        • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00703EE8,00000000), ref: 00691902
                                                          • Part of subcall function 006C38A5: __onexit.LIBCMT ref: 006C38AB
                                                        • __Init_thread_footer.LIBCMT ref: 006917BC
                                                          • Part of subcall function 006C34CF: EnterCriticalSection.KERNEL32(00700D18,00705D2C,?,0069AEAC,00705D2C,006E6D97,?,00000000,00000000), ref: 006C34D9
                                                          • Part of subcall function 006C34CF: LeaveCriticalSection.KERNEL32(00700D18,?,0069AEAC,00705D2C,006E6D97,?,00000000,00000000), ref: 006C350C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                        • String ID: T=p$p[p$>p$>p
                                                        • API String ID: 1596592924-614992033
                                                        • Opcode ID: 2dc0c22c6af8143d8603ffc9721ad400e895c5a5d3a7f0839c7937f367ef6a80
                                                        • Instruction ID: 06741355aa69c28e8925dbc2051c1bf2f49c10394286d74e2aa74b82a2dbb9bc
                                                        • Opcode Fuzzy Hash: 2dc0c22c6af8143d8603ffc9721ad400e895c5a5d3a7f0839c7937f367ef6a80
                                                        • Instruction Fuzzy Hash: B641C6712042029BCF54FB64DCA6EBF739EEB91310F50462DF4469A6E2DF345A06CB19
                                                        APIs
                                                        • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,006F5454,?,?,00000000,00697273,00000000,?,0000000A,00000000), ref: 00696C38
                                                        • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00697273,00000000,?,0000000A,00000000), ref: 00696C80
                                                          • Part of subcall function 00694468: send.WS2_32(?,00000000,00000000,00000000), ref: 006944FD
                                                        • CloseHandle.KERNEL32(00000000,?,?,00000000,00697273,00000000,?,0000000A,00000000,00000000), ref: 00696CC0
                                                        • MoveFileW.KERNEL32(00000000,00000000), ref: 00696CDD
                                                        • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00696D08
                                                        • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00696D18
                                                          • Part of subcall function 0069455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0069460E,00000000,?,?), ref: 0069456A
                                                          • Part of subcall function 0069455B: SetEvent.KERNEL32(?,?,?,0069460E,00000000,?,?), ref: 00694588
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                        • String ID: .part
                                                        • API String ID: 1303771098-3499674018
                                                        • Opcode ID: 5fc4717fdeadee8fb4bc34b1cf81d1a3b77f7298ea943a2f8883859ff6e7c1b9
                                                        • Instruction ID: 651a79cdbe670306da9021e45c612c7ba8dddc80814333458a240a003b6ede03
                                                        • Opcode Fuzzy Hash: 5fc4717fdeadee8fb4bc34b1cf81d1a3b77f7298ea943a2f8883859ff6e7c1b9
                                                        • Instruction Fuzzy Hash: E131AB715083459FCB50EB20DD859ABB7EEFB85701F00491EF98196651DF30AE48CBA6
                                                        APIs
                                                          • Part of subcall function 006A2584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 006A25A6
                                                          • Part of subcall function 006A2584: RegQueryValueExW.ADVAPI32(?,0069E0BA,00000000,00000000,?,00000400), ref: 006A25C5
                                                          • Part of subcall function 006A2584: RegCloseKey.ADVAPI32(?), ref: 006A25CE
                                                          • Part of subcall function 006AB15B: GetCurrentProcess.KERNEL32(?,?,?,0069C914,WinDir,00000000,00000000), ref: 006AB16C
                                                        • _wcslen.LIBCMT ref: 006AA8F6
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                                                        • String ID: .exe$:i$XCp$http\shell\open\command$program files (x86)\$program files\
                                                        • API String ID: 37874593-269515865
                                                        • Opcode ID: e8476dccdc42f1017867e767aad5a523c339fe4f43fa7fc12f05b8f068257b24
                                                        • Instruction ID: adcda0695d474bd0f92c4ec634c2d69e33b91a1ad6f2de1f92932ad9b2404884
                                                        • Opcode Fuzzy Hash: e8476dccdc42f1017867e767aad5a523c339fe4f43fa7fc12f05b8f068257b24
                                                        • Instruction Fuzzy Hash: 1D218372B001086BDF58BBB88C96DBE366F9B46314F15153EF402A7282EE219D198668
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,006CD564,006CD564,?,?,?,006D9BA1,00000001,00000001,1AE85006), ref: 006D99AA
                                                        • __alloca_probe_16.LIBCMT ref: 006D99E2
                                                        • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,006D9BA1,00000001,00000001,1AE85006,?,?,?), ref: 006D9A30
                                                        • __alloca_probe_16.LIBCMT ref: 006D9AC7
                                                        • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,1AE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 006D9B2A
                                                        • __freea.LIBCMT ref: 006D9B37
                                                          • Part of subcall function 006D6AFF: HeapAlloc.KERNEL32(00000000,?,00000000,Bp,006C3627,?,?,00692BE9,?,00692F1C,00000000,Bp,006984A8,?,?,007042E0), ref: 006D6B31
                                                        • __freea.LIBCMT ref: 006D9B40
                                                        • __freea.LIBCMT ref: 006D9B65
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocHeap
                                                        • String ID:
                                                        • API String ID: 2597970681-0
                                                        • Opcode ID: 07b309c3e3e5d3a6e8fd475d162f140f9258d00dda81ef24916d2a4ba57d1e45
                                                        • Instruction ID: 5f5674b76554d8386e7d38a2109e56d9763ac6a50ceba6e8b6dd03fd84fc4969
                                                        • Opcode Fuzzy Hash: 07b309c3e3e5d3a6e8fd475d162f140f9258d00dda81ef24916d2a4ba57d1e45
                                                        • Instruction Fuzzy Hash: AD51AE72E10216AFEB259E64DC81EFB77ABEB44750F19462EFC05DA340EB74DC4186A0
                                                        APIs
                                                        • SendInput.USER32 ref: 006A8B08
                                                        • SendInput.USER32(00000001,?,0000001C), ref: 006A8B30
                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 006A8B57
                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 006A8B75
                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 006A8B95
                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 006A8BBA
                                                        • SendInput.USER32(00000001,0000001C,0000001C), ref: 006A8BDC
                                                        • SendInput.USER32(00000001,?,0000001C), ref: 006A8BFF
                                                          • Part of subcall function 006A8AB1: MapVirtualKeyA.USER32(00000000,00000000), ref: 006A8AB7
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: InputSend$Virtual
                                                        • String ID:
                                                        • API String ID: 1167301434-0
                                                        • Opcode ID: bd0265cf4a715d527210f01bd63a3d494ec278a1d6caf7d09368a83650ec7525
                                                        • Instruction ID: 77c5741ca041d7650a9efa0451cbf110dfe6121781730b67bc4cf36d9458cc0f
                                                        • Opcode Fuzzy Hash: bd0265cf4a715d527210f01bd63a3d494ec278a1d6caf7d09368a83650ec7525
                                                        • Instruction Fuzzy Hash: A731A471248349A9E310EF65D845F9FFBECAF86B40F04080FB58457291DAA0CD4C8BA7
                                                        APIs
                                                        • OpenClipboard.USER32 ref: 006A5A46
                                                        • EmptyClipboard.USER32 ref: 006A5A54
                                                        • CloseClipboard.USER32 ref: 006A5A5A
                                                        • OpenClipboard.USER32 ref: 006A5A61
                                                        • GetClipboardData.USER32(0000000D), ref: 006A5A71
                                                        • GlobalLock.KERNEL32(00000000), ref: 006A5A7A
                                                        • GlobalUnlock.KERNEL32(00000000), ref: 006A5A83
                                                        • CloseClipboard.USER32 ref: 006A5A89
                                                          • Part of subcall function 00694468: send.WS2_32(?,00000000,00000000,00000000), ref: 006944FD
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                        • String ID:
                                                        • API String ID: 2172192267-0
                                                        • Opcode ID: 9ccb9f327a5013774ceefd35b281cb58be1587b1cb0d55ad545f7f168674379a
                                                        • Instruction ID: ed650107c5841d5974c9500d630345947b04342e978c77e4cba3554e0744ffbc
                                                        • Opcode Fuzzy Hash: 9ccb9f327a5013774ceefd35b281cb58be1587b1cb0d55ad545f7f168674379a
                                                        • Instruction Fuzzy Hash: C101B9312043408FCB54BB74DC9AAAE7BABAFD1701F44152DFD078A561DF304D059A55
                                                        APIs
                                                        • _free.LIBCMT ref: 006D7EBC
                                                        • _free.LIBCMT ref: 006D7EE0
                                                        • _free.LIBCMT ref: 006D8067
                                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,006ED478), ref: 006D8079
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,0070179C,000000FF,00000000,0000003F,00000000,?,?), ref: 006D80F1
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,007017F0,000000FF,?,0000003F,00000000,?), ref: 006D811E
                                                        • _free.LIBCMT ref: 006D8233
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                        • String ID:
                                                        • API String ID: 314583886-0
                                                        • Opcode ID: ff03486662bbbd63aede809a0339ea350b2ea2c98859a44b4680f4a800a1a98d
                                                        • Instruction ID: 817c548bf452b8b34201b7c9f0d97f4720ab5829edcb29e19c061168dbe4aa75
                                                        • Opcode Fuzzy Hash: ff03486662bbbd63aede809a0339ea350b2ea2c98859a44b4680f4a800a1a98d
                                                        • Instruction Fuzzy Hash: 00C10371D08245AFDB209F688C45AEEBBBBEF41310F28419FE48597391EB309E46C795
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free
                                                        • String ID:
                                                        • API String ID: 269201875-0
                                                        • Opcode ID: 00aaa4a8353f37c02380edc41c69a1d176459d93f0cc766a8806173c4c5a67e6
                                                        • Instruction ID: a93476991be614cc4e9a458ec2fde56310b0f26e580b304c31197a50d01f1461
                                                        • Opcode Fuzzy Hash: 00aaa4a8353f37c02380edc41c69a1d176459d93f0cc766a8806173c4c5a67e6
                                                        • Instruction Fuzzy Hash: CD61AF75D00205AFDB60DF68C841BAEBBF6AB45720F24417BF986EB341DB309D419B94
                                                        APIs
                                                          • Part of subcall function 006D6AFF: HeapAlloc.KERNEL32(00000000,?,00000000,Bp,006C3627,?,?,00692BE9,?,00692F1C,00000000,Bp,006984A8,?,?,007042E0), ref: 006D6B31
                                                        • _free.LIBCMT ref: 006D4086
                                                        • _free.LIBCMT ref: 006D409D
                                                        • _free.LIBCMT ref: 006D40BC
                                                        • _free.LIBCMT ref: 006D40D7
                                                        • _free.LIBCMT ref: 006D40EE
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$AllocHeap
                                                        • String ID: J7m
                                                        • API String ID: 1835388192-558394581
                                                        • Opcode ID: 8f20c99115e8e8baba025e69dda6451f2ffca1478e13dc26c55db8ef23fe778f
                                                        • Instruction ID: 4533405cf47dd1bc3b5206306e53ea3c9103e52f509f0fdb0c5d9a420a135ea5
                                                        • Opcode Fuzzy Hash: 8f20c99115e8e8baba025e69dda6451f2ffca1478e13dc26c55db8ef23fe778f
                                                        • Instruction Fuzzy Hash: 2E51AF31E00308ABDB21DF69DC81AAA77F6EF54720B14456EE909DB390EB31ED118B84
                                                        APIs
                                                        • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,006DA838,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 006DA105
                                                        • __fassign.LIBCMT ref: 006DA180
                                                        • __fassign.LIBCMT ref: 006DA19B
                                                        • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 006DA1C1
                                                        • WriteFile.KERNEL32(?,FF8BC35D,00000000,006DA838,00000000,?,?,?,?,?,?,?,?,?,006DA838,?), ref: 006DA1E0
                                                        • WriteFile.KERNEL32(?,?,00000001,006DA838,00000000,?,?,?,?,?,?,?,?,?,006DA838,?), ref: 006DA219
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                        • String ID:
                                                        • API String ID: 1324828854-0
                                                        • Opcode ID: 76e01d5a2e600d6b6ec1f852760ed67d841a7aab7b9ef4d25dbf77176a268158
                                                        • Instruction ID: dce3d51122f7fa45b861e06909014985f6808655a829217ff41453d7bff8c15c
                                                        • Opcode Fuzzy Hash: 76e01d5a2e600d6b6ec1f852760ed67d841a7aab7b9ef4d25dbf77176a268158
                                                        • Instruction Fuzzy Hash: 6151A170D042499FCB10CFE8DC85AEEBBBAEF09310F18415BE955E7391D6719A41CBA1
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: _free
                                                        • String ID: Hn$Hn
                                                        • API String ID: 269201875-350835424
                                                        • Opcode ID: a4953879d9a37849b2d038b970ac8651238a81e2e7d5a447cadf41463cc6f464
                                                        • Instruction ID: a21802e7ff0734e719b2fd674737e6bfebde7d39fc90b4afe6721815016aa0ff
                                                        • Opcode Fuzzy Hash: a4953879d9a37849b2d038b970ac8651238a81e2e7d5a447cadf41463cc6f464
                                                        • Instruction Fuzzy Hash: D1416D31E01B80ABDB246BBE8CC5AAE3A67DF01374F14032AF41A9A391E670480046A2
                                                        APIs
                                                        • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 006A2CC1
                                                          • Part of subcall function 006A29AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 006A2A1D
                                                          • Part of subcall function 006A29AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 006A2A4C
                                                          • Part of subcall function 00694468: send.WS2_32(?,00000000,00000000,00000000), ref: 006944FD
                                                        • RegCloseKey.ADVAPI32(TUoTUo,006F5554,006F5554,006F5900,006F5900,00000071), ref: 006A2E31
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: CloseEnumInfoOpenQuerysend
                                                        • String ID: TUoTUo$>p$Dp$Dp
                                                        • API String ID: 3114080316-1707598390
                                                        • Opcode ID: 6f39c3e0567661b16bbd749df06b7f9b98b65a2a2937bc0e051eb8bd451ec60a
                                                        • Instruction ID: 6b152d927425e92fd4b825a0230f16acf36e1a36a4a25cabcf1707692056e371
                                                        • Opcode Fuzzy Hash: 6f39c3e0567661b16bbd749df06b7f9b98b65a2a2937bc0e051eb8bd451ec60a
                                                        • Instruction Fuzzy Hash: A74126716042419BC664F724DC62EBF77DBAF91700F50442DF94B5B6D2EE204E0A866A
                                                        APIs
                                                        • _ValidateLocalCookies.LIBCMT ref: 006C7AAB
                                                        • ___except_validate_context_record.LIBVCRUNTIME ref: 006C7AB3
                                                        • _ValidateLocalCookies.LIBCMT ref: 006C7B41
                                                        • __IsNonwritableInCurrentImage.LIBCMT ref: 006C7B6C
                                                        • _ValidateLocalCookies.LIBCMT ref: 006C7BC1
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                        • String ID: csm
                                                        • API String ID: 1170836740-1018135373
                                                        • Opcode ID: 725d28f8d4706b3873f2cecfc925440781f701e57dd073c0ce1847e144c0fa22
                                                        • Instruction ID: 7dcf3a9dbf35f41d992555983769250d0f6974e824624a679290f1902f899bd2
                                                        • Opcode Fuzzy Hash: 725d28f8d4706b3873f2cecfc925440781f701e57dd073c0ce1847e144c0fa22
                                                        • Instruction Fuzzy Hash: 7E418C34A04209DBCB10DF69C885FAEBBB6EF44324F14819DE8159B392DB31AE51CF90
                                                        APIs
                                                          • Part of subcall function 006A2513: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 006A2537
                                                          • Part of subcall function 006A2513: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 006A2554
                                                          • Part of subcall function 006A2513: RegCloseKey.KERNELBASE(?), ref: 006A255F
                                                        • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0069B76C
                                                        • PathFileExistsA.SHLWAPI(?), ref: 0069B779
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                        • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                                                        • API String ID: 1133728706-4073444585
                                                        • Opcode ID: e813aea506fe41391aa8e9f0764859a364cf31b8354fdc61dbff4c02930ad32e
                                                        • Instruction ID: c5589f22f8d316ff9e993980a3c64fcfd719c2d939d56bcf135b96c1e9a03cdc
                                                        • Opcode Fuzzy Hash: e813aea506fe41391aa8e9f0764859a364cf31b8354fdc61dbff4c02930ad32e
                                                        • Instruction Fuzzy Hash: 30218E3190010966CF40F7F0DD668FE776FAE92310F50111DF9025A582EF605A09C799
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: b10f0b0181d48662a4ed1747ec891113ef82cda925187033699cb16ebb843eef
                                                        • Instruction ID: 9310299ca4c798f9c16d4d58a8434b3d3c6697098914648777d1905cbf5f96d2
                                                        • Opcode Fuzzy Hash: b10f0b0181d48662a4ed1747ec891113ef82cda925187033699cb16ebb843eef
                                                        • Instruction Fuzzy Hash: BD11D53190A7D5EFCB602FB69C48EAB3A5FEF81374711011DF8168B341EA30890196A0
                                                        APIs
                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0069FBFC
                                                        • int.LIBCPMT ref: 0069FC0F
                                                          • Part of subcall function 0069CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0069CEF1
                                                          • Part of subcall function 0069CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0069CF0B
                                                        • std::_Facet_Register.LIBCPMT ref: 0069FC4B
                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0069FC71
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0069FC8D
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                        • String ID: P[p
                                                        • API String ID: 2536120697-2595684865
                                                        • Opcode ID: 4028e96105593e87b09a6f09480719c77579285e10841e3184ff83b2209f3735
                                                        • Instruction ID: a62436d250274877dbfb198a32bbaa24cdca6ebdd97cd48bc31d09f960d7838a
                                                        • Opcode Fuzzy Hash: 4028e96105593e87b09a6f09480719c77579285e10841e3184ff83b2209f3735
                                                        • Instruction Fuzzy Hash: 5F11C032900518E6CF04FBA4D856EEEB76ADF40360B21406DF905A3281EF24AF06CB99
                                                        APIs
                                                        • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\IXCbn4ZcdS.exe), ref: 00696835
                                                          • Part of subcall function 00696764: _wcslen.LIBCMT ref: 00696788
                                                          • Part of subcall function 00696764: CoGetObject.OLE32(?,00000024,006F59B0,00000000), ref: 006967E9
                                                        • CoUninitialize.OLE32 ref: 0069688E
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: InitializeObjectUninitialize_wcslen
                                                        • String ID: C:\Users\user\Desktop\IXCbn4ZcdS.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                        • API String ID: 3851391207-487002605
                                                        • Opcode ID: cb94aca49620de1797a154f530cb5b35fc9160e3bcb9b9d82c0cfa79f62aaa12
                                                        • Instruction ID: 6d9b890135884ad1f82d8066198c92b5ad2ac5f574c89347f06913f3a0b193f2
                                                        • Opcode Fuzzy Hash: cb94aca49620de1797a154f530cb5b35fc9160e3bcb9b9d82c0cfa79f62aaa12
                                                        • Instruction Fuzzy Hash: 7401F1723003147FE7286B50DC4AF7B379EDF41BA5F21012EF6418A580EA91AC004A72
                                                        APIs
                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0069FEDF
                                                        • int.LIBCPMT ref: 0069FEF2
                                                          • Part of subcall function 0069CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0069CEF1
                                                          • Part of subcall function 0069CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0069CF0B
                                                        • std::_Facet_Register.LIBCPMT ref: 0069FF2E
                                                        • std::_Lockit::~_Lockit.LIBCPMT ref: 0069FF54
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0069FF70
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                        • String ID: H]p
                                                        • API String ID: 2536120697-3738720079
                                                        • Opcode ID: 6175e51583df155cf95cb337446d929a62e7adfaced414a90d9d917eb6cf2d39
                                                        • Instruction ID: 2492def3ffb79a765791efd693704a4b89016e55dfe0af2042849efc559525d1
                                                        • Opcode Fuzzy Hash: 6175e51583df155cf95cb337446d929a62e7adfaced414a90d9d917eb6cf2d39
                                                        • Instruction Fuzzy Hash: AB11CE31900518ABCF04FBA4C856DEEB76B9E81324B21406DF506A7281EF34AF06CB88
                                                        APIs
                                                        • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0069B2E4
                                                        • GetLastError.KERNEL32 ref: 0069B2EE
                                                        Strings
                                                        • UserProfile, xrefs: 0069B2B4
                                                        • [Chrome Cookies found, cleared!], xrefs: 0069B314
                                                        • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0069B2AF
                                                        • [Chrome Cookies not found], xrefs: 0069B308
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: DeleteErrorFileLast
                                                        • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                        • API String ID: 2018770650-304995407
                                                        • Opcode ID: 7c8b3a862cb46f4c4f0f6d2dc9b1df39a1e2a158ccb6155fcf49fdb539dffbe5
                                                        • Instruction ID: 5d84aa6ab3a22ecc6030af325c359d3d2527ebeb2d660bd5395fa31f097bc5b5
                                                        • Opcode Fuzzy Hash: 7c8b3a862cb46f4c4f0f6d2dc9b1df39a1e2a158ccb6155fcf49fdb539dffbe5
                                                        • Instruction Fuzzy Hash: 4501D63164010D9B8F44BBB4EE6B8BE362FAD52704B50110DF6035A992EE119F058685
                                                        APIs
                                                        • AllocConsole.KERNEL32(00704358), ref: 006ABEB9
                                                        • ShowWindow.USER32(00000000,00000000), ref: 006ABED2
                                                        • SetConsoleOutputCP.KERNEL32(000004E4), ref: 006ABEF7
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Console$AllocOutputShowWindow
                                                        • String ID: Remcos v$5.3.0 Pro$CONOUT$
                                                        • API String ID: 2425139147-2527699604
                                                        • Opcode ID: 64164432dcc0557f39ef6e58ae2f35d3f068deb24359dd710407c0c0e9bb1365
                                                        • Instruction ID: 6aa43adc14f50d3aa2c3ffb00f30f0c834d6cc666b57b582bed8084094b30d86
                                                        • Opcode Fuzzy Hash: 64164432dcc0557f39ef6e58ae2f35d3f068deb24359dd710407c0c0e9bb1365
                                                        • Instruction Fuzzy Hash: FD0167B1E8034CBBDB40FBF0DD4BFDD37AF6B14700F5014167704A7182DAA595044A29
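As an added example (this is not code from Joe Sandbox, from Remcos or from the sample): a small Python triage script that parses per-function "APIs"/"Strings" bullets in the form this listing prints them (Name.MODULE(args), ref: ADDR) and turns the calls and strings documented in this report into findings: ChangeServiceConfigW with dwStartType 0x4 (SERVICE_DISABLED) in the service-control function, DeleteFileA on the Chrome cookie store, CoGetObject beside the UACMe method name ucmCMLuaUtilShellExecMethod, and the "Remcos v" / "5.3.0 Pro" console banner. SAMPLE_LISTING is constructed from lines of this report; the rule names, the parse_listing/triage functions and the assumption that a "Memory Dump Source" line closes a function's record are this example's own.

```python
"""Rule-based triage over a Joe Sandbox per-function "APIs"/"Strings" listing.
Added example for this report (not Joe Sandbox or Remcos code): it parses API
bullets as the report prints them, Name.MODULE(args), ref: ADDR, and flags the
behaviours documented in this listing. Rule names are this example's own."""
from __future__ import annotations
import re
from dataclasses import dataclass, field
from typing import Optional

API_LINE = re.compile(
    r"^\s*•?\s*(?:Part of subcall function [0-9A-Fa-f]+:\s*)?"
    r"(?P<name>\S+?)\.(?P<module>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?(?:,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+))?\s*$")
SERVICE_DISABLED = 0x4  # winsvc.h: ChangeServiceConfig dwStartType value

@dataclass
class ApiCall:
    name: str
    module: str
    args: list          # int for 8-hex-digit values, None for "?", str otherwise
    ref: Optional[str]  # call-site address printed after "ref:"

@dataclass
class Function:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)

def decode_arg(tok: str):
    tok = tok.strip()
    if tok == "?":
        return None                        # value not recovered by the sandbox
    if re.fullmatch(r"[0-9A-Fa-f]{8}", tok):
        return int(tok, 16)                # 32-bit value shown as 8 hex digits
    return tok                             # resolved string (path, key, literal)

def parse_listing(text: str) -> list[Function]:
    """One Function per 'APIs'/'Strings' group; 'Memory Dump Source' ends it."""
    functions, current, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line in ("APIs", "Strings"):
            if current is None:
                current = Function()
                functions.append(current)
            section = line
        elif line == "Memory Dump Source":
            current = section = None
        elif section == "APIs" and (m := API_LINE.match(line)):
            args = [decode_arg(a) for a in m["args"].split(",")] if m["args"] else []
            current.calls.append(ApiCall(m["name"], m["module"], args, m["ref"]))
        elif section == "Strings" and line:
            current.strings.append(re.sub(r",\s*xrefs:.*$", "", line.lstrip("• ")))
    return functions

def triage(functions: list[Function]) -> list[tuple[str, Optional[str], str]]:
    """Return (rule, call-site ref, detail) for every behaviour a rule matches."""
    findings = []
    for fn in functions:
        blob = " ".join(fn.strings)
        for c in fn.calls:
            a = c.args
            # dwStartType is the 3rd ChangeServiceConfig parameter; 4 == SERVICE_DISABLED
            if c.name.startswith("ChangeServiceConfig") and len(a) > 2 and a[2] == SERVICE_DISABLED:
                findings.append(("service_disabled", c.ref, "dwStartType=SERVICE_DISABLED"))
            # Cookie-store wipe: DeleteFile* on a path ending in a browser cookie file
            if c.name.startswith("DeleteFile"):
                findings += [("browser_cookie_wipe", c.ref, p) for p in a
                             if isinstance(p, str) and p.endswith("Cookies")]
            # COM moniker resolution in a function carrying UACMe's CMSTPLUA method name
            if c.name == "CoGetObject" and "ucmCMLuaUtilShellExecMethod" in blob:
                findings.append(("uac_bypass_cmstplua", c.ref, "CoGetObject + ucmCMLuaUtilShellExecMethod"))
        if m := re.search(r"Remcos v\s*(\d+(?:\.\d+)+(?: \w+)?)", blob):
            findings.append(("remcos_banner", fn.calls[0].ref if fn.calls else None, m.group(1)))
    return findings

# Constructed sample: API and string lines copied from this report's listing.
SAMPLE_LISTING = r"""
APIs
• CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\IXCbn4ZcdS.exe), ref: 00696835
  • Part of subcall function 00696764: CoGetObject.OLE32(?,00000024,006F59B0,00000000), ref: 006967E9
• CoUninitialize.OLE32 ref: 0069688E
Strings
• [+] ucmCMLuaUtilShellExecMethod
Memory Dump Source
APIs
• DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0069B2E4
Strings
• [Chrome Cookies found, cleared!], xrefs: 0069B314
Memory Dump Source
APIs
• AllocConsole.KERNEL32(00704358), ref: 006ABEB9
Strings
• Remcos v
• 5.3.0 Pro
Memory Dump Source
APIs
• ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,006A9507), ref: 006A9E52
Memory Dump Source
"""

if __name__ == "__main__":
    for rule, ref, detail in triage(parse_listing(SAMPLE_LISTING)):
        print(f"{rule:22} ref={ref} {detail}")
```

The report prints the second and fourth ChangeServiceConfigW arguments as 000000FF; the example deliberately does not interpret them (the listing does not make clear whether that is the 0xFFFFFFFF SERVICE_NO_CHANGE sentinel shortened in display) and keys only on dwStartType, whose value 4 is unambiguous. "Part of subcall function" lines are folded into the calling function because that is how the sandbox attributes them in this listing, so the CoGetObject rule fires on the function that carries the ucmCMLuaUtilShellExecMethod string.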
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID:
                                                        • String ID: (Cp$C:\Users\user\Desktop\IXCbn4ZcdS.exe$Bp
                                                        • API String ID: 0-2150984986
                                                        • Opcode ID: d5402164eb9434a28e95c8c1ea25e07c0ddc05a646ca2d3394da0f2c0fd106dd
                                                        • Instruction ID: 2555fa4ba43d1e989dac2e6bdcf754dc964aa3d607d3cd33841bc10e60a70524
                                                        • Opcode Fuzzy Hash: d5402164eb9434a28e95c8c1ea25e07c0ddc05a646ca2d3394da0f2c0fd106dd
                                                        • Instruction Fuzzy Hash: 51F09070B11311DBDF043B34ED1977A3A4FAB81356F40567AF642EAA95DF28480292A8
                                                        APIs
                                                        • _free.LIBCMT ref: 006DF7B5
                                                          • Part of subcall function 006D6AC5: HeapFree.KERNEL32(00000000,00000000,Bp,006DFA50,?,00000000,?,00000000,Bp,006DFCF4,?,00000007,?,Bp,006E0205,?), ref: 006D6ADB
                                                          • Part of subcall function 006D6AC5: GetLastError.KERNEL32(?), ref: 006D6AED
                                                        • _free.LIBCMT ref: 006DF7C7
                                                        • _free.LIBCMT ref: 006DF7D9
                                                        • _free.LIBCMT ref: 006DF7EB
                                                        • _free.LIBCMT ref: 006DF7FD
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast
                                                        • String ID: Bp
                                                        • API String ID: 776569668-1987823655
                                                        • Opcode ID: 0fb8f861aadc044480fcc741e586eabb662f8892dee5a8aac922be6fa18118ed
                                                        • Instruction ID: c58c1fcc7870e5d96d6d58fca981640fc2d67868d9b6329237ca7bc3a05545c2
                                                        • Opcode Fuzzy Hash: 0fb8f861aadc044480fcc741e586eabb662f8892dee5a8aac922be6fa18118ed
                                                        • Instruction Fuzzy Hash: ACF0F432D04204B7C560DB59F8C5D9A73EBAB40720B69881BF446E7701CF34FC804A98
                                                        APIs
                                                        • __allrem.LIBCMT ref: 006C9789
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006C97A5
                                                        • __allrem.LIBCMT ref: 006C97BC
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006C97DA
                                                        • __allrem.LIBCMT ref: 006C97F1
                                                        • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 006C980F
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                        • String ID:
                                                        • API String ID: 1992179935-0
                                                        • Opcode ID: 9c67cb4fed110ca44ac0cc586ac5e74db1fc7c48150eab0f41685f45472ef8a2
                                                        • Instruction ID: 39daa756e330ba90725657fc22957e5870716550c3419bedea954d365f0ce225
                                                        • Opcode Fuzzy Hash: 9c67cb4fed110ca44ac0cc586ac5e74db1fc7c48150eab0f41685f45472ef8a2
                                                        • Instruction Fuzzy Hash: 14814772A01B019BE7209E79CC45FBA73AAEF41364F14452EF511D77C1EB70D9018BA4
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: __cftoe
                                                        • String ID:
                                                        • API String ID: 4189289331-0
                                                        • Opcode ID: 9155894984b314613661133b771d915b09799a4da4916111837b0610532b666d
                                                        • Instruction ID: ec7a1b38bef889b0173f995ef23b4a5db64d8eee6c6a17b2dbcc31bf2ef08a0a
                                                        • Opcode Fuzzy Hash: 9155894984b314613661133b771d915b09799a4da4916111837b0610532b666d
                                                        • Instruction Fuzzy Hash: 4C51D636D05205ABDB649B69CD81FEE77ABEF48320F24421FF815A6382DF31DD018668
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: __freea$__alloca_probe_16
                                                        • String ID: a/p$am/pm
                                                        • API String ID: 3509577899-3206640213
                                                        • Opcode ID: 565a6009deb217d9facefd65e25783e0551a1a338a460da50237a98abcbafcf4
                                                        • Instruction ID: a3dd598dc96efe2c34a319a7a208d94c61368e4513432d1713d7ad04cbad1505
                                                        • Opcode Fuzzy Hash: 565a6009deb217d9facefd65e25783e0551a1a338a460da50237a98abcbafcf4
                                                        • Instruction Fuzzy Hash: FAD1CD31D10206CADB288F68D995BFAB7B3EF05310F24415BF902AB759E3759D81CBA1
                                                        APIs
                                                        • Sleep.KERNEL32(00000000), ref: 00693E8A
                                                          • Part of subcall function 00693FCD: __EH_prolog.LIBCMT ref: 00693FD2
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: H_prologSleep
                                                        • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>p
                                                        APIs
                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,006A9507,00000000,00000000), ref: 006A9DFC
                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,006A9507,00000000,00000000), ref: 006A9E10
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,006A9507,00000000,00000000), ref: 006A9E1D
                                                        • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,006A9507), ref: 006A9E52
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,006A9507,00000000,00000000), ref: 006A9E64
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,006A9507,00000000,00000000), ref: 006A9E67
                                                        • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                        • String ID:
                                                        APIs
                                                        • GetLastError.KERNEL32(?,?,006C7DFD,006C77B1), ref: 006C7E14
                                                        • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 006C7E22
                                                        • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 006C7E3B
                                                        • SetLastError.KERNEL32(00000000,?,006C7DFD,006C77B1), ref: 006C7E8D
                                                        • API ID: ErrorLastValue___vcrt_
                                                        • String ID:
                                                        APIs
                                                        • GetLastError.KERNEL32(?,00000000,006D0A45,?,006AAB73,-00705D4C,?,?,?,?,006F5900,0069C07B,.vbs), ref: 006D6EC3
                                                        • _free.LIBCMT ref: 006D6EF6
                                                        • _free.LIBCMT ref: 006D6F1E
                                                        • SetLastError.KERNEL32(00000000,?,006AAB73,-00705D4C,?,?,?,?,006F5900,0069C07B,.vbs), ref: 006D6F2B
                                                        • SetLastError.KERNEL32(00000000,?,006AAB73,-00705D4C,?,?,?,?,006F5900,0069C07B,.vbs), ref: 006D6F37
                                                        • _abort.LIBCMT ref: 006D6F3D
                                                        • API ID: ErrorLast$_free$_abort
                                                        • String ID:
                                                        APIs
                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,006A979B,00000000,00000000), ref: 006A9C2F
                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,006A979B,00000000,00000000), ref: 006A9C43
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,006A979B,00000000,00000000), ref: 006A9C50
                                                        • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,006A979B,00000000,00000000), ref: 006A9C5F
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,006A979B,00000000,00000000), ref: 006A9C71
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,006A979B,00000000,00000000), ref: 006A9C74
                                                        • API ID: Service$CloseHandle$Open$ControlManager
                                                        • String ID:
                                                        APIs
                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,006A9719,00000000,00000000), ref: 006A9D31
                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,006A9719,00000000,00000000), ref: 006A9D45
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,006A9719,00000000,00000000), ref: 006A9D52
                                                        • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,006A9719,00000000,00000000), ref: 006A9D61
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,006A9719,00000000,00000000), ref: 006A9D73
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,006A9719,00000000,00000000), ref: 006A9D76
                                                        • API ID: Service$CloseHandle$Open$ControlManager
                                                        • String ID:
                                                        APIs
                                                        • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,006A9697,00000000,00000000), ref: 006A9D96
                                                        • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,006A9697,00000000,00000000), ref: 006A9DAA
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,006A9697,00000000,00000000), ref: 006A9DB7
                                                        • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,006A9697,00000000,00000000), ref: 006A9DC6
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,006A9697,00000000,00000000), ref: 006A9DD8
                                                        • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,006A9697,00000000,00000000), ref: 006A9DDB
                                                        • API ID: Service$CloseHandle$Open$ControlManager
                                                        • String ID:
                                                        APIs
                                                        • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 006A2A1D
                                                        • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 006A2A4C
                                                        • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 006A2AED
                                                        • API ID: Enum$InfoQueryValue
                                                        • String ID: [regsplt]$Dp
                                                        APIs
                                                          • Part of subcall function 006C3519: EnterCriticalSection.KERNEL32(00700D18,?,00705D2C,?,0069AE8B,00705D2C,?,00000000,00000000), ref: 006C3524
                                                          • Part of subcall function 006C3519: LeaveCriticalSection.KERNEL32(00700D18,?,0069AE8B,00705D2C,?,00000000,00000000), ref: 006C3561
                                                          • Part of subcall function 006C38A5: __onexit.LIBCMT ref: 006C38AB
                                                        • __Init_thread_footer.LIBCMT ref: 0069AEA7
                                                          • Part of subcall function 006C34CF: EnterCriticalSection.KERNEL32(00700D18,00705D2C,?,0069AEAC,00705D2C,006E6D97,?,00000000,00000000), ref: 006C34D9
                                                          • Part of subcall function 006C34CF: LeaveCriticalSection.KERNEL32(00700D18,?,0069AEAC,00705D2C,006E6D97,?,00000000,00000000), ref: 006C350C
                                                        • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                                        • String ID: [End of clipboard]$[Text copied to clipboard]$,]p$0]p
                                                        APIs
                                                        • GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0069A884
                                                        • wsprintfW.USER32 ref: 0069A905
                                                          • Part of subcall function 00699D58: SetEvent.KERNEL32(?,?,00000000,0069A91C,00000000), ref: 00699D84
                                                        • API ID: EventLocalTimewsprintf
                                                        • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                                                        APIs
                                                        • RegisterClassExA.USER32(00000030), ref: 006ACA6C
                                                        • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 006ACA87
                                                        • GetLastError.KERNEL32 ref: 006ACA91
                                                        • API ID: ClassCreateErrorLastRegisterWindow
                                                        • String ID: 0$MsgWindowClass
                                                        APIs
                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,?,00000000,00000000,Bp,006D71B7,?,00000000,00000000,00000000,Bp,006D74E3,00000006,FlsSetValue), ref: 006D7242
                                                        • GetLastError.KERNEL32(?,00692BE9,?,00692F1C,00000000,Bp,006984A8,?,?,007042E0,?,pth_unenc,?,?,00698309,0069E5AC), ref: 006D724E
                                                        • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00692BE9,?,00692F1C,00000000,Bp,006984A8,?,?,007042E0,?,pth_unenc), ref: 006D725C
                                                        • API ID: LibraryLoad$ErrorLast
                                                        • String ID: Bp
                                                        APIs
                                                        • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00696A00
                                                        • CloseHandle.KERNEL32(?), ref: 00696A0F
                                                        • CloseHandle.KERNEL32(?), ref: 00696A14
                                                        Strings
                                                        • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 006969F6
                                                        • C:\Windows\System32\cmd.exe, xrefs: 006969FB
                                                        • API ID: CloseHandle$CreateProcess
                                                        • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                        APIs
                                                        • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,006D258A,00000003,?,006D252A,00000003,006FDAE0,0000000C,006D2681,00000003,00000002), ref: 006D25F9
                                                        • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 006D260C
                                                        • FreeLibrary.KERNEL32(00000000,?,?,?,006D258A,00000003,?,006D252A,00000003,006FDAE0,0000000C,006D2681,00000003,00000002,00000000), ref: 006D262F
                                                        • API ID: AddressFreeHandleLibraryModuleProc
                                                        • String ID: CorExitProcess$mscoree.dll
                                                        APIs
                                                        • RegCreateKeyW.ADVAPI32(80000001,00000000,Bp), ref: 006A277F
                                                        • RegSetValueExW.ADVAPI32(Bp,?,00000000,00000001,00000000,00000000,007042F8,?,0069E5CB,pth_unenc,007042E0), ref: 006A27AD
                                                        • RegCloseKey.ADVAPI32(?,?,0069E5CB,pth_unenc,007042E0), ref: 006A27B8
                                                        • API ID: CloseCreateValue
                                                        • String ID: pth_unenc$Bp
                                                        APIs
                                                        • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00694AED
                                                        • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0069483F,00000001), ref: 00694AF9
                                                        • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,0069483F,00000001), ref: 00694B04
                                                        • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,0069483F,00000001), ref: 00694B0D
                                                          • Part of subcall function 006AA686: GetLocalTime.KERNEL32(00000000), ref: 006AA6A0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                        • String ID: KeepAlive | Disabled
                                                        • API String ID: 2993684571-305739064
                                                        • Opcode ID: 6a3ef8897822e705a8be242c3258f6e4894a419ca930fb7c3502d1bc769ae3d4
                                                        • Instruction ID: d47b3c55d035d6552539460f76e8bcabe7a14dfd43fc0abb1fda58677edd6bc5
                                                        • Opcode Fuzzy Hash: 6a3ef8897822e705a8be242c3258f6e4894a419ca930fb7c3502d1bc769ae3d4
                                                        • Instruction Fuzzy Hash: A7F0B4719087486FDF1137748D0EABA7F9FAB07320F00190DFA9286AB1DA208D51CB56
                                                        APIs
                                                          • Part of subcall function 006AA686: GetLocalTime.KERNEL32(00000000), ref: 006AA6A0
                                                        • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 006A9F64
                                                        • PlaySoundW.WINMM(00000000,00000000), ref: 006A9F72
                                                        • Sleep.KERNEL32(00002710), ref: 006A9F79
                                                        • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 006A9F82
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: PlaySound$HandleLocalModuleSleepTime
                                                        • String ID: Alarm triggered
                                                        • API String ID: 614609389-2816303416
                                                        • Opcode ID: 3a13f0b814d5c0b6000daad6cfe42df53e4f287f297fc5eb2de63e89fd442146
                                                        • Instruction ID: 4598b68d09f6f2f93ae09a31cfae489c7ace38410afdfe22d96e8250da19be92
                                                        • Opcode Fuzzy Hash: 3a13f0b814d5c0b6000daad6cfe42df53e4f287f297fc5eb2de63e89fd442146
                                                        • Instruction Fuzzy Hash: B8E09222E14259774A1033AA6C4FC2F3D2FDAC3B70741005EFA045A1919E400A0186F3
                                                        APIs
                                                        • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,006ABF02), ref: 006ABE79
                                                        • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,006ABF02), ref: 006ABE86
                                                        • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,006ABF02), ref: 006ABE93
                                                        • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,006ABF02), ref: 006ABEA6
                                                        Strings
                                                        • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 006ABE99
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                        • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                        • API String ID: 3024135584-2418719853
                                                        • Opcode ID: 9e03d0428fb85d44adf6414ac2216f953927893ca6a6f2cce0fecc97ad9b65a2
                                                        • Instruction ID: 6bcf8d084aad97466e8e17d25581b4b6cb7ca4d6231fe36f6a938d0f1c9dde3a
                                                        • Opcode Fuzzy Hash: 9e03d0428fb85d44adf6414ac2216f953927893ca6a6f2cce0fecc97ad9b65a2
                                                        • Instruction Fuzzy Hash: 8AE04F72104388ABD71037F5BC8ECEB3B7DE784A12B042615F612942929A7044448671
                                                        APIs
                                                        • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 006AA650
                                                        • LoadResource.KERNEL32(00000000,?,?,0069E183,00000000), ref: 006AA664
                                                        • LockResource.KERNEL32(00000000,?,?,0069E183,00000000), ref: 006AA66B
                                                        • SizeofResource.KERNEL32(00000000,?,?,0069E183,00000000), ref: 006AA67A
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Resource$FindLoadLockSizeof
                                                        • String ID: SETTINGS
                                                        • API String ID: 3473537107-594951305
                                                        • Opcode ID: ff7355fa58501ac73e1188466e53bec7231412adeb409a64315ee6d6d24f7f00
                                                        • Instruction ID: c52c4921dcb2995eafa48e2f29f7d80492f295e870da76f377343b8b1c531178
                                                        • Opcode Fuzzy Hash: ff7355fa58501ac73e1188466e53bec7231412adeb409a64315ee6d6d24f7f00
                                                        • Instruction Fuzzy Hash: D8E01A3A210350EBCB211BA1FC8CD977E3AE78A7623095126FA0186220DA358800DB20
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 6735c2d31309dc1ebd196e8660bed2f5678ec53f4bf1a31f2a0c1d71dbadc690
                                                        • Instruction ID: 141d311ad7223b20a54511b4af92d1e0c6d3c7b83637fa59bd0e954b03c3f288
                                                        • Opcode Fuzzy Hash: 6735c2d31309dc1ebd196e8660bed2f5678ec53f4bf1a31f2a0c1d71dbadc690
                                                        • Instruction Fuzzy Hash: 90719031D016579BEB218B98C884BFEBB77EF55360F29422BE815A7381DB709D41C7A0
                                                        APIs
                                                          • Part of subcall function 006A05B9: SetLastError.KERNEL32(0000000D,006A0B38,?,00000000), ref: 006A05BF
                                                        • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,006A0B15), ref: 006A0BC4
                                                        • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 006A0C2A
                                                        • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 006A0C31
                                                        • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 006A0D3F
                                                        • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,006A0B15), ref: 006A0D69
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
                                                        • String ID:
                                                        • API String ID: 3525466593-0
                                                        • Opcode ID: 4177e48718b5dcc0811982fac90e7033ce4eded255fa7dd3f915b746b75e397c
                                                        • Instruction ID: 05cdabdd08f509f2b007292e2252e918c476ce8e2c62ba4c5ecdf17e9dcfe0f9
                                                        • Opcode Fuzzy Hash: 4177e48718b5dcc0811982fac90e7033ce4eded255fa7dd3f915b746b75e397c
                                                        • Instruction Fuzzy Hash: 6361EF71600301ABEB60BF65CA81B667BA7FF86710F044119F9058B386EBB4EC51CFA5
                                                        APIs
                                                        • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,006ED478), ref: 006D8079
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,0070179C,000000FF,00000000,0000003F,00000000,?,?), ref: 006D80F1
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,007017F0,000000FF,?,0000003F,00000000,?), ref: 006D811E
                                                        • _free.LIBCMT ref: 006D8067
                                                          • Part of subcall function 006D6AC5: HeapFree.KERNEL32(00000000,00000000,Bp,006DFA50,?,00000000,?,00000000,Bp,006DFCF4,?,00000007,?,Bp,006E0205,?), ref: 006D6ADB
                                                          • Part of subcall function 006D6AC5: GetLastError.KERNEL32(?), ref: 006D6AED
                                                        • _free.LIBCMT ref: 006D8233
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                        • String ID:
                                                        • API String ID: 1286116820-0
                                                        • Opcode ID: 8aa601ef0898c5289e6bcd0f966ed409a2c7d4c3b124fd5f64b2e256054891e1
                                                        • Instruction ID: dbaf08b064817d7c055c8d0670db75a94560ffee82b8922c72db73ad4b4a275c
                                                        • Opcode Fuzzy Hash: 8aa601ef0898c5289e6bcd0f966ed409a2c7d4c3b124fd5f64b2e256054891e1
                                                        • Instruction Fuzzy Hash: 5651C171D00209EFCB10EF699C859AEB7BAEB40360F54426FE454A7391EF349E468B94
                                                        APIs
                                                        • SetLastError.KERNEL32 ref: 00415021
                                                          • Part of subcall function 00414F30: FindFirstFileA.KERNEL32(?,?,?,?), ref: 00414F47
                                                          • Part of subcall function 00414F30: FindClose.KERNEL32(00000000), ref: 00414F81
                                                        • SetLastError.KERNEL32(00000002,?,?,?,00000001), ref: 0041504B
                                                        • SetLastError.KERNEL32(00000005), ref: 0041508C
                                                        • Sleep.KERNEL32(00000001), ref: 00415124
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3852697446.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000005.00000002.3852676846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000005.00000002.3852803469.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000005.00000002.3853277306.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000005.00000002.3853306344.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000005.00000002.3853306344.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000005.00000002.3853306344.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ErrorLast$Find$CloseFileFirstSleep
                                                        • String ID:
                                                        • API String ID: 1934500226-0
                                                        • Opcode ID: e6b62eaeb095e084dcdde112aad474c2f1df312f47c2989c3ca51f5dca466904
                                                        • Instruction ID: 2fca2705454d7dd58154ba04993cc9775b04a32fe64a4f43b8d4991ee8eab8d9
                                                        • Opcode Fuzzy Hash: e6b62eaeb095e084dcdde112aad474c2f1df312f47c2989c3ca51f5dca466904
                                                        • Instruction Fuzzy Hash: EA41E771604304BFD314AF959C45BABB7D8EBC9709F00052EFE4992281E7F999448AAB
                                                        APIs
                                                          • Part of subcall function 006AB15B: GetCurrentProcess.KERNEL32(?,?,?,0069C914,WinDir,00000000,00000000), ref: 006AB16C
                                                        • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0069E6C1
                                                        • Process32FirstW.KERNEL32(00000000,?), ref: 0069E6E5
                                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0069E6F4
                                                        • CloseHandle.KERNEL32(00000000), ref: 0069E8AB
                                                          • Part of subcall function 006AB187: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0069E4D0,00000000,?,?,00704358), ref: 006AB19C
                                                          • Part of subcall function 006AB37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 006AB395
                                                          • Part of subcall function 006AB37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 006AB3A8
                                                        • Process32NextW.KERNEL32(00000000,0000022C), ref: 0069E89C
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Process$OpenProcess32$Next$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                        • String ID:
                                                        • API String ID: 4269425633-0
                                                        • Opcode ID: 47b274d1862029077da353b55a624eac1249b09bbc1969606dc6a2532b0bda4e
                                                        • Instruction ID: 48c448d2c66c866aa75fac9afd0a6771a5e0cff89962f376390102b5a2654641
                                                        • Opcode Fuzzy Hash: 47b274d1862029077da353b55a624eac1249b09bbc1969606dc6a2532b0bda4e
                                                        • Instruction Fuzzy Hash: 744114311082419BC7A5FB60DCA2AFF77AEAFE5300F50451DF48A8A591EF309A49C75A
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free
                                                        • String ID:
                                                        • API String ID: 269201875-0
                                                        • Opcode ID: a8956317177a2d0353de41cd5513d9c359555d0699c555acee93da500292747f
                                                        • Instruction ID: 05385ab684798375c125b2519321837a7235df800757188d4269b712f7d8edb8
                                                        • Opcode Fuzzy Hash: a8956317177a2d0353de41cd5513d9c359555d0699c555acee93da500292747f
                                                        • Instruction Fuzzy Hash: 1F41D436E002149FDB24DF78CC81A9DB3A6EF84714F15856EE915EB341DA31AE01CB81
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,006CE3ED,?,00000000,?,00000001,?,?,00000001,006CE3ED,?), ref: 006DFF20
                                                        • __alloca_probe_16.LIBCMT ref: 006DFF58
                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 006DFFA9
                                                        • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,006C99BF,?), ref: 006DFFBB
                                                        • __freea.LIBCMT ref: 006DFFC4
                                                          • Part of subcall function 006D6AFF: HeapAlloc.KERNEL32(00000000,?,00000000,Bp,006C3627,?,?,00692BE9,?,00692F1C,00000000,Bp,006984A8,?,?,007042E0), ref: 006D6B31
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ByteCharMultiWide$AllocHeapStringType__alloca_probe_16__freea
                                                        • String ID:
                                                        • API String ID: 1857427562-0
                                                        • Opcode ID: 962b4ecc81ed884fc8eb2773437957c821b42cc3279a6a4d22c1344a864fc283
                                                        • Instruction ID: a28abc12e39d8c71d4d97ba68d99b105ac6fea10a132c689f3d976ce4a960716
                                                        • Opcode Fuzzy Hash: 962b4ecc81ed884fc8eb2773437957c821b42cc3279a6a4d22c1344a864fc283
                                                        • Instruction Fuzzy Hash: A331CD72A0021AABDB249F65DC85EEE7BA6EB01310B05416AFC06DA350EB35DD51CBA0
                                                        APIs
                                                        • GetEnvironmentStringsW.KERNEL32 ref: 006DE144
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 006DE167
                                                          • Part of subcall function 006D6AFF: HeapAlloc.KERNEL32(00000000,?,00000000,Bp,006C3627,?,?,00692BE9,?,00692F1C,00000000,Bp,006984A8,?,?,007042E0), ref: 006D6B31
                                                        • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 006DE18D
                                                        • _free.LIBCMT ref: 006DE1A0
                                                        • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 006DE1AF
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ByteCharEnvironmentMultiStringsWide$AllocFreeHeap_free
                                                        • String ID:
                                                        • API String ID: 2278895681-0
                                                        • Opcode ID: a2afade20bfafbd5d0f83d0a7aa5de195a338c84db1c8ab8e8d610711bf31e9f
                                                        • Instruction ID: aea7e364bb0bcf36b71fddaaec01c2c2d492b924480b27383836c122112d4f90
                                                        • Opcode Fuzzy Hash: a2afade20bfafbd5d0f83d0a7aa5de195a338c84db1c8ab8e8d610711bf31e9f
                                                        • Instruction Fuzzy Hash: 8701B572F013517F63216A765C8CCBB6A6FDEC2BA1318012AFD04CE300DA728C0291B0
                                                        APIs
                                                        • GetLastError.KERNEL32(00000000,?,?,006D5359,006D6B42,00000000,Bp,006C3627,?,?,00692BE9,?,00692F1C,00000000,Bp,006984A8), ref: 006D6F48
                                                        • _free.LIBCMT ref: 006D6F7D
                                                        • _free.LIBCMT ref: 006D6FA4
                                                        • SetLastError.KERNEL32(00000000), ref: 006D6FB1
                                                        • SetLastError.KERNEL32(00000000), ref: 006D6FBA
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorLast$_free
                                                        • String ID:
                                                        • API String ID: 3170660625-0
                                                        • Opcode ID: e2d852bc91ffd842f71f387e78cc72c15c7493cef0929a6436c4ff12b57c1de7
                                                        • Instruction ID: 0ef96615018bfaf6e8340c959d0aee31b812887a9a8ea5f4c2adcf7585a1b4bb
                                                        • Opcode Fuzzy Hash: e2d852bc91ffd842f71f387e78cc72c15c7493cef0929a6436c4ff12b57c1de7
                                                        • Instruction Fuzzy Hash: 2B01F47AE0CB006BC7126774FC85E6F266BDBD1370B29012FF915A2392EE648D064569
                                                        APIs
                                                        • _free.LIBCMT ref: 006D3305
                                                          • Part of subcall function 006D6AC5: HeapFree.KERNEL32(00000000,00000000,Bp,006DFA50,?,00000000,?,00000000,Bp,006DFCF4,?,00000007,?,Bp,006E0205,?), ref: 006D6ADB
                                                          • Part of subcall function 006D6AC5: GetLastError.KERNEL32(?), ref: 006D6AED
                                                        • _free.LIBCMT ref: 006D3317
                                                        • _free.LIBCMT ref: 006D332A
                                                        • _free.LIBCMT ref: 006D333B
                                                        • _free.LIBCMT ref: 006D334C
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$ErrorFreeHeapLast
                                                        • String ID:
                                                        • API String ID: 776569668-0
                                                        • Opcode ID: dfcce81c827ca151b6a688998bb2ed1bbcdd47d80fd4c699cea91e7ec2a67565
                                                        • Instruction ID: b329f4997dce614f0bff9638f2d1ec3dba2d2ed70693625aedb8a1046661cee7
                                                        • Opcode Fuzzy Hash: dfcce81c827ca151b6a688998bb2ed1bbcdd47d80fd4c699cea91e7ec2a67565
                                                        • Instruction Fuzzy Hash: A3F03AB4E16120DBCB41AF14ED015883B62B74976078AD30BF48262B72EF3C1925DBCD
                                                        APIs
                                                        • GetWindowThreadProcessId.USER32(?,?), ref: 006A6768
                                                        • GetWindowTextW.USER32(?,?,0000012C), ref: 006A679A
                                                        • IsWindowVisible.USER32(?), ref: 006A67A1
                                                          • Part of subcall function 006AB37D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 006AB395
                                                          • Part of subcall function 006AB37D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 006AB3A8
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ProcessWindow$Open$TextThreadVisible
                                                        • String ID: (Fp
                                                        • API String ID: 3142014140-1060722677
                                                        • Opcode ID: e8601cec6059aaac312de9ac6f7774e78cbfaa160f91066c6ee181269a06bce0
                                                        • Instruction ID: 1c920a1934aa8e77fb3c693770a688999278b0d7b97456ef9f869bc8a01eb9f3
                                                        • Opcode Fuzzy Hash: e8601cec6059aaac312de9ac6f7774e78cbfaa160f91066c6ee181269a06bce0
                                                        • Instruction Fuzzy Hash: B571C9321082415BC7B5FB60D8A1EEFB3EAAFE5300F50451DF48A564A1EF306B49CB5A
                                                        APIs
                                                        • _strpbrk.LIBCMT ref: 006DD4A8
                                                        • _free.LIBCMT ref: 006DD5C5
                                                          • Part of subcall function 006CA854: IsProcessorFeaturePresent.KERNEL32(00000017,006CA826,?,?,?,?,?,00000000,00000000,?,006CA846,00000000,00000000,00000000,00000000,00000000), ref: 006CA856
                                                          • Part of subcall function 006CA854: GetCurrentProcess.KERNEL32(C0000417), ref: 006CA878
                                                          • Part of subcall function 006CA854: TerminateProcess.KERNEL32(00000000), ref: 006CA87F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                        • String ID: *?$.
                                                        • API String ID: 2812119850-3972193922
                                                        • Opcode ID: dbad545dedeb202f26215854c3da024dc0fb99b6c0e3b260b863dc96475f25f4
                                                        • Instruction ID: 60e59f0ac4e04e1e26040fa7f8d2774d3cf1a08063893cfa7de57b83926854d5
                                                        • Opcode Fuzzy Hash: dbad545dedeb202f26215854c3da024dc0fb99b6c0e3b260b863dc96475f25f4
                                                        • Instruction Fuzzy Hash: E051B171E00209AFDF14DFA9C881AEDB7F6EF58314F24816EE454E7341E635AE058B90
                                                        APIs
                                                        • GetKeyboardLayoutNameA.USER32(?), ref: 00699601
                                                          • Part of subcall function 006941F1: socket.WS2_32(?,00000001,00000006), ref: 00694212
                                                          • Part of subcall function 0069428C: connect.WS2_32(?,?,?), ref: 006942A5
                                                          • Part of subcall function 006AB6AA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00699689,00703EE8,?,00703EE8,00000000,00703EE8,00000000), ref: 006AB6BF
                                                          • Part of subcall function 00694468: send.WS2_32(?,00000000,00000000,00000000), ref: 006944FD
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateFileKeyboardLayoutNameconnectsendsocket
                                                        • String ID: XCp$`Ap$>p
                                                        • API String ID: 2334542088-1497820123
                                                        • Opcode ID: ca2c8daf657e0a421049811b1f56673def72db38cdc40711133ef39a2eaf3d64
                                                        • Instruction ID: 088b3c394e314b76d5772f29ed7041de4205a1f46605e1985ef2ce7d3c4ccabd
                                                        • Opcode Fuzzy Hash: ca2c8daf657e0a421049811b1f56673def72db38cdc40711133ef39a2eaf3d64
                                                        • Instruction Fuzzy Hash: 695147321042419BCBA4F774D8A1EFF73DAAFE5300F50492DF44B5B592EE305A49C659
                                                        APIs
                                                        • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\IXCbn4ZcdS.exe,00000104), ref: 006D2714
                                                        • _free.LIBCMT ref: 006D27DF
                                                        • _free.LIBCMT ref: 006D27E9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: _free$FileModuleName
                                                        • String ID: C:\Users\user\Desktop\IXCbn4ZcdS.exe
                                                        • API String ID: 2506810119-2344749142
                                                        • Opcode ID: f06bbab7877f2ab852709701138f0a58b0070fe160bcb0858d0a75ff6da0f175
                                                        • Instruction ID: 8e9346ae11fa2d77088fed990e2fbfd4c5eed24baa54eab03c84e62dcc9c8dcb
                                                        • Opcode Fuzzy Hash: f06bbab7877f2ab852709701138f0a58b0070fe160bcb0858d0a75ff6da0f175
                                                        • Instruction Fuzzy Hash: FD319EB1E00249EFCB21DB99DC819EEBBFEEB94710F14816BF80497311DA708A41DB94
                                                        APIs
                                                        • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00693A2A
                                                          • Part of subcall function 006AAB38: GetCurrentProcessId.KERNEL32(00000000,76F93530,00000000,?,?,?,?,006F5900,0069C07B,.vbs,?,?,?,?,?,007042F8), ref: 006AAB5F
                                                          • Part of subcall function 006A76B6: CloseHandle.KERNEL32(00693AB9,?,?,00693AB9,006F5324), ref: 006A76CC
                                                          • Part of subcall function 006A76B6: CloseHandle.KERNEL32($So,?,?,00693AB9,006F5324), ref: 006A76D5
                                                          • Part of subcall function 006AB61A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00699F65), ref: 006AB633
                                                        • Sleep.KERNEL32(000000FA,006F5324), ref: 00693AFC
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                        • String ID: /sort "Visit Time" /stext "$8>p
                                                        • API String ID: 368326130-645503349
                                                        • Opcode ID: 228745a5c4c4bf76ff2b22b39bcec4df896cadf12b070e6befe6b98fa84a833c
                                                        • Instruction ID: 6ace30ae1c906b046c46b55b59fb9e316f560c079023e65905014033367b4d43
                                                        • Opcode Fuzzy Hash: 228745a5c4c4bf76ff2b22b39bcec4df896cadf12b070e6befe6b98fa84a833c
                                                        • Instruction Fuzzy Hash: 1331A131A002199ACF58F7B4DC969FD777FAF91310F10016DF506AB982EF201A4ACA98
                                                        APIs
                                                          • Part of subcall function 0069A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0069A884
                                                          • Part of subcall function 0069A876: wsprintfW.USER32 ref: 0069A905
                                                          • Part of subcall function 006AA686: GetLocalTime.KERNEL32(00000000), ref: 006AA6A0
                                                        • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0069A691
                                                        • CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 0069A69D
                                                        • CreateThread.KERNEL32(00000000,00000000,006999C1,?,00000000,00000000), ref: 0069A6A9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CreateThread$LocalTime$wsprintf
                                                        • String ID: Online Keylogger Started
                                                        • API String ID: 112202259-1258561607
                                                        • Opcode ID: 2d322f576deb4660893867de99fcfb016caac04e25143d4acecdf2f641009185
                                                        • Instruction ID: bd631578041f93b280b7bbc5eeb879106dfaac5b642474f7625689498061487d
                                                        • Opcode Fuzzy Hash: 2d322f576deb4660893867de99fcfb016caac04e25143d4acecdf2f641009185
                                                        • Instruction Fuzzy Hash: 5B01D6A170060D3EEE2077788CCBCBF7EAFCA823A8F45042CF5421A942DA505D4586F6
                                                        APIs
                                                        • CloseHandle.KERNEL32(00000000,00000000,`i,?,006DA991,`i,006FDD28,0000000C), ref: 006DAAC9
                                                        • GetLastError.KERNEL32(?,006DA991,`i,006FDD28,0000000C), ref: 006DAAD3
                                                        • __dosmaperr.LIBCMT ref: 006DAAFE
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseErrorHandleLast__dosmaperr
                                                        • String ID: `i
                                                        • API String ID: 2583163307-2047566106
                                                        • Opcode ID: e942f78ec934ed8597e1f29bb5bc1490520312db2bbd91455178b9e18d3129b5
                                                        • Instruction ID: 52c8227fac55710bda0c17a5641aec7223026ba8690b22932fbd1677be803f97
                                                        • Opcode Fuzzy Hash: e942f78ec934ed8597e1f29bb5bc1490520312db2bbd91455178b9e18d3129b5
                                                        • Instruction Fuzzy Hash: F8010836E182505AD62413F46985BAD774B8B82734F2D032FF9168B3D1DE608D81C196
                                                        APIs
                                                        • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00694B26), ref: 00694B40
                                                        • CloseHandle.KERNEL32(?,?,?,?,00694B26), ref: 00694B98
                                                        • SetEvent.KERNEL32(?,?,?,?,00694B26), ref: 00694BA7
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseEventHandleObjectSingleWait
                                                        • String ID: Connection Timeout
                                                        • API String ID: 2055531096-499159329
                                                        • Opcode ID: c83ef635b5291e49f352491d10e382f913615e1aaf6ee9e9077751df3e06d204
                                                        • Instruction ID: a69138020442fa42f549d668dd81a09ef9ca1fec58ec2d3cc5f80e67257eb5cb
                                                        • Opcode Fuzzy Hash: c83ef635b5291e49f352491d10e382f913615e1aaf6ee9e9077751df3e06d204
                                                        • Instruction Fuzzy Hash: C5012831A00F459FDB26BB398C8686ABFDBEF06310340051DE2934AF20CE20D801CB56
                                                        APIs
                                                        • std::_Lockit::_Lockit.LIBCPMT ref: 0069CDC9
                                                        • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0069CE08
                                                          • Part of subcall function 006C47BD: _Yarn.LIBCPMT ref: 006C47DC
                                                          • Part of subcall function 006C47BD: _Yarn.LIBCPMT ref: 006C4800
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 0069CE2C
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                        • String ID: bad locale name
                                                        • API String ID: 3628047217-1405518554
                                                        • Opcode ID: 2d65cd61092f8a29c648d45474c364d4ed84f858ddab8259ce4adf68412be46d
                                                        • Instruction ID: 4a7fa55aa43c9c4722691d62d3e042421531583e74302e2097609e42cca37fb0
                                                        • Opcode Fuzzy Hash: 2d65cd61092f8a29c648d45474c364d4ed84f858ddab8259ce4adf68412be46d
                                                        • Instruction Fuzzy Hash: FFF04431400608DACBA4FB60D857EDA77AE9F14750B90452CF507518D2EF21AA08C698
                                                        APIs
                                                        • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 006A51F4
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ExecuteShell
                                                        • String ID: /C $cmd.exe$open
                                                        • API String ID: 587946157-3896048727
                                                        • Opcode ID: 181467edc64e7051c997d04a813b33b4cfde4b656ad995f510ea9fb3e130d37c
                                                        • Instruction ID: 81c6fce6f0e8efee5a69bfe1715cf6bc1f58ba9d0d3dff5be8d3eab4530af33b
                                                        • Opcode Fuzzy Hash: 181467edc64e7051c997d04a813b33b4cfde4b656ad995f510ea9fb3e130d37c
                                                        • Instruction Fuzzy Hash: 60E0E5B01043056E9B84F760DC95C7F77AF9E91740F10182CB54356595DF749D05C619
                                                        APIs
                                                        • TerminateThread.KERNEL32(006999A9,00000000,007042F8,pth_unenc,0069BF26,007042E0,007042F8,?,pth_unenc), ref: 0069AFC9
                                                        • UnhookWindowsHookEx.USER32(007040F8), ref: 0069AFD5
                                                        • TerminateThread.KERNEL32(00699993,00000000,?,pth_unenc), ref: 0069AFE3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: TerminateThread$HookUnhookWindows
                                                        • String ID: pth_unenc
                                                        • API String ID: 3123878439-4028850238
                                                        • Opcode ID: 52365324640d01d346a63e7ddaf7f5754d400127f330330e362faaa83ebebbca
                                                        • Instruction ID: a302774579647d5b6438499d18c70ed9c38a4581ce6e01aadf6fce083cd5e7ea
                                                        • Opcode Fuzzy Hash: 52365324640d01d346a63e7ddaf7f5754d400127f330330e362faaa83ebebbca
                                                        • Instruction Fuzzy Hash: 44E01271209356EFDB201F94ACC8869BBEFEA54396324143DF7C286554C6714C44CBA1
                                                        APIs
                                                        • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 0069143A
                                                        • GetProcAddress.KERNEL32(00000000), ref: 00691441
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressHandleModuleProc
                                                        • String ID: GetCursorInfo$User32.dll
                                                        • API String ID: 1646373207-2714051624
                                                        • Opcode ID: 7799d1d8a8fcf0ebe7e9b6545ff7a62efe9f11c00f54312656c7cfbc91c71ff7
                                                        • Instruction ID: be843aead2ba173177fef627a3e210733a10b5486fc764290c878dad30d01985
                                                        • Opcode Fuzzy Hash: 7799d1d8a8fcf0ebe7e9b6545ff7a62efe9f11c00f54312656c7cfbc91c71ff7
                                                        • Instruction Fuzzy Hash: 70B092B59493899FC7305BA0ED4D8193A26EA447023013141F342892A8CBB592209A24
                                                        APIs
                                                        • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 006914DF
                                                        • GetProcAddress.KERNEL32(00000000), ref: 006914E6
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressLibraryLoadProc
                                                        • String ID: GetLastInputInfo$User32.dll
                                                        • API String ID: 2574300362-1519888992
                                                        • Opcode ID: c4d3aef405e2c5bab83c39138287e9295ed70f829cc10d4ef3ad1b9d943cf6a8
                                                        • Instruction ID: 28100b0a433f5261dc97b1fdcb3aef0907a4373d6c0daf47b133b1ddfb047670
                                                        • Opcode Fuzzy Hash: c4d3aef405e2c5bab83c39138287e9295ed70f829cc10d4ef3ad1b9d943cf6a8
                                                        • Instruction Fuzzy Hash: D9B092F45843C89BCB201BA0FC4D8293AA6FA08742301B808F302891A8CF7442009F20
                                                        APIs
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: __alldvrm$_strrchr
                                                        • String ID:
                                                        • API String ID: 1036877536-0
                                                        • Opcode ID: 356596f341ec539a94dfe36e390bc51e19313ec426e60b5603d27ca0cdfe98ae
                                                        • Instruction ID: e224b41076c31245d5600218ec5f4829389abe2d1adfb0438c8f8004d47178b7
                                                        • Opcode Fuzzy Hash: 356596f341ec539a94dfe36e390bc51e19313ec426e60b5603d27ca0cdfe98ae
                                                        • Instruction Fuzzy Hash: E1A14772D043869FDB21CF18C8857AEBBE7EF65390F1441AFE5859B381DA388941CB50
                                                        APIs
                                                        • WriteFile.KERNEL32(?,?,?,?,00000000,?,?,00000001), ref: 0042C8FC
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3852697446.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000005.00000002.3852676846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000005.00000002.3852803469.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000005.00000002.3853277306.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000005.00000002.3853306344.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000005.00000002.3853306344.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000005.00000002.3853306344.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: FileWrite
                                                        • String ID:
                                                        • API String ID: 3934441357-0
                                                        • Opcode ID: 72ef37e3f52f69ed0ec66c4e8790f2510e5f96e623d6d1493fedeb9f51a5ca00
                                                        • Instruction ID: 8280d1e270eca7936ff5276bf182434933e20333d3727ff594148b0d188492fc
                                                        • Opcode Fuzzy Hash: 72ef37e3f52f69ed0ec66c4e8790f2510e5f96e623d6d1493fedeb9f51a5ca00
                                                        • Instruction Fuzzy Hash: 48517FB1A04268DFDB22DFA9EC80BEDBBB8FF46304F50411AE8559B252DB345A41CF15
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: 74eb5864537acb643c1f49a0ba7d1b43d7a02394567a632ece4eda0f1dd83684
                                                        • Instruction ID: e214635cb253b631cd16d8d2822dc16750254d8ece44b64a87fb593a28b37b1f
                                                        • Opcode Fuzzy Hash: 74eb5864537acb643c1f49a0ba7d1b43d7a02394567a632ece4eda0f1dd83684
                                                        • Instruction Fuzzy Hash: 5641F572E01744BFE7259F78C841BAABBEAEB85710F14452FF111DF381E6B199018784
                                                        APIs
                                                        Strings
                                                        • [Cleared browsers logins and cookies.], xrefs: 0069B8DE
                                                        • Cleared browsers logins and cookies., xrefs: 0069B8EF
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Sleep
                                                        • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                        • API String ID: 3472027048-1236744412
                                                        • Opcode ID: 8cb6aec902e224f3a9484540c380da83706bec8aade4420bd2a8be4208d7f853
                                                        • Instruction ID: 4c8747039472d064a3b2255e1b4dfe48c1d5422b2bedd8ef2ec020f5d084ba44
                                                        • Opcode Fuzzy Hash: 8cb6aec902e224f3a9484540c380da83706bec8aade4420bd2a8be4208d7f853
                                                        • Instruction Fuzzy Hash: 7F31C10024C384AACE116BB83B267EA7F8F0A97750F59A15CF8C40BB83DB4248088367
                                                        APIs
                                                          • Part of subcall function 006A265D: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,007042F8), ref: 006A2679
                                                          • Part of subcall function 006A265D: RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 006A2692
                                                          • Part of subcall function 006A265D: RegCloseKey.KERNELBASE(00000000), ref: 006A269D
                                                        • Sleep.KERNEL32(00000BB8), ref: 006A15C3
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseOpenQuerySleepValue
                                                        • String ID: @Cp$exepath$Bp
                                                        • API String ID: 4119054056-1357163166
                                                        • Opcode ID: 1d9eefdef85da2858d909c28dcd32545fc400b7c27bf018e8b806ec991810ccb
                                                        • Instruction ID: 729a2da54cca9981f6783966be3c03b31a47476db3eabb94d623b5e1a5481004
                                                        • Opcode Fuzzy Hash: 1d9eefdef85da2858d909c28dcd32545fc400b7c27bf018e8b806ec991810ccb
                                                        • Instruction Fuzzy Hash: 2421D091F003052BDA94B7786C16A7F768F8BC3300F54067DBA52DB6C3DE688D0582AD
                                                        APIs
                                                          • Part of subcall function 006AB6E6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 006AB6F6
                                                          • Part of subcall function 006AB6E6: GetWindowTextLengthW.USER32(00000000), ref: 006AB6FF
                                                          • Part of subcall function 006AB6E6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 006AB729
                                                        • Sleep.KERNEL32(000001F4), ref: 00699C95
                                                        • Sleep.KERNEL32(00000064), ref: 00699D1F
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Window$SleepText$ForegroundLength
                                                        • String ID: [ $ ]
                                                        • API String ID: 3309952895-93608704
                                                        • Opcode ID: a6e435285e5fa1e5fff0bed739503e3bb1162de60a96f0017e27fd72f13348fd
                                                        • Instruction ID: f21a8dfc85ed80f8c5aa764cd07bbc1218619a2a4d43efaeb9bbb64dc424de9b
                                                        • Opcode Fuzzy Hash: a6e435285e5fa1e5fff0bed739503e3bb1162de60a96f0017e27fd72f13348fd
                                                        • Instruction Fuzzy Hash: EF11D5315047049BCA58B734DC57AAE77AFAF52700F50042DF54317AD3EF21AB1986DA
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: e45e58370b08d8bc1d17010104812a81a3169ff9e9ee4555da577ef40a1426db
                                                        • Instruction ID: d65835eef20776945b65c421009c36253455d295a10c765c44a408959805d10f
                                                        • Opcode Fuzzy Hash: e45e58370b08d8bc1d17010104812a81a3169ff9e9ee4555da577ef40a1426db
                                                        • Instruction Fuzzy Hash: 4F012BB2A093073EE76016786CD1FA7231FDFA43B4B35072BF421A53D1DA208C054074
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID:
                                                        • API String ID:
                                                        • Opcode ID: a7f6375e415319a15f04015add6367a3038c54ae863f4ae02544cfe2dd3b8e9b
                                                        • Instruction ID: d1b56d1056202b2ee20bffdc7834f636a97b80be17534e03617d7d5edf580cd4
                                                        • Opcode Fuzzy Hash: a7f6375e415319a15f04015add6367a3038c54ae863f4ae02544cfe2dd3b8e9b
                                                        • Instruction Fuzzy Hash: 8C01D1B2E0921B7EE7601A78ACE0DA7226FDFA13B8335132BF521623D1EA308C115160
                                                        APIs
                                                        • ___BuildCatchObject.LIBVCRUNTIME ref: 006C810F
                                                          • Part of subcall function 006C805C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 006C808B
                                                          • Part of subcall function 006C805C: ___AdjustPointer.LIBCMT ref: 006C80A6
                                                        • _UnwindNestedFrames.LIBCMT ref: 006C8124
                                                        • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 006C8135
                                                        • CallCatchBlock.LIBVCRUNTIME ref: 006C815D
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                        • String ID:
                                                        • API String ID: 737400349-0
                                                        • Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                        • Instruction ID: b0bbf34b7ba0a9b2f67daf8950059b0f16308a5a6bb4ec631aa1452b365df4c3
                                                        • Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                        • Instruction Fuzzy Hash: E4012932100109BFCF225E95CC46EFB3B6AEF48754F05401CFE0866121DB32E861DBA4
                                                        APIs
                                                        • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00699F65), ref: 006AB633
                                                        • GetFileSize.KERNEL32(00000000,00000000), ref: 006AB647
                                                        • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 006AB66C
                                                        • CloseHandle.KERNEL32(00000000), ref: 006AB67A
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: File$CloseCreateHandleReadSize
                                                        • String ID:
                                                        • API String ID: 3919263394-0
                                                        • Opcode ID: 8f15901814309b6096eb3e4659b679a9de19eed83ce9aeeda77d775991a91f4f
                                                        • Instruction ID: 67b9f6ad64fa6434dd3419f6659986fc68b21963d85a0f0adbd6518f80c5a492
                                                        • Opcode Fuzzy Hash: 8f15901814309b6096eb3e4659b679a9de19eed83ce9aeeda77d775991a91f4f
                                                        • Instruction Fuzzy Hash: 64F090B1206309BFE7112B25BCC9FBF379EEB877A5F10222DFA02A6291DA614D055531
                                                        APIs
                                                        • GetSystemMetrics.USER32(0000004C), ref: 006A8519
                                                        • GetSystemMetrics.USER32(0000004D), ref: 006A851F
                                                        • GetSystemMetrics.USER32(0000004E), ref: 006A8525
                                                        • GetSystemMetrics.USER32(0000004F), ref: 006A852B
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: MetricsSystem
                                                        • String ID:
                                                        • API String ID: 4116985748-0
                                                        • Opcode ID: 2caa24e717d218fa85c4e65b129df2a06ffe37b28902badcf4f69251f59ac410
                                                        • Instruction ID: 2e1a4805e81c4188bbcd401dc30fad0ea64aa4467752a94b6b0dece882d56268
                                                        • Opcode Fuzzy Hash: 2caa24e717d218fa85c4e65b129df2a06ffe37b28902badcf4f69251f59ac410
                                                        • Instruction Fuzzy Hash: CAF0D662F043255FCB40BA784C4562FABD79FD22A0F25482EEA059B341DEB4EC064BD5
                                                        APIs
                                                        • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 006AB395
                                                        • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 006AB3A8
                                                        • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 006AB3D3
                                                        • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 006AB3DB
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: CloseHandleOpenProcess
                                                        • String ID:
                                                        • API String ID: 39102293-0
                                                        • Opcode ID: fb79fa8cfe3d9c8afe803bb76b63a4e6e1373a6636e101155adfc325625e7934
                                                        • Instruction ID: c7d18c15d51d4d3057c4130aff11f4c30c3318631845b6c8e7b44665dc9e04c7
                                                        • Opcode Fuzzy Hash: fb79fa8cfe3d9c8afe803bb76b63a4e6e1373a6636e101155adfc325625e7934
                                                        • Instruction Fuzzy Hash: 5AF07871204316ABDB0473649C8EFBBB26EDF40781F101015FA41E62A2FFB08D414B24
                                                        APIs
                                                        • __startOneArgErrorHandling.LIBCMT ref: 006D1F6D
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: ErrorHandling__start
                                                        • String ID: pow
                                                        • API String ID: 3213639722-2276729525
                                                        • Opcode ID: 10ecc8a499c5c5ecc5bb6e5ffa5a722b521e3f733a0e5fdfe3fc0f58189321d9
                                                        • Instruction ID: 646a3164e7e0467fc66495129e8a2b303cc6289b8413c48c8db55ebc3d19b05d
                                                        • Opcode Fuzzy Hash: 10ecc8a499c5c5ecc5bb6e5ffa5a722b521e3f733a0e5fdfe3fc0f58189321d9
                                                        • Instruction Fuzzy Hash: 5651AD61E0824BA6CB117B14D9513FA2BD39B41720F309D5BF0854A3E9EF75CCE1DA86
                                                        APIs
                                                        • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 006DDB59
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: Info
                                                        • String ID: $fm
                                                        • API String ID: 1807457897-4209510012
                                                        • Opcode ID: 96994821ae4e74c51c0a6f0f8620fc24a8b42591a4ef74633a9a907efef65fc7
                                                        • Instruction ID: d77302051a56cc4b2e41d3e9a01858489d9bd1636c8986ea3dbdaeab9b21f1d1
                                                        • Opcode Fuzzy Hash: 96994821ae4e74c51c0a6f0f8620fc24a8b42591a4ef74633a9a907efef65fc7
                                                        • Instruction Fuzzy Hash: 1041E9B090439C9ADB259F248C84FF6BBBFDB45308F1404EEE59A87342D275AA45DF60
                                                        APIs
                                                        • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,006E0B39,?,00000050,?,?,?,?,?), ref: 006E09B9
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID:
                                                        • String ID: ACP$OCP
                                                        • API String ID: 0-711371036
                                                        • Opcode ID: ca83622ebf514658173bb2ec0d0706996be17ee7236ce32fcc934814dff6e2ac
                                                        • Instruction ID: af5c82a8d8385a1ee67301a10a9e170e0fd25fe805b293788598d0da7fc30682
                                                        • Opcode Fuzzy Hash: ca83622ebf514658173bb2ec0d0706996be17ee7236ce32fcc934814dff6e2ac
                                                        • Instruction Fuzzy Hash: 67210662A06381A6F7308F569801BD773A7AB64B20F565864E949D7307F7B2DDC0C390
                                                        APIs
                                                        • GetLocalTime.KERNEL32(?,00703EE8,007045A8,?,?,?,?,?,?,?,006A4D7D,?,00000001,0000004C,00000000), ref: 006949F1
                                                          • Part of subcall function 006AA686: GetLocalTime.KERNEL32(00000000), ref: 006AA6A0
                                                        • GetLocalTime.KERNEL32(?,00703EE8,007045A8,?,?,?,?,?,?,?,006A4D7D,?,00000001,0000004C,00000000), ref: 00694A4E
                                                        Strings
                                                        • KeepAlive | Enabled | Timeout: , xrefs: 006949E5
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: LocalTime
                                                        • String ID: KeepAlive | Enabled | Timeout:
                                                        • API String ID: 481472006-1507639952
                                                        • Opcode ID: a373d4956dcc968f10628f06e6b0a669fddeaa2a07d5140f0ca20a34e295d621
                                                        • Instruction ID: 66d572e314044d96c70d2302bc9d029b9cee978802301b0f1f7e69040ca98cdf
                                                        • Opcode Fuzzy Hash: a373d4956dcc968f10628f06e6b0a669fddeaa2a07d5140f0ca20a34e295d621
                                                        • Instruction Fuzzy Hash: 62213B71904680AFCB50F768CC06B6A7BDF5B92314F44410DE64147661EF265A09CB9F
                                                        APIs
                                                        • GetClassInfoA.USER32(?,-0000007C,?), ref: 004384AF
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3852697446.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                        • Associated: 00000005.00000002.3852676846.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000005.00000002.3852803469.0000000000446000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000005.00000002.3853277306.0000000000454000.00000008.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000005.00000002.3853306344.0000000000483000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000005.00000002.3853306344.000000000057A000.00000002.00000001.01000000.00000003.sdmp
                                                        • Associated: 00000005.00000002.3853306344.00000000005A9000.00000002.00000001.01000000.00000003.sdmp
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_400000_IXCbn4ZcdS.jbxd
                                                        Similarity
                                                        • API ID: ClassInfo
                                                        • String ID: Afx:%p:%x$Afx:%p:%x:%p:%p:%p
                                                        • API String ID: 3534257612-2801496823
                                                        • Opcode ID: dbe3cc86fff193af0684558f81ef42c515353e085cb2aed473aa4667f0f1f147
                                                        • Instruction ID: b8301b33258d6b108bdec7fe8fd4c628fef138bfb49540b2024fb64cfbea2f2c
                                                        • Opcode Fuzzy Hash: dbe3cc86fff193af0684558f81ef42c515353e085cb2aed473aa4667f0f1f147
                                                        • Instruction Fuzzy Hash: 2721307190020AAF9B10EFA5D8419DFBBB8EE59354F00402FF904E3201E7789951CBA9
                                                        APIs
                                                        • GetProcAddress.KERNEL32(00000000,?), ref: 006D71D4
                                                        • __crt_fast_encode_pointer.LIBVCRUNTIME ref: 006D71E1
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: AddressProc__crt_fast_encode_pointer
                                                        • String ID: Bp
                                                        • API String ID: 2279764990-1987823655
                                                        • Opcode ID: c630ced5a5e3b47cf66a59cc8388d5dcaf662ae9601a9b2b2fe9020e1cfc1db3
                                                        • Instruction ID: 5a6e3359aee0bae3ce3331d1d6794d566eeb83d2d62412bb0ca75de5762e72c5
                                                        • Opcode Fuzzy Hash: c630ced5a5e3b47cf66a59cc8388d5dcaf662ae9601a9b2b2fe9020e1cfc1db3
                                                        • Instruction Fuzzy Hash: 4711AB33E045659BDB229F59DC40A9A7357AB81360B1A8322FD15EB344EA30DD0186E5
                                                        APIs
                                                        • GetLocalTime.KERNEL32(00000000), ref: 006AA6A0
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: LocalTime
                                                        • String ID: | $%02i:%02i:%02i:%03i
                                                        • API String ID: 481472006-2430845779
                                                        • Opcode ID: 1c8086262773fd6d59654dccd0bce15f663f47631c2ae8b4e3a306f08231fd32
                                                        • Instruction ID: 397401ea122245ddb7fa4e2b27958090dbec1b2ef3e10a09ecb5141a7ec4d194
                                                        • Opcode Fuzzy Hash: 1c8086262773fd6d59654dccd0bce15f663f47631c2ae8b4e3a306f08231fd32
                                                        • Instruction Fuzzy Hash: 7711B2725082059BCB44FBA0D8528BF73EEAF95700F10452EFD86C6591EF34DA48C75A
                                                        APIs
                                                        • IsProcessorFeaturePresent.KERNEL32(00000017), ref: 006C419B
                                                        • ___raise_securityfailure.LIBCMT ref: 006C4282
                                                        Strings
                                                        Memory Dump Source
                                                        • Source File: 00000005.00000002.3857687069.0000000000690000.00000040.00000400.00020000.00000000.sdmp, Offset: 00690000, based on PE: true
                                                        Joe Sandbox IDA Plugin
                                                        • Snapshot File: hcaresult_5_2_690000_IXCbn4ZcdS.jbxd
                                                        Yara matches
                                                        Similarity
                                                        • API ID: FeaturePresentProcessor___raise_securityfailure
                                                        • String ID: Bp
                                                        • API String ID: 3761405300-1987823655
                                                        • Opcode ID: 1c89b8f21dc76f7a7b9c475e66fa8429861c9284d270b1032a676f4bb1182da7
                                                        • Instruction ID: 4cace193035350334ff59136a6f19e1c7cad14a0239ecfbed3e7a3731c102b42
                                                        • Opcode Fuzzy Hash: 1c89b8f21dc76f7a7b9c475e66fa8429861c9284d270b1032a676f4bb1182da7
                                                        • Instruction Fuzzy Hash: 9A21D5B5500300DEE740EF55F956B503BA5FB48324F14CA2AE908A73A0DFB9A981CB98
                                                        APIs
                                                        • PathFileExistsW.SHLWAPI(00000000), ref: 006A9EAE
                                                        • API ID: ExistsFilePath
                                                        • String ID: alarm.wav$xIp
                                                        • API String ID: 1174141254-1267125726
                                                        • Opcode ID: ede98d83993f90f569cd16840418d738c8fd21ee7b117d16645a54a6ec7c8499
                                                        • Instruction ID: 683c3b6158d8c90105b785c8ca2990bd9b2679b2054fc3468f334e8d7b749087
                                                        • Opcode Fuzzy Hash: ede98d83993f90f569cd16840418d738c8fd21ee7b117d16645a54a6ec7c8499
                                                        • Instruction Fuzzy Hash: F801F51060820657CF44F674C856AAE778B4F83754F60012DF9964BAD2EF605E45C6EB
                                                        APIs
                                                          • Part of subcall function 0069A876: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0069A884
                                                          • Part of subcall function 0069A876: wsprintfW.USER32 ref: 0069A905
                                                          • Part of subcall function 006AA686: GetLocalTime.KERNEL32(00000000), ref: 006AA6A0
                                                        • CloseHandle.KERNEL32(?), ref: 0069A7CA
                                                        • UnhookWindowsHookEx.USER32 ref: 0069A7DD
                                                        • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                        • String ID: Online Keylogger Stopped
                                                        • API String ID: 1623830855-1496645233
                                                        • Opcode ID: dbfd4454a5a5adb1d62821dcbf68b6be1d65bf044d7d6be9794b3ae57c2e7f72
                                                        • Instruction ID: 0ebe420ae652c2b6839e996a8c11b7a642e038a0de711fc6bd11dbfd37234cf1
                                                        • Opcode Fuzzy Hash: dbfd4454a5a5adb1d62821dcbf68b6be1d65bf044d7d6be9794b3ae57c2e7f72
                                                        • Instruction Fuzzy Hash: C5012435A046099BCF257BA8C80B3FDBBFB5B42310FA0000CE5421A992DB615946C7D7
                                                        APIs
                                                        • waveInPrepareHeader.WINMM(?,00000020,?,?,00000000,00705B70,00703EE8,?,00000000,00691913), ref: 00691747
                                                        • waveInAddBuffer.WINMM(?,00000020,?,00000000,00691913), ref: 0069175D
                                                        • API ID: wave$BufferHeaderPrepare
                                                        • String ID: T=p
                                                        • API String ID: 2315374483-2920900348
                                                        • Opcode ID: c6d2dc3c1ffe8c35c14b0213f26a49932420b354729514e5f33a86705efc67fb
                                                        • Instruction ID: 6841f54515f1a8427179e6d70c531f40c4391b779404300fc3626b094baf6c3e
                                                        • Opcode Fuzzy Hash: c6d2dc3c1ffe8c35c14b0213f26a49932420b354729514e5f33a86705efc67fb
                                                        • Instruction Fuzzy Hash: 9601A2B1301305EFDB409F24EC85A65BBBEFB49354B11823AB504CB7A1DF346C148B98
                                                        APIs
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 006C3DE7
                                                          • Part of subcall function 006C7BD7: RaiseException.KERNEL32(?,?,?,>l,00000000,00000000,?,?,?,?,?,Bp,006C3E09,?,006FD5EC), ref: 006C7C37
                                                        • __CxxThrowException@8.LIBVCRUNTIME ref: 006C3E04
                                                        • API ID: Exception@8Throw$ExceptionRaise
                                                        • String ID: Bp
                                                        • API String ID: 3476068407-1987823655
                                                        • Opcode ID: b77d8254ad4a998c5945f139c6a7b1773dba9d9d39ae5ca410c043b15549fd58
                                                        • Instruction ID: 8d7941ce80087b75e31c2c90b844c75afb196d2beaf374552bc64fb11cbf6b6e
                                                        • Opcode Fuzzy Hash: b77d8254ad4a998c5945f139c6a7b1773dba9d9d39ae5ca410c043b15549fd58
                                                        • Instruction Fuzzy Hash: 0FF0903480420D768B04BAA5E81AEFD772FCE00310B10C22DBA25916E1EF70FB4A89D9
                                                        APIs
                                                        • IsValidLocale.KERNEL32(00000000,j=m,00000000,00000001,?,?,006D3D6A,?,?,?,?,00000004), ref: 006D77DC
                                                        • API ID: LocaleValid
                                                        • String ID: IsValidLocaleName$j=m
                                                        • API String ID: 1901932003-4174365751
                                                        • Opcode ID: 02096d0328381f279be748944a6c36989da7f7e92d65aa5931b2c12e2d426f47
                                                        • Instruction ID: e39b891b833eb711660eabb3bf05a5815dc2a0506019e4c95e588b287c2f91f5
                                                        • Opcode Fuzzy Hash: 02096d0328381f279be748944a6c36989da7f7e92d65aa5931b2c12e2d426f47
                                                        • Instruction Fuzzy Hash: 57F05930A4531CF7CB106B20DC06FAD7B97CB04B10F008169BC04AA3C1EE715E0092D9
                                                        APIs
                                                        • API ID: H_prolog
                                                        • String ID: T=p$T=p
                                                        • API String ID: 3519838083-1976066529
                                                        • Opcode ID: 1904208ad9e6e3b54ceb94b03861843eb941ebaca83aa93cdcf3ca28cb0e5d97
                                                        • Instruction ID: 3cc982f6898d8bb8f06e8bd7ea947861abe75f8d7945eae24cbadb8963437cb5
                                                        • Opcode Fuzzy Hash: 1904208ad9e6e3b54ceb94b03861843eb941ebaca83aa93cdcf3ca28cb0e5d97
                                                        • Instruction Fuzzy Hash: 1AF0E971B00212BBCF54AB65C80269EB7BEEF52364F10427EB012AB790CB754D04D699
                                                        APIs
                                                        • GetKeyState.USER32(00000011), ref: 0069AD5B
                                                          • Part of subcall function 00699B10: GetForegroundWindow.USER32(?,?,007040F8), ref: 00699B3F
                                                          • Part of subcall function 00699B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00699B4B
                                                          • Part of subcall function 00699B10: GetKeyboardLayout.USER32(00000000), ref: 00699B52
                                                          • Part of subcall function 00699B10: GetKeyState.USER32(00000010), ref: 00699B5C
                                                          • Part of subcall function 00699B10: GetKeyboardState.USER32(?,?,007040F8), ref: 00699B67
                                                          • Part of subcall function 00699B10: ToUnicodeEx.USER32(0070414C,?,?,?,00000010,00000000,00000000), ref: 00699B8A
                                                          • Part of subcall function 00699B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00699BE3
                                                          • Part of subcall function 00699D58: SetEvent.KERNEL32(?,?,00000000,0069A91C,00000000), ref: 00699D84
                                                        • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                        • String ID: [AltL]$[AltR]
                                                        • API String ID: 2738857842-2658077756
                                                        • Opcode ID: c7143f9f967844ed5fc7397ade80fc420b569bcb4255cc9107102cb73fbebfe5
                                                        • Instruction ID: 872ba9be1a150671d6b1db44ca10f974e8d153d83fd64b1a875cc07767fb813a
                                                        • Opcode Fuzzy Hash: c7143f9f967844ed5fc7397ade80fc420b569bcb4255cc9107102cb73fbebfe5
                                                        • Instruction Fuzzy Hash: B0E09B31341A2917CCD8327DAA2F5FD395B8F42B61B80014DF5424FE99DD454E4843D7
                                                        APIs
                                                        • _free.LIBCMT ref: 006D8825
                                                          • Part of subcall function 006D6AC5: HeapFree.KERNEL32(00000000,00000000,Bp,006DFA50,?,00000000,?,00000000,Bp,006DFCF4,?,00000007,?,Bp,006E0205,?), ref: 006D6ADB
                                                          • Part of subcall function 006D6AC5: GetLastError.KERNEL32(?), ref: 006D6AED
                                                        • API ID: ErrorFreeHeapLast_free
                                                        • String ID: `i$`i
                                                        • API String ID: 1353095263-430859523
                                                        • Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                        • Instruction ID: 80d2ea265ea50cb1085b19f0c48a7212aecc04695a1bb6817827babcf1c969f9
                                                        • Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                        • Instruction Fuzzy Hash: 69E092765003059F8720CF6CD400A82B7F5EF94360324853AF89ED3310D732E812CB40
                                                        APIs
                                                        • GetKeyState.USER32(00000012), ref: 0069ADB5
                                                        • API ID: State
                                                        • String ID: [CtrlL]$[CtrlR]
                                                        • API String ID: 1649606143-2446555240
                                                        • Opcode ID: 7d29597bc66ed68b83a91c3e6c32e9bda0318814b6b2f7bd68cc3eac027bb103
                                                        • Instruction ID: 6e392dbf60194974619b1ff73c38e0318529b7fe485253c06a11e9fad77e9742
                                                        • Opcode Fuzzy Hash: 7d29597bc66ed68b83a91c3e6c32e9bda0318814b6b2f7bd68cc3eac027bb103
                                                        • Instruction Fuzzy Hash: 29E04F31600B1A17CD54357D961E5BD299B8F42766F80010DE9434BEC5DA454E4822D7
                                                        APIs
                                                        • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0069BFB2,00000000,007042E0,007042F8,?,pth_unenc), ref: 006A2988
                                                        • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 006A2998
                                                        Strings
                                                        • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 006A2986
                                                        • API ID: DeleteOpenValue
                                                        • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                        • API String ID: 2654517830-1051519024
                                                        • Opcode ID: c412ac5abf569dfaf0acbc6346b2ab07df5bb4da260593c7187cc1f48fd30e95
                                                        • Instruction ID: 7e74dc40554060420884ad63c4aa0d0ead54d1357f0eb1cc5cbe41044c2dc242
                                                        • Opcode Fuzzy Hash: c412ac5abf569dfaf0acbc6346b2ab07df5bb4da260593c7187cc1f48fd30e95
                                                        • Instruction Fuzzy Hash: F7E01270640305BBEF106F61EC46FDB37ADBB41B88F005154F505EA190E271DE05AA50
                                                        APIs
                                                        • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0069AF84
                                                        • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0069AFAF
                                                        • API ID: DeleteDirectoryFileRemove
                                                        • String ID: pth_unenc
                                                        • API String ID: 3325800564-4028850238
                                                        • Opcode ID: 144031d2b74f4fe626e151a91734ed4496b4cd3dd35d762dbd907b3ce4c79b31
                                                        • Instruction ID: abe1af1dc2e969fb30e058aeaef0eb7d306274260a5b5427b174e67e943bf21b
                                                        • Opcode Fuzzy Hash: 144031d2b74f4fe626e151a91734ed4496b4cd3dd35d762dbd907b3ce4c79b31
                                                        • Instruction Fuzzy Hash: D1E08C714143108FCB54AB70DC84AEBB79EBF06311F00591FF9D397A60DE249A48C794
                                                        APIs
                                                        • TerminateProcess.KERNEL32(00000000,pth_unenc,0069E670), ref: 006A16A9
                                                        • WaitForSingleObject.KERNEL32(000000FF), ref: 006A16BC
                                                        • API ID: ObjectProcessSingleTerminateWait
                                                        • String ID: pth_unenc
                                                        • API String ID: 1872346434-4028850238
                                                        • Opcode ID: c942b713f4c6eb6ec7650989dd3d4f56cd7e4f98025921d66ec83a9a0be2090f
                                                        • Instruction ID: 8570f91de0c6067fff70fabf2464cd78e71eb3469d999296945c1ae61cc3ea7d
                                                        • Opcode Fuzzy Hash: c942b713f4c6eb6ec7650989dd3d4f56cd7e4f98025921d66ec83a9a0be2090f
                                                        • Instruction Fuzzy Hash: 3BD0C938659251DFD7414B60AC48B453A6AA705326F90D306F920453F0CB294464AA18
                                                        APIs
                                                        • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00691AD8), ref: 006CFAF4
                                                        • GetLastError.KERNEL32 ref: 006CFB02
                                                        • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 006CFB5D
                                                        • API ID: ByteCharMultiWide$ErrorLast
                                                        • String ID:
                                                        • API String ID: 1717984340-0
                                                        • Opcode ID: 9c0bad31fc79e202073058514d95c69798cbaeccdd31ac451ee7987849c33064
                                                        • Instruction ID: 931b0c91853be4232e687070b521ef7077c69bf80f3047977d27713c2d67d199
                                                        • Opcode Fuzzy Hash: 9c0bad31fc79e202073058514d95c69798cbaeccdd31ac451ee7987849c33064
                                                        • Instruction Fuzzy Hash: E041AF31A04256AFCB258F64C894FFABBA7EF05320F1545BDF8599B2A5EB308D01C761