Windows Analysis Report
17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe

Overview

General Information

Sample name: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe
Analysis ID: 1585997
MD5: ea495dd5eeb51bc22024728189eec9f5
SHA1: 16a1cfe7a570d466ac4ee04ccc1cb0e99a3d7f1d
SHA256: c64be040beacfa41be4b8280b4b02a7cfd5d4d81a75bc94e81d0848b7baa2f4f
Tags: base64-decoded, exe, user-abuse_ch

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Contains functionality to bypass UAC (CMSTPLUA)
Detected Remcos RAT
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: Remcos
Suricata IDS alerts for network traffic
Yara detected Remcos RAT
Yara detected UAC Bypass using CMSTP
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Contains functionality to register a low level keyboard hook
Contains functionality to steal Chrome passwords or cookies
Contains functionality to steal Firefox passwords or cookies
Contains functionality to change the wallpaper
Delayed program exit found
Installs a global keyboard hook
Machine Learning detection for sample
Abnormal high CPU Usage
Contains functionality to read data from the clipboard
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to download and launch executables
Contains functionality to dynamically determine API calls
Contains functionality to enumerate processes and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to enumerate running services
Contains functionality to launch and control a shell (cmd.exe)
Contains functionality to modify clipboard data
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality to read the PEB
Contains functionality to read the clipboard data
Contains functionality to retrieve information about pressed keystrokes
Contains functionality to shutdown / reboot the system
Contains functionality to simulate mouse events
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses code obfuscation techniques (call, push, ret)
Yara detected Keylogger Generic
Yara signature match

Classification

  • System is w10x64
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
  • UAC-0050
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": ["municipioalcidiadechicamocha.ddnsgeek.com:1997:1"], "Assigned name": "07-01-25", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-I3QM17", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source | Rule | Description | Author | Strings
17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x6aaf8:$a1: Remcos restarted by watchdog!
  • 0x6b070:$a3: %02i:%02i:%02i:%03i
17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | REMCOS_RAT_variants | unknown | unknown |
  • 0x64d94:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64e04:$str_b2: Executing file:
  • 0x65c3c:$str_b3: GetDirectListeningPort
  • 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65780:$str_b7: \update.vbs
  • 0x64e2c:$str_b9: Downloaded file:
  • 0x64e18:$str_b10: Downloading file:
  • 0x64ebc:$str_b12: Failed to upload file:
  • 0x65c04:$str_b13: StartForward
  • 0x65c24:$str_b14: StopForward
  • 0x656d8:$str_b15: fso.DeleteFile "
  • 0x6566c:$str_b16: On Error Resume Next
  • 0x65708:$str_b17: fso.DeleteFolder "
  • 0x64eac:$str_b18: Uploaded file:
  • 0x64e6c:$str_b19: Unable to delete:
  • 0x656a0:$str_b20: while fso.FileExists("
  • 0x65349:$str_c0: [Firefox StoredLogins not found]
Source | Rule | Description | Author | Strings
C:\ProgramData\remcos\logs.dat | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
Source | Rule | Description | Author | Strings
00000000.00000002.4473586206.00000000023EF000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000000.00000002.4473372206.00000000008A0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000000.00000000.2024475770.0000000000457000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
00000000.00000000.2024475770.0000000000457000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000000.00000000.2024475770.0000000000457000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
Source | Rule | Description | Author | Strings
0.2.17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe.400000.0.unpack | JoeSecurity_Keylogger_Generic | Yara detected Keylogger Generic | Joe Security |
0.2.17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe.400000.0.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
0.2.17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe.400000.0.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
0.2.17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe.400000.0.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x6aaf8:$a1: Remcos restarted by watchdog!
  • 0x6b070:$a3: %02i:%02i:%02i:%03i
0.2.17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe.400000.0.unpack | REMCOS_RAT_variants | unknown | unknown |
  • 0x64d94:$str_a1: C:\Windows\System32\cmd.exe
  • 0x64d10:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x64d10:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x65210:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x65810:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x64e04:$str_b2: Executing file:
  • 0x65c3c:$str_b3: GetDirectListeningPort
  • 0x65600:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x65780:$str_b7: \update.vbs
  • 0x64e2c:$str_b9: Downloaded file:
  • 0x64e18:$str_b10: Downloading file:
  • 0x64ebc:$str_b12: Failed to upload file:
  • 0x65c04:$str_b13: StartForward
  • 0x65c24:$str_b14: StopForward
  • 0x656d8:$str_b15: fso.DeleteFile "
  • 0x6566c:$str_b16: On Error Resume Next
  • 0x65708:$str_b17: fso.DeleteFolder "
  • 0x64eac:$str_b18: Uploaded file:
  • 0x64e6c:$str_b19: Unable to delete:
  • 0x656a0:$str_b20: while fso.FileExists("
  • 0x65349:$str_c0: [Firefox StoredLogins not found]

Stealing of Sensitive Information

Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, ProcessId: 4996, TargetFilename: C:\ProgramData\remcos\logs.dat

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2025-01-08T15:59:00.009322+0100 | 2036594 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 179.15.136.6 | 1997 | TCP
2025-01-08T15:59:01.305694+0100 | 2803304 | 3 | Unknown Traffic | 192.168.2.5 | 49705 | 178.237.33.50 | 80 | TCP
2025-01-08T15:58:59.136855+0100 | 2834936 | 1 | A Network Trojan was detected | 192.168.2.5 | 55649 | 1.1.1.1 | 53 | UDP


AV Detection

Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Avira: detected
Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Malware Configuration Extractor: Remcos {"Host:Port:Password": ["municipioalcidiadechicamocha.ddnsgeek.com:1997:1"], "Assigned name": "07-01-25", "Connect interval": "1", "Install flag": "Disable", "Setup HKCU\\Run": "Enable", "Setup HKLM\\Run": "Enable", "Install path": "Application path", "Copy file": "remcos.exe", "Startup value": "Disable", "Hide file": "Disable", "Mutex": "Rmc-I3QM17", "Keylog flag": "1", "Keylog path": "Application path", "Keylog file": "logs.dat", "Keylog crypt": "Disable", "Hide keylog file": "Disable", "Screenshot flag": "Disable", "Screenshot time": "1", "Take Screenshot option": "Disable", "Take screenshot title": "", "Take screenshot time": "5", "Screenshot path": "AppData", "Screenshot file": "Screenshots", "Screenshot crypt": "Disable", "Mouse option": "Disable", "Delete file": "Disable", "Audio record time": "5", "Audio folder": "MicRecords", "Connect delay": "0", "Copy folder": "Remcos", "Keylog folder": "remcos"}
Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | ReversingLabs: Detection: 71%
Source: Yara match | File source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4473586206.00000000023EF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4473372206.00000000008A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2024475770.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4473372206.000000000085E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe PID: 4996, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_0043294A CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,0_2_0043294A
Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: -----BEGIN PUBLIC KEY-----

Exploits

Source: Yara match | File source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2024475770.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe PID: 4996, type: MEMORYSTR

Privilege Escalation

Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_00406764 _wcslen,CoGetObject,0_2_00406764
Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,0_2_0040B335
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_0041B43F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose,0_2_0041B43F
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,0_2_0040B53A
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_0044D5F9 FindFirstFileExA,0_2_0044D5F9
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8,0_2_004089A9
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_00406AC2 FindFirstFileW,FindNextFileW,0_2_00406AC2
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8,0_2_00407A8C
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_00418C79 FindFirstFileW,FindNextFileW,FindNextFileW,0_2_00418C79
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,0_2_00408DA7
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,0_2_00406F06

Networking

Source: Network traffic | Suricata IDS: 2834936 - Severity 1 - ETPRO MALWARE Observed DNS Query to Abused DDNS (ddnsgeek .com) : 192.168.2.5:55649 -> 1.1.1.1:53
Source: Network traffic | Suricata IDS: 2036594 - Severity 1 - ET JA3 Hash - Remcos 3.x/4.x TLS Connection : 192.168.2.5:49704 -> 179.15.136.6:1997
Source: Malware configuration extractor | URLs: municipioalcidiadechicamocha.ddnsgeek.com
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 179.15.136.6:1997
Source: global traffic | HTTP traffic detected:
  GET /json.gp HTTP/1.1
  Host: geoplugin.net
  Cache-Control: no-cache
Source: Joe Sandbox View | IP Address: 178.237.33.50
Source: Joe Sandbox View | ASN Name: ColombiaMovilCO
Source: Network traffic | Suricata IDS: 2803304 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern HCa : 192.168.2.5:49705 -> 178.237.33.50:80
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_00426107 recv,0_2_00426107
Source: global traffic | DNS traffic detected: DNS query: municipioalcidiadechicamocha.ddnsgeek.com
Source: global traffic | DNS traffic detected: DNS query: geoplugin.net
Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000003.2046697094.00000000008C3000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/
Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000003.2046697094.00000000008A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp
Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | String found in binary or memory: http://geoplugin.net/json.gp/C
Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000002.4473372206.00000000008A0000.00000004.00000020.00020000.00000000.sdmp, 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000003.2046697094.00000000008A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp4
Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000002.4473372206.00000000008A0000.00000004.00000020.00020000.00000000.sdmp, 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000003.2046697094.00000000008A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gp8#G
Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000002.4473372206.00000000008A0000.00000004.00000020.00020000.00000000.sdmp, 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000003.2046697094.00000000008A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpF#
Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000002.4473372206.00000000008A0000.00000004.00000020.00020000.00000000.sdmp, 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000003.2046697094.00000000008A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpJ
Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000002.4473372206.000000000085E000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpSystem32
Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000002.4473372206.00000000008A0000.00000004.00000020.00020000.00000000.sdmp, 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000003.2046697094.00000000008A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpg
Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000002.4473372206.00000000008A0000.00000004.00000020.00020000.00000000.sdmp, 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000003.2046697094.00000000008A0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://geoplugin.net/json.gpr&

Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_004099E4 SetWindowsHookExA 0000000D,004099D0,00000000,0_2_004099E4
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Windows user hook set: 0 keyboard low level C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_004159C6 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,0_2_004159C6
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_00409B10 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,ToUnicodeEx,0_2_00409B10
Source: Yara match | File source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000000.2024475770.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe PID: 4996, type: MEMORYSTR

E-Banking Fraud

Source: Yara match | File source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4473586206.00000000023EF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4473372206.00000000008A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2024475770.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4473372206.000000000085E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe PID: 4996, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED

Spam, unwanted Advertisements and Ransom Demands

Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_0041BB87 SystemParametersInfoW,0_2_0041BB87

System Summary

                          barindex
                          Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
                          Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants | Author: unknown
                          Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, type: SAMPLE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
                          Source: 0.2.17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
                          Source: 0.2.17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
                          Source: 0.2.17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
                          Source: 0.0.17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
                          Source: 0.0.17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Author: unknown
                          Source: 0.0.17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | Author: ditekSHen
                          Source: 00000000.00000000.2024475770.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
                          Source: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
                          Source: Process Memory Space: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe PID: 4996, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 | Author: unknown
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Process Stats: CPU usage > 49%
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_0041ACD1 OpenProcess,NtSuspendProcess,CloseHandle | 0_2_0041ACD1
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_0041ACFD OpenProcess,NtResumeProcess,CloseHandle | 0_2_0041ACFD
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_004158B9 ExitWindowsEx,LoadLibraryA,GetProcAddress | 0_2_004158B9
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_004520E2 | 0_2_004520E2
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_0041D081 | 0_2_0041D081
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_0043D0A8 | 0_2_0043D0A8
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_00437160 | 0_2_00437160
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_004361BA | 0_2_004361BA
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_00426264 | 0_2_00426264
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_00431387 | 0_2_00431387
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_0043652C | 0_2_0043652C
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_0041E5EF | 0_2_0041E5EF
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_0044C749 | 0_2_0044C749
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_004367D6 | 0_2_004367D6
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_004267DB | 0_2_004267DB
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_0043C9ED | 0_2_0043C9ED
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_00432A59 | 0_2_00432A59
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_00436A9D | 0_2_00436A9D
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_0043CC1C | 0_2_0043CC1C
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_00436D58 | 0_2_00436D58
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_00434D32 | 0_2_00434D32
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_0043CE4B | 0_2_0043CE4B
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_00440E30 | 0_2_00440E30
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_00426E83 | 0_2_00426E83
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_00412F45 | 0_2_00412F45
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_00452F10 | 0_2_00452F10
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_00426FBD | 0_2_00426FBD
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: String function: 00401F66 appears 50 times
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: String function: 004020E7 appears 40 times
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: String function: 004338B5 appears 42 times
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: String function: 00433FC0 appears 55 times
                          Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE
                          Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, type: SAMPLE | Matched rule: Windows_Trojan_Remcos_b296e965 | reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                          Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, type: SAMPLE | Matched rule: REMCOS_RAT_variants | Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                          Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, type: SAMPLE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                          Source: 0.2.17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                          Source: 0.2.17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                          Source: 0.2.17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                          Source: 0.0.17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: Windows_Trojan_Remcos_b296e965 | reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                          Source: 0.0.17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: REMCOS_RAT_variants | Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
                          Source: 0.0.17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE | Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | author = ditekSHen, description = Detects Windows executables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
                          Source: 00000000.00000000.2024475770.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                          Source: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Remcos_b296e965 | reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
                          Source: Process Memory Space: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe PID: 4996, type: MEMORYSTR | Matched rule: Windows_Trojan_Remcos_b296e965 | reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
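                          The INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM hits above fire on the identifiers a binary must carry in order to drive the CMSTPLUA COM server through the COM elevation moniker (T1218.003). The Python below is an added example, not part of this Joe Sandbox report and not ditekSHen's rule: it scans a byte blob for the CMSTPLUA CLSID and the ICMLuaUtil IID in the three forms they normally take inside a compiled PE (ASCII text, UTF-16LE text, and the raw 16-byte GUID structure that a CoGetObject call site references from .rdata), plus the `Elevation:Administrator!new:` moniker prefix. The two GUID values are publicly documented constants supplied by me; they are not printed on this page, and the registry CLSID the report shows being queried later is a different object. The sample buffers are constructed.

```python
import re
import uuid

# Publicly documented COM identifiers behind the CMSTPLUA UAC bypass (T1218.003):
# the CLSID of the CMSTPLUA server and the IID of its ICMLuaUtil interface.
# Supplied here as known constants; neither value appears in the report itself.
CMSTPLUA_CLSID = uuid.UUID("3E5FC7F9-9A51-4367-9063-A120244FBEC7")
ICMLUAUTIL_IID = uuid.UUID("6EDD6D74-C007-4E75-B76A-E5740995E24C")
# Prefix of the COM elevation moniker passed to CoGetObject to request an elevated instance.
ELEVATION_MONIKER = "Elevation:Administrator!new:"


def _text_patterns(text: str) -> dict:
    """Byte patterns for a string as an ASCII literal and as a UTF-16LE (wide) literal."""
    return {
        "ascii": re.compile(re.escape(text.encode("ascii")), re.IGNORECASE),
        "utf-16le": re.compile(re.escape(text.encode("utf-16-le")), re.IGNORECASE),
    }


def _guid_patterns(guid: uuid.UUID) -> dict:
    """Text forms of a GUID plus the 16-byte little-endian struct a compiler emits for a GUID constant."""
    patterns = _text_patterns("{%s}" % guid)
    patterns["binary"] = re.compile(re.escape(guid.bytes_le))
    return patterns


INDICATORS = {
    "cmstplua_clsid": _guid_patterns(CMSTPLUA_CLSID),
    "icmluautil_iid": _guid_patterns(ICMLUAUTIL_IID),
    "elevation_moniker": _text_patterns(ELEVATION_MONIKER),
}


def find_cmstplua_indicators(blob: bytes) -> dict:
    """Return {indicator: {encoding: [offsets]}} for every occurrence found in blob."""
    found = {}
    for name, encodings in INDICATORS.items():
        for encoding, pattern in encodings.items():
            offsets = [m.start() for m in pattern.finditer(blob)]
            if offsets:
                found.setdefault(name, {})[encoding] = offsets
    return found


def cmstplua_verdict(blob: bytes) -> str:
    """'likely' when the CMSTPLUA CLSID and the elevation moniker are both present,
    'suspicious' when only some of the identifiers are present, otherwise 'none'."""
    hits = find_cmstplua_indicators(blob)
    if "cmstplua_clsid" in hits and "elevation_moniker" in hits:
        return "likely"
    return "suspicious" if hits else "none"


# Constructed stand-in for a slice of a suspicious binary's .rdata: a wide-string
# moniker naming the CMSTPLUA CLSID, then the ICMLuaUtil IID as a raw GUID struct.
MONIKER_LITERAL = ("%s{%s}" % (ELEVATION_MONIKER, str(CMSTPLUA_CLSID).upper())).encode("utf-16-le")
SAMPLE_SUSPICIOUS = b"\x00" * 16 + MONIKER_LITERAL + b"\x00" * 8 + ICMLUAUTIL_IID.bytes_le + b"\x00" * 16
# Constructed benign slice: a DOS stub message and padding only.
SAMPLE_BENIGN = b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n" + b"\x00" * 32

if __name__ == "__main__":
    for label, blob in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, cmstplua_verdict(blob), find_cmstplua_indicators(blob))
```

                          To scan a real file, pass `open(path, "rb").read()` to `find_cmstplua_indicators`. The binary GUID form matters because a call site that builds the moniker at runtime, or passes the CLSID straight to CoCreateInstance, leaves no textual GUID for a string-only check to find; a hit on the raw struct alone is reported as "suspicious", not "likely", since the same struct can also appear in legitimate software that talks to the connection manager.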
                          Source: classification engine | Classification label: mal100.rans.troj.spyw.expl.evad.winEXE@1/2@2/2
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_00416AB7 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError | 0_2_00416AB7
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_0040E219 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CloseHandle | 0_2_0040E219
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_0041A64F FindResourceA,LoadResource,LockResource,SizeofResource | 0_2_0041A64F
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_00419BD4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle | 0_2_00419BD4
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\T9RRWRNL\json[1].json
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Mutant created: \Sessions\1\BaseNamedObjects\Rmc-I3QM17
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: XCG | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: XCG | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: Software\ | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: Rmc-I3QM17 | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: Exe | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: Exe | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: Rmc-I3QM17 | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: 0DG | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: Inj | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: Inj | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: XCG | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: XCG | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: XCG | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: BG | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: BG | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: BG | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: @CG | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: BG | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: exepath | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: XCG | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: @CG | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: exepath | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: BG | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: XCG | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: licence | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: XCG | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: XCG | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: XCG | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: XCG | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: XCG | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: XCG | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: XCG | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: `=G | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: XCG | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: XCG | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: dCG | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: Administrator | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: User | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: del | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: del | 0_2_0040D767
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Command line argument: del | 0_2_0040D767
                          Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                          Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | ReversingLabs: Detection: 71%
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Section loaded: apphelp.dll
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Section loaded: winmm.dll
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Section loaded: urlmon.dll
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Section loaded: wininet.dll
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Section loaded: iertutil.dll
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Section loaded: srvcli.dll
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Section loaded: netutils.dll
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Section loaded: iphlpapi.dll
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Section loaded: sspicli.dll
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Section loaded: mswsock.dll
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Section loaded: dnsapi.dll
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Section loaded: rasadhlp.dll
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Section loaded: fwpuclnt.dll
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Section loaded: cryptsp.dll
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Section loaded: rsaenh.dll
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Section loaded: cryptbase.dll
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Section loaded: windows.storage.dll
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Section loaded: wldp.dll
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Section loaded: profapi.dll
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Section loaded: kernel.appcore.dll
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Section loaded: ondemandconnroutehelper.dll
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Section loaded: winhttp.dll
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Section loaded: winnsi.dll
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
                          Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
                          Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
                          Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
                          Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                          Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
                          Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT
                          Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
                          Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
                          Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
                          Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
                          Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
                          Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_0041BCF3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress | 0_2_0041BCF3
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_00434006 push ecx; ret | 0_2_00434019
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_004567F0 push eax; ret | 0_2_0045680E
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_00455EBF push ecx; ret | 0_2_00455ED2
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_00406128 ShellExecuteW,URLDownloadToFileW | 0_2_00406128
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_00419BD4 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle | 0_2_00419BD4
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exeCode function: 0_2_0041BCF3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,0_2_0041BCF3
                          Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

                          Malware Analysis System Evasion

Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_0040E54F Sleep,ExitProcess | 0_2_0040E54F
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle | 0_2_004198D2
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Window / User API: threadDelayed 3882
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Window / User API: threadDelayed 5689
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Window / User API: foregroundWindowGot 1768
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe TID: 5788 | Thread sleep count: 172 > 30
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe TID: 5788 | Thread sleep time: -86000s >= -30000s
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe TID: 6640 | Thread sleep count: 3882 > 30
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe TID: 6640 | Thread sleep time: -11646000s >= -30000s
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe TID: 6640 | Thread sleep count: 5689 > 30
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe TID: 6640 | Thread sleep time: -17067000s >= -30000s
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_0040B335 FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose | 0_2_0040B335
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_0041B43F FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,FindClose,RemoveDirectoryW,GetLastError,FindClose | 0_2_0041B43F
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_0040B53A FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose | 0_2_0040B53A
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_0044D5F9 FindFirstFileExA | 0_2_0044D5F9
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_004089A9 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,__CxxThrowException@8 | 0_2_004089A9
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_00406AC2 FindFirstFileW,FindNextFileW | 0_2_00406AC2
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_00407A8C __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,__CxxThrowException@8 | 0_2_00407A8C
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_00418C79 FindFirstFileW,FindNextFileW,FindNextFileW | 0_2_00418C79
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_00408DA7 __EH_prolog,FindFirstFileW,FindNextFileW,FindClose | 0_2_00408DA7
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_00406F06 SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW | 0_2_00406F06
Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000002.4473493602.00000000008EC000.00000004.00000020.00020000.00000000.sdmp, 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000002.4473372206.000000000085E000.00000004.00000020.00020000.00000000.sdmp, 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000003.2046771308.00000000008EC000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | API call chain: ExitProcess graph end node | graph_0-48036
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_0043A66D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_0043A66D
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_0041BCF3 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress | 0_2_0041BCF3
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_00442564 mov eax, dword ptr fs:[00000030h] | 0_2_00442564
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_0044E93E GetProcessHeap | 0_2_0044E93E
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_00434178 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess | 0_2_00434178
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_0043A66D IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_0043A66D
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_00433B54 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter | 0_2_00433B54
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_00433CE7 SetUnhandledExceptionFilter | 0_2_00433CE7
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe | 0_2_00410F36
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_00418764 mouse_event | 0_2_00418764
Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000002.4473372206.000000000085E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerGl
Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000002.4473372206.000000000085E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager17\]
Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000002.4473372206.000000000085E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager17\37K
Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000002.4473372206.000000000085E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager17\D
Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000002.4473372206.000000000085E000.00000004.00000020.00020000.00000000.sdmp, 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000002.4473493602.00000000008D4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager
Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000002.4473372206.000000000085E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager17\
Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000002.4473372206.000000000085E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Managerr|
Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000002.4473493602.00000000008D4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager)
Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000002.4473372206.000000000085E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager17\o
Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000002.4473372206.000000000085E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program ManagerV
Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000002.4473493602.00000000008D4000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Program Manager?
Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000002.4473372206.00000000008A0000.00000004.00000020.00020000.00000000.sdmp, 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000002.4473372206.000000000085E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: |Program Manager|
Source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000002.4473372206.000000000085E000.00000004.00000020.00020000.00000000.sdmp, logs.dat.0.dr | Binary or memory string: [Program Manager]
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_00433E1A cpuid | 0_2_00433E1A
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: GetLocaleInfoA | 0_2_0040E679
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: GetLocaleInfoW | 0_2_004510CA
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: EnumSystemLocalesW | 0_2_004470BE
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP | 0_2_004511F3
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: GetLocaleInfoW | 0_2_004512FA
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW | 0_2_004513C7
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: GetLocaleInfoW | 0_2_004475A7
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW | 0_2_00450A8F
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: EnumSystemLocalesW | 0_2_00450D52
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: EnumSystemLocalesW | 0_2_00450D07
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: EnumSystemLocalesW | 0_2_00450DED
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW | 0_2_00450E7A
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_00404915 GetLocalTime,CreateEventA,CreateThread | 0_2_00404915
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_0041A7B2 GetComputerNameExW,GetUserNameW | 0_2_0041A7B2
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: 0_2_0044801F _free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free | 0_2_0044801F
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                          Stealing of Sensitive Information

Source: Yara match | File source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4473586206.00000000023EF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4473372206.00000000008A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2024475770.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4473372206.000000000085E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe PID: 4996, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data | 0_2_0040B21B
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ | 0_2_0040B335
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: \key3.db | 0_2_0040B335

                          Remote Access Functionality

Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Mutex created: \Sessions\1\BaseNamedObjects\Rmc-I3QM17
Source: Yara match | File source: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 0.2.17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.4473586206.00000000023EF000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4473372206.00000000008A0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000000.2024475770.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.4473372206.000000000085E000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe PID: 4996, type: MEMORYSTR
Source: Yara match | File source: C:\ProgramData\remcos\logs.dat, type: DROPPED
Source: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | Code function: cmd.exe | 0_2_00405042
MITRE ATT&CK Matrix

Techniques are listed per tactic column; the number in parentheses is the count shown in the matrix cell. Techniques without a count are matrix placeholders with no observed behaviour.

Reconnaissance: Gather Victim Identity Information, Credentials, Email Addresses, Employee Names, Gather Victim Network Information, Domain Properties, DNS, Network Trust Dependencies, Network Topology, IP Addresses
Resource Development: Acquire Infrastructure, Domains, DNS Server, Virtual Private Server, Server, Botnet, Web Services, Serverless, Malvertising, Compromise Infrastructure
Initial Access: Valid Accounts, Default Accounts, Domain Accounts, Local Accounts, Cloud Accounts, Replication Through Removable Media, External Remote Services, Drive-by Compromise, Exploit Public-Facing Application, Supply Chain Compromise
Execution: Native API (1), Command and Scripting Interpreter (12), Service Execution (2), Cron, Launchd, Scheduled Task, Systemd Timers, Container Orchestration Job, Command and Scripting Interpreter, PowerShell
Persistence: DLL Side-Loading (1), Windows Service (1), Logon Script (Windows), Login Hook, Network Logon Script, RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
Privilege Escalation: DLL Side-Loading (1), Bypass User Account Control (1), Access Token Manipulation (1), Windows Service (1), Process Injection (11), RC Scripts, Startup Items, Scheduled Task/Job, At, Cron
Defense Evasion: Deobfuscate/Decode Files or Information (1), Obfuscated Files or Information (2), DLL Side-Loading (1), Bypass User Account Control (1), Masquerading (1), Virtualization/Sandbox Evasion (1), Access Token Manipulation (1), Process Injection (11), HTML Smuggling, Dynamic API Resolution
Credential Access: OS Credential Dumping (1), Input Capture (211), Credentials In Files (2), NTDS, LSA Secrets, Cached Domain Credentials, DCSync, Proc Filesystem, /etc/passwd and /etc/shadow, Network Sniffing
Discovery: System Time Discovery (2), Account Discovery (1), System Service Discovery (1), File and Directory Discovery (2), System Information Discovery (23), Security Software Discovery (21), Virtualization/Sandbox Evasion (1), Process Discovery (2), Application Window Discovery (1), System Owner/User Discovery (1)
Lateral Movement: Remote Services, Remote Desktop Protocol, SMB/Windows Admin Shares, Distributed Component Object Model, SSH, VNC, Windows Remote Management, Cloud Services, Direct Cloud VM Connections, Shared Webroot
Collection: Archive Collected Data (11), Input Capture (211), Clipboard Data (3), Input Capture, Keylogging, GUI Input Capture, Web Portal Capture, Credential API Hooking, Data Staged, Local Data Staging
Command and Control: Ingress Tool Transfer (12), Encrypted Channel (2), Non-Standard Port (1), Remote Access Software (1), Non-Application Layer Protocol (2), Application Layer Protocol (12), Commonly Used Port, Application Layer Protocol, Web Protocols, File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium, Exfiltration Over Bluetooth, Automated Exfiltration, Traffic Duplication, Scheduled Transfer, Data Transfer Size Limits, Exfiltration Over C2 Channel, Exfiltration Over Alternative Protocol, Exfiltration Over Symmetric Encrypted Non-C2 Protocol, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: System Shutdown/Reboot (1), Defacement (1), Data Encrypted for Impact, Data Destruction, Data Encrypted for Impact, Service Stop, Inhibit System Recovery, Defacement, Internal Defacement, External Defacement

                          SourceDetectionScannerLabelLink
                          17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe71%ReversingLabsWin32.Backdoor.Remcos
                          17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe100%AviraBDS/Backdoor.Gen
                          17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe100%Joe Sandbox ML
                          No Antivirus matches
                          No Antivirus matches
                          No Antivirus matches
                          SourceDetectionScannerLabelLink
                          municipioalcidiadechicamocha.ddnsgeek.com0%Avira URL Cloudsafe
                          NameIPActiveMaliciousAntivirus DetectionReputation
                          geoplugin.net
                          178.237.33.50
                          truefalse
                            high
                            municipioalcidiadechicamocha.ddnsgeek.com
                            179.15.136.6
                            truetrue
                              unknown
                              NameMaliciousAntivirus DetectionReputation
                              http://geoplugin.net/json.gpfalse
                                high
                                municipioalcidiadechicamocha.ddnsgeek.comtrue
                                • Avira URL Cloud: safe
                                unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://geoplugin.net/json.gp4 | 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000002.4473372206.00000000008A0000.00000004.00000020.00020000.00000000.sdmp, 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000003.2046697094.00000000008A0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpF# | 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000002.4473372206.00000000008A0000.00000004.00000020.00020000.00000000.sdmp, 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000003.2046697094.00000000008A0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpg | 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000002.4473372206.00000000008A0000.00000004.00000020.00020000.00000000.sdmp, 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000003.2046697094.00000000008A0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gp8#G | 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000002.4473372206.00000000008A0000.00000004.00000020.00020000.00000000.sdmp, 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000003.2046697094.00000000008A0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/ | 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000003.2046697094.00000000008C3000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gp/C | 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe | false | | high
http://geoplugin.net/json.gpr& | 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000002.4473372206.00000000008A0000.00000004.00000020.00020000.00000000.sdmp, 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000003.2046697094.00000000008A0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpJ | 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000002.4473372206.00000000008A0000.00000004.00000020.00020000.00000000.sdmp, 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000003.2046697094.00000000008A0000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://geoplugin.net/json.gpSystem32 | 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, 00000000.00000002.4473372206.000000000085E000.00000004.00000020.00020000.00000000.sdmp | false | | high
The characters after json.gp in these rows (4, F#, g, 8#G, /C, r&, J, System32) are not part of the URL: they are the bytes that happen to follow the string in the dumped memory region and were picked up by string extraction. The URL the sample requests is http://geoplugin.net/json.gp; the only row that comes from the file on disk rather than a memory dump is json.gp/C, whose source is the executable itself.
IP | Domain | Country | ASN | ASN Name | Malicious
179.15.136.6 | municipioalcidiadechicamocha.ddnsgeek.com | Colombia | 27831 | ColombiaMovilCO | true
178.237.33.50 | geoplugin.net | Netherlands | 8455 | ATOM86-ASATOM86NL | false
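The tables above give two kinds of network indicator: the Remcos C2 host (municipioalcidiadechicamocha.ddnsgeek.com / 179.15.136.6, which the URL-reputation scanner still rates "safe") and the public geoplugin.net/json.gp lookup the sample makes on start-up, which legitimate software also uses. The script below is an added example, not part of the Joe Sandbox report, showing how to sweep DNS and HTTP logs for both while keeping the severities apart. The indicator values are the report's own; the log lines and their tab-separated layout (ts, client, query, answers for DNS; ts, client, server, host, uri for HTTP) are constructed for this example.

```python
"""Match the report's network indicators against DNS and HTTP log lines.

Added example, not part of the Joe Sandbox report. Indicators are taken from
the report's tables; the log format and the sample lines are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Indicators from the report: the Remcos C2 host and its resolved address.
C2_DOMAINS: Set[str] = {"municipioalcidiadechicamocha.ddnsgeek.com"}
C2_IPS: Set[str] = {"179.15.136.6"}
# geoplugin.net is a public geolocation API that Remcos calls at start-up
# (see the dropped JSON file later in the report). Legitimate software uses
# it too, so it only produces a low-severity hit meant to corroborate a C2 hit.
SUPPORT_DOMAINS: Set[str] = {"geoplugin.net"}
SUPPORT_URIS: Set[str] = {"/json.gp"}


@dataclass(frozen=True)
class Hit:
    line_no: int
    client: str
    indicator: str
    severity: str  # "high" = C2 contact, "low" = supporting infrastructure


def _match_domain(name: str, domains: Set[str]) -> Optional[str]:
    """Exact or subdomain match, case-insensitive, tolerant of a trailing dot."""
    name = name.rstrip(".").lower()
    for d in domains:
        if name == d or name.endswith("." + d):
            return d
    return None


def scan_dns(lines: List[str]) -> List[Hit]:
    """Lines: ts<TAB>client<TAB>query<TAB>answers (comma-separated)."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 4:
            continue  # malformed line: skip it rather than abort the sweep
        _, client, query, answers = fields[:4]
        if (d := _match_domain(query, C2_DOMAINS)):
            hits.append(Hit(n, client, d, "high"))
        elif (d := _match_domain(query, SUPPORT_DOMAINS)):
            hits.append(Hit(n, client, d, "low"))
        # A C2 address in the answer section also catches a renamed DDNS host.
        for addr in (a.strip() for a in answers.split(",")):
            if addr in C2_IPS:
                hits.append(Hit(n, client, addr, "high"))
    return hits


def scan_http(lines: List[str]) -> List[Hit]:
    """Lines: ts<TAB>client<TAB>server<TAB>host<TAB>uri."""
    hits: List[Hit] = []
    for n, line in enumerate(lines, 1):
        fields = line.rstrip("\n").split("\t")
        if len(fields) < 5:
            continue
        _, client, server, host, uri = fields[:5]
        if server in C2_IPS:
            hits.append(Hit(n, client, server, "high"))
        elif _match_domain(host, C2_DOMAINS):
            hits.append(Hit(n, client, host, "high"))
        elif _match_domain(host, SUPPORT_DOMAINS) and uri.split("?", 1)[0] in SUPPORT_URIS:
            hits.append(Hit(n, client, host + uri, "low"))
    return hits


def verdict_per_client(hits: List[Hit]) -> Dict[str, str]:
    """Highest severity observed for each client address."""
    rank = {"low": 1, "high": 2}
    out: Dict[str, str] = {}
    for h in hits:
        if rank[h.severity] > rank.get(out.get(h.client, ""), 0):
            out[h.client] = h.severity
    return out


# Constructed sample logs: 10.0.0.5 behaves like the sandbox run, 10.0.0.9 is clean.
DNS_LOG = [
    "1736348300.10\t10.0.0.5\tgeoplugin.net\t178.237.33.50",
    "1736348301.42\t10.0.0.5\tmunicipioalcidiadechicamocha.ddnsgeek.com\t179.15.136.6",
    "1736348302.00\t10.0.0.9\tintranet.corp.example\t10.0.0.20",
]
HTTP_LOG = [
    "1736348300.55\t10.0.0.5\t178.237.33.50\tgeoplugin.net\t/json.gp",
    "1736348305.20\t10.0.0.9\t10.0.0.20\tintranet.corp.example\t/index.html",
]

if __name__ == "__main__":
    all_hits = scan_dns(DNS_LOG) + scan_http(HTTP_LOG)
    for h in all_hits:
        print(f"line {h.line_no}: {h.client} -> {h.indicator} [{h.severity}]")
    print(verdict_per_client(all_hits))
```

A geoplugin.net lookup on its own is not worth an alert; the useful signal is the combination of that lookup with a resolution of, or a connection to, the C2 indicator from the same client within a short window, which is what verdict_per_client collapses to.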
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1585997
Start date and time: 2025-01-08 15:58:09 +01:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 6m 34s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 4
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe
Detection: MAL
Classification: mal100.rans.troj.spyw.expl.evad.winEXE@1/2@2/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 37
• Number of non-executed functions: 202
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240s for sample files taking high CPU consumption
• Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
• Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.107.246.45
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Report size getting too big, too many NtQueryValueKey calls found.
• VT rate limit hit for: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe
Time | Type | Description
09:59:30 | API Interceptor | 6511679x Sleep call for process: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe modified
Match: 178.237.33.50
Associated Sample Name / URL | Detection | Threat Name | Context
DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe | malicious | Remcos, GuLoader | geoplugin.net/json.gp
c2.hta | malicious | Remcos | geoplugin.net/json.gp
c2.hta | malicious | Remcos | geoplugin.net/json.gp
RailProvides_nopump.exe | malicious | Remcos | geoplugin.net/json.gp
c2.hta | malicious | Remcos | geoplugin.net/json.gp
17360626254f6ab0798f0d71fe81e2d058a575b873a7088f40695d7fd8031d0961d3a3694a780.dat-decoded.exe | malicious | Remcos | geoplugin.net/json.gp
Tax_Refund_Claim_2024_Australian_Taxation_Office.js | malicious | Remcos | geoplugin.net/json.gp
c2.hta | malicious | Remcos | geoplugin.net/json.gp
4XYAW8PbZH.exe | malicious | Remcos | geoplugin.net/json.gp
iGhDjzEiDU.exe | malicious | Remcos | geoplugin.net/json.gp
Match: geoplugin.net
Associated Sample Name / URL | Detection | Threat Name | Context
DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe | malicious | Remcos, GuLoader | 178.237.33.50
c2.hta | malicious | Remcos | 178.237.33.50
c2.hta | malicious | Remcos | 178.237.33.50
RailProvides_nopump.exe | malicious | Remcos | 178.237.33.50
c2.hta | malicious | Remcos | 178.237.33.50
17360626254f6ab0798f0d71fe81e2d058a575b873a7088f40695d7fd8031d0961d3a3694a780.dat-decoded.exe | malicious | Remcos | 178.237.33.50
Tax_Refund_Claim_2024_Australian_Taxation_Office.js | malicious | Remcos | 178.237.33.50
c2.hta | malicious | Remcos | 178.237.33.50
4XYAW8PbZH.exe | malicious | Remcos | 178.237.33.50
iGhDjzEiDU.exe | malicious | Remcos | 178.237.33.50
Match: ATOM86-ASATOM86NL
Associated Sample Name / URL | Detection | Threat Name | Context
DHL_Awb_Shipping_Invoice_doc_010720257820020031808174CN1800301072025.bat.exe | malicious | Remcos, GuLoader | 178.237.33.50
c2.hta | malicious | Remcos | 178.237.33.50
c2.hta | malicious | Remcos | 178.237.33.50
RailProvides_nopump.exe | malicious | Remcos | 178.237.33.50
c2.hta | malicious | Remcos | 178.237.33.50
9W9jJCj9EV.bat | malicious | Remcos | 178.237.33.50
17360626254f6ab0798f0d71fe81e2d058a575b873a7088f40695d7fd8031d0961d3a3694a780.dat-decoded.exe | malicious | Remcos | 178.237.33.50
Tax_Refund_Claim_2024_Australian_Taxation_Office.js | malicious | Remcos | 178.237.33.50
c2.hta | malicious | Remcos | 178.237.33.50
c2.hta | malicious | Remcos | 178.237.33.50
Match: ColombiaMovilCO
Associated Sample Name / URL | Detection | Threat Name | Context
sh4.elf | malicious | Mirai | 177.252.126.19
armv5l.elf | malicious | Unknown | 191.93.155.250
Fantazy.x86.elf | malicious | Unknown | 179.12.199.43
armv5l.elf | malicious | Unknown | 191.91.160.57
kwari.arm.elf | malicious | Unknown | 181.204.131.174
2LDJIyMl2r.exe | malicious | Remcos | 181.71.216.203
telnet.ppc.elf | malicious | Unknown | 177.252.126.11
loligang.mpsl.elf | malicious | Mirai | 186.181.45.206
armv6l.elf | malicious | Unknown | 186.180.36.76
nshkmips.elf | malicious | Mirai | 191.92.238.158
Process: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe
Path: C:\ProgramData\remcos\logs.dat (from the Yara hit below)
File Type: data
Category: dropped
Size (bytes): 144
Entropy (8bit): 3.3603882199736725
Encrypted: false
SSDEEP: 3:rgls1kAod4b5JWRal2Jl+7R0DAlBG45klovDl6v:MlsOtCb5YcIeeDAlOWAv
MD5: B3C07FF4B2552E3A651E2C4776EDEEDD
SHA1: E6FC0B7DB8BBC83F28D75807B216EFD3FC322881
SHA-256: 349EB4896E4182A12CF3F62F963BFCD1805358D125E7FEB28C17C71673BDA0F9
SHA-512: 958255E22B4045B4114D33750D31069FA5CE0CEC7A8049DBBE91A5EB4F679CDD599B7874236346594907E1075AA1186F306269E8BA9AE07D7FD222D39B6F2D37
Malicious: true
Yara Hits:
• Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: C:\ProgramData\remcos\logs.dat, Author: Joe Security
Reputation: low
Preview (raw, non-printable bytes shown as "."): ....[.2.0.2.5./.0.1./.0.8. .0.9.:.5.8.:.5.8. .O.f.f.l.i.n.e. .K.e.y.l.o.g.g.e.r. .S.t.a.r.t.e.d.].........[.P.r.o.g.r.a.m. .M.a.n.a.g.e.r.].....
Preview (decoded): the file is UTF-16LE text, 72 characters (144 bytes). Decoded it reads a CRLF, then "[2025/01/08 09:58:58 Offline Keylogger Started]", two CRLFs, then "[Program Manager]" and a final CRLF. This is the Remcos offline keylogger log: a session header followed by the title of each foreground window, with keystrokes typed into that window logged beneath it. Only the desktop window title was recorded during this run because nothing was typed.
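Recovering what a victim typed from logs.dat is a routine incident-response task, so the parser below is added here as an example; it is not part of the Joe Sandbox report and not Remcos code. The layout it assumes is the one visible in the preview above: UTF-16LE text (with or without a BOM), one session header of the form "[YYYY/MM/DD HH:MM:SS Offline Keylogger Started]", then bracketed window titles each followed by the keystrokes entered into that window. The first sample below is constructed to reproduce the 144-byte preview exactly; the second adds a hypothetical window with keystrokes, which the preview does not contain, to exercise the keystroke path.

```python
"""Parse a Remcos offline keylogger log (logs.dat) into sessions and windows.

Added example, not part of the Joe Sandbox report or of Remcos. The format is
inferred from the report's preview; the keystroke lines in the second sample
are an assumption.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime
from typing import List

SESSION_RE = re.compile(
    r"^\[(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) Offline Keylogger Started\]$")
TITLE_RE = re.compile(r"^\[(.*)\]$")


@dataclass
class WindowRecord:
    title: str
    keystrokes: List[str] = field(default_factory=list)


@dataclass
class KeylogSession:
    started: datetime
    windows: List[WindowRecord] = field(default_factory=list)


def decode_logs_dat(raw: bytes) -> str:
    """UTF-16 with BOM detection; the report's sample has no BOM and is LE."""
    if raw[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return raw.decode("utf-16")
    return raw.decode("utf-16-le")


def parse_logs_dat(raw: bytes) -> List[KeylogSession]:
    """Group lines under the session header and the window title they follow.

    A keystroke line that is itself wrapped in brackets would be mistaken for a
    window title; Remcos writes titles and keys on separate lines, so in
    practice this only matters for deliberately crafted input.
    """
    sessions: List[KeylogSession] = []
    session = None
    window = None
    for line in decode_logs_dat(raw).splitlines():
        if not line.strip():
            continue  # blank separator lines carry no data
        if (m := SESSION_RE.match(line)):
            session = KeylogSession(datetime.strptime(m.group(1), "%Y/%m/%d %H:%M:%S"))
            sessions.append(session)
            window = None
        elif (m := TITLE_RE.match(line)) and session is not None:
            window = WindowRecord(m.group(1))
            session.windows.append(window)
        elif window is not None:
            window.keystrokes.append(line)
    return sessions


# Constructed to match the report's preview byte for byte: CRLF, header,
# CRLF CRLF, "[Program Manager]", CRLF; 72 UTF-16LE characters = 144 bytes.
SAMPLE_LOGS_DAT = (
    "\r\n[2025/01/08 09:58:58 Offline Keylogger Started]\r\n\r\n"
    "[Program Manager]\r\n"
).encode("utf-16-le")

# Hypothetical extension (not in the report): a BOM and a second window with keys.
SAMPLE_WITH_KEYS = b"\xff\xfe" + (
    "\r\n[2025/01/08 09:58:58 Offline Keylogger Started]\r\n\r\n"
    "[Program Manager]\r\n"
    "[Untitled - Notepad]\r\nhello world\r\n"
).encode("utf-16-le")

if __name__ == "__main__":
    for s in parse_logs_dat(SAMPLE_WITH_KEYS):
        print(f"session started {s.started:%Y-%m-%d %H:%M:%S}")
        for w in s.windows:
            print(f"  [{w.title}] {w.keystrokes}")
```

The session timestamp is the sandbox VM's local clock, not UTC; compare it with the 09:59:30 entry in the timeline above rather than with the 15:58:09 +01:00 start time when correlating.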
Process: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe
File Type: JSON data
Category: dropped
Size (bytes): 963
Entropy (8bit): 5.019506780280991
Encrypted: false
SSDEEP: 12:tkluWJmnd6CsGkMyGWKyGXPVGArwY307f7aZHI7GZArpv/mOAaNO+ao9W7iN5zzd:qlupdRNuKyGX85jvXhNlT3/7AcV9Wro
MD5: 7459F6DA71CD5EAF9DBE2D20CA9434AC
SHA1: 4F60E33E15277F7A632D8CD058EC7DF4728B40BC
SHA-256: 364A445C3A222EE10A8816F78283BBD0503A5E5824B2A7F5DCD8E6DA9148AF6A
SHA-512: 3A862711D78F6F97F07E01ACC0DCB54F595A23AACEA9F2BB9606382805E1E92C1ACE09E1446F312F3B6D4EE63435ABEF46F0C16F015BD505347A1BCF2E149841
Malicious: false
Reputation: moderate, very likely benign file
Preview (the response to the http://geoplugin.net/json.gp request; geoplugin_request is the public address the sandbox egressed from):
{
  "geoplugin_request":"8.46.123.189",
  "geoplugin_status":200,
  "geoplugin_delay":"1ms",
  "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.",
  "geoplugin_city":"New York",
  "geoplugin_region":"New York",
  "geoplugin_regionCode":"NY",
  "geoplugin_regionName":"New York",
  "geoplugin_areaCode":"",
  "geoplugin_dmaCode":"501",
  "geoplugin_countryCode":"US",
  "geoplugin_countryName":"United States",
  "geoplugin_inEU":0,
  "geoplugin_euVATrate":false,
  "geoplugin_continentCode":"NA",
  "geoplugin_continentName":"North America",
  "geoplugin_latitude":"40.7123",
  "geoplugin_longitude":"-74.0068",
  "geoplugin_locationAccuracyRadius":"20",
  "geoplugin_timezone":"America\/New_York",
  "geoplugin_currencyCode":"USD",
  "geoplugin_currencySymbol":"$",
  "geoplugin_currencySymbol_UTF8":"$",
  "geoplugin_currencyConverter":0
}
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.586551424257945
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name: 17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe
File size: 493'056 bytes
MD5: ea495dd5eeb51bc22024728189eec9f5
SHA1: 16a1cfe7a570d466ac4ee04ccc1cb0e99a3d7f1d
SHA256: c64be040beacfa41be4b8280b4b02a7cfd5d4d81a75bc94e81d0848b7baa2f4f
SHA512: 5f5a197b959a76627617afe71d6cc10a82e4db283a3e06e1c4ec036b7a530800d4e2f899cba87090cc389fbe11b78ed6e1b8e42175e11bbb8da9e947a1e5f7c5
SSDEEP: 12288:L9PgP3HAMwIGjY4vce6lnBthn5HSRVMf139F5woxr+IwtHwBtFhCsvZD5Y+P32:Z43HfwIGYMcn5PJrZq+
TLSH: A9A4BE01B6D2C072D57625300D26E775DEBDBD212835897BB3DA1D67FE30180E63AAB2
File Content Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........)...H...H...H....(..H....*..H....+..H...0]..H..&....H... ...H... ...H... ...H...0J..H...H...I...!...H...!&..H...!...H..Rich.H.
Icon Hash: 95694d05214c1b33
Entrypoint: 0x433b4a
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics: TERMINAL_SERVER_AWARE
Time Stamp: 0x6752B172 [Fri Dec 6 08:10:26 2024 UTC]
TLS Callbacks: (none listed)
CLR (.Net) Version: (none, native code)
OS Version Major: 5
OS Version Minor: 1
File Version Major: 5
File Version Minor: 1
Subsystem Version Major: 5
Subsystem Version Minor: 1
Import Hash: e77512f955eaf60ccff45e02d69234de
Instruction (entry point preview, starting at 0x433b4a):
                                                  call 00007FE258E51413h
                                                  jmp 00007FE258E50D6Fh
                                                  push ebp
                                                  mov ebp, esp
                                                  sub esp, 00000324h
                                                  push ebx
                                                  push 00000017h
                                                  call 00007FE258E73249h
                                                  test eax, eax
                                                  je 00007FE258E50EF7h
                                                  mov ecx, dword ptr [ebp+08h]
                                                  int 29h
                                                  push 00000003h
                                                  call 00007FE258E510B4h
                                                  mov dword ptr [esp], 000002CCh
                                                  lea eax, dword ptr [ebp-00000324h]
                                                  push 00000000h
                                                  push eax
                                                  call 00007FE258E533CBh
                                                  add esp, 0Ch
                                                  mov dword ptr [ebp-00000274h], eax
                                                  mov dword ptr [ebp-00000278h], ecx
                                                  mov dword ptr [ebp-0000027Ch], edx
                                                  mov dword ptr [ebp-00000280h], ebx
                                                  mov dword ptr [ebp-00000284h], esi
                                                  mov dword ptr [ebp-00000288h], edi
                                                  mov word ptr [ebp-0000025Ch], ss
                                                  mov word ptr [ebp-00000268h], cs
                                                  mov word ptr [ebp-0000028Ch], ds
                                                  mov word ptr [ebp-00000290h], es
                                                  mov word ptr [ebp-00000294h], fs
                                                  mov word ptr [ebp-00000298h], gs
                                                  pushfd
                                                  pop dword ptr [ebp-00000264h]
                                                  mov eax, dword ptr [ebp+04h]
                                                  mov dword ptr [ebp-0000026Ch], eax
                                                  lea eax, dword ptr [ebp+04h]
                                                  mov dword ptr [ebp-00000260h], eax
                                                  mov dword ptr [ebp-00000324h], 00010001h
                                                  mov eax, dword ptr [eax-04h]
                                                  push 00000050h
                                                  mov dword ptr [ebp-00000270h], eax
                                                  lea eax, dword ptr [ebp-58h]
                                                  push 00000000h
                                                  push eax
                                                  call 00007FE258E53341h
                                                  Programming Language:
                                                  • [C++] VS2008 SP1 build 30729
                                                  • [IMP] VS2008 SP1 build 30729
Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x6e020 | 0x104 | .rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x76000 | 0x4ae4 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x7b000 | 0x3b88 | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x6c510 | 0x38 | .rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x6c5e8 | 0x18 | .rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x6c548 | 0x40 | .rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x57000 | 0x4f4 | .rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x1000 | 0x55f2d | 0x56000 | c9fb1fecb5f01a3c88e2bc00eccd57c4 | False | 0.5739377043968024 | data | 6.621523378040251 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata | 0x57000 | 0x18b00 | 0x18c00 | 0ba285a9a28b1dec254a7539ab18f8d0 | False | 0.4981455176767677 | OpenPGP Secret Key Version 6 (libmagic false positive) | 5.75873851406894 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data | 0x70000 | 0x5d8c | 0xe00 | 06414e748130e7e668ba2ba172d63448 | False | 0.22684151785714285 | data | 3.093339598098017 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc | 0x76000 | 0x4ae4 | 0x4c00 | d140542b2c0dc2064395c7456ed475f0 | False | 0.2780633223684211 | data | 3.982552908125509 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x7b000 | 0x3b88 | 0x3c00 | b875bbd60cc90da8a22f40034fe9606e | False | 0.7575520833333333 | data | 6.702930468027394 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_ICON | 0x7618c | 0x468 | Device independent bitmap graphic, 16 x 32 x 32, image size 1088 | English | United States | 0.3421985815602837
RT_ICON | 0x765f4 | 0x988 | Device independent bitmap graphic, 24 x 48 x 32, image size 2400 | English | United States | 0.27704918032786885
RT_ICON | 0x76f7c | 0x10a8 | Device independent bitmap graphic, 32 x 64 x 32, image size 4224 | English | United States | 0.23686679174484052
RT_ICON | 0x78024 | 0x25a8 | Device independent bitmap graphic, 48 x 96 x 32, image size 9600 | English | United States | 0.22977178423236513
RT_RCDATA | 0x7a5cc | 0x4d8 | data | | | 1.0088709677419354
RT_GROUP_ICON | 0x7aaa4 | 0x3e | data | English | United States | 0.8064516129032258
The RT_RCDATA entry is the one resource without a language and the only one whose ZLIB complexity exceeds 1.0, i.e. the 0x4d8 bytes do not compress at all, which is what encrypted or random data looks like next to the icons that compress to a quarter of their size. It is the resource to pull first when extracting the configuration the report says it found.
DLL | Import
KERNEL32.dll | ExpandEnvironmentStringsA, GetLongPathNameW, CopyFileW, GetLocaleInfoA, CreateToolhelp32Snapshot, Process32NextW, Process32FirstW, VirtualProtect, SetLastError, VirtualFree, VirtualAlloc, LoadLibraryA, GetNativeSystemInfo, HeapAlloc, GetProcessHeap, FreeLibrary, IsBadReadPtr, GetTempPathW, OpenProcess, OpenMutexA, lstrcatW, GetCurrentProcessId, GetTempFileNameW, GetSystemDirectoryA, GlobalAlloc, GlobalLock, GetTickCount, GlobalUnlock, WriteProcessMemory, ResumeThread, GetThreadContext, ReadProcessMemory, CreateProcessW, SetThreadContext, LocalAlloc, GlobalFree, MulDiv, SizeofResource, QueryDosDeviceW, FindFirstVolumeW, GetConsoleScreenBufferInfo, SetConsoleTextAttribute, lstrlenW, GetStdHandle, SetFilePointer, FindResourceA, LockResource, LoadResource, LocalFree, FindVolumeClose, GetVolumePathNamesForVolumeNameW, lstrcpyW, SetConsoleOutputCP, FormatMessageA, FindFirstFileA, AllocConsole, lstrcmpW, GetModuleFileNameA, lstrcpynA, QueryPerformanceFrequency, QueryPerformanceCounter, EnterCriticalSection, LeaveCriticalSection, InitializeCriticalSection, DeleteCriticalSection, HeapSize, WriteConsoleW, SetStdHandle, SetEnvironmentVariableW, SetEnvironmentVariableA, FreeEnvironmentStringsW, GetEnvironmentStringsW, GetCommandLineW, GetCommandLineA, GetOEMCP, IsValidCodePage, FindFirstFileExA, HeapReAlloc, ReadConsoleW, GetConsoleMode, GetConsoleCP, FlushFileBuffers, GetFileType, GetTimeZoneInformation, EnumSystemLocalesW, GetUserDefaultLCID, IsValidLocale, GetTimeFormatW, GetDateFormatW, GetACP, GetModuleHandleExW, MoveFileExW, LoadLibraryExW, RaiseException, RtlUnwind, GetCPInfo, GetStringTypeW, GetLocaleInfoW, LCMapStringW, CompareStringW, MultiByteToWideChar, DecodePointer, EncodePointer, TlsFree, TlsSetValue, GetFileSize, TerminateThread, GetLastError, GetModuleHandleA, RemoveDirectoryW, MoveFileW, SetFilePointerEx, CreateDirectoryW, GetLogicalDriveStringsA, DeleteFileW, FindNextFileA, DeleteFileA, SetFileAttributesW, GetFileAttributesW, FindClose, lstrlenA, GetDriveTypeA, FindNextFileW, GetFileSizeEx, FindFirstFileW, GetModuleHandleW, ExitProcess, GetProcAddress, CreateMutexA, GetCurrentProcess, CreateProcessA, PeekNamedPipe, CreatePipe, TerminateProcess, ReadFile, HeapFree, HeapCreate, CreateEventA, GetLocalTime, CreateThread, SetEvent, CreateEventW, WaitForSingleObject, Sleep, GetModuleFileNameW, CloseHandle, ExitThread, CreateFileW, WriteFile, FindNextVolumeW, TlsGetValue, TlsAlloc, SwitchToThread, WideCharToMultiByte, InitializeSListHead, GetSystemTimeAsFileTime, GetCurrentThreadId, IsProcessorFeaturePresent, GetStartupInfoW, SetUnhandledExceptionFilter, UnhandledExceptionFilter, IsDebuggerPresent, WaitForSingleObjectEx, ResetEvent, InitializeCriticalSectionAndSpinCount, SetEndOfFile
USER32.dll | DefWindowProcA, TranslateMessage, DispatchMessageA, GetMessageA, GetWindowTextW, wsprintfW, GetClipboardData, UnhookWindowsHookEx, GetForegroundWindow, ToUnicodeEx, GetKeyboardLayout, SetWindowsHookExA, CloseClipboard, OpenClipboard, GetKeyboardState, CallNextHookEx, GetKeyboardLayoutNameA, GetKeyState, GetWindowTextLengthW, GetWindowThreadProcessId, SetForegroundWindow, SetClipboardData, EnumWindows, ExitWindowsEx, EmptyClipboard, ShowWindow, SetWindowTextW, MessageBoxW, IsWindowVisible, CreateWindowExA, SendInput, EnumDisplaySettingsW, mouse_event, MapVirtualKeyA, TrackPopupMenu, CreatePopupMenu, AppendMenuA, RegisterClassExA, GetCursorPos, SystemParametersInfoW, GetIconInfo, GetSystemMetrics, CloseWindow, DrawIcon
GDI32.dll | BitBlt, CreateCompatibleBitmap, CreateCompatibleDC, StretchBlt, GetDIBits, DeleteDC, DeleteObject, CreateDCA, GetObjectA, SelectObject
ADVAPI32.dll | LookupPrivilegeValueA, CryptAcquireContextA, CryptGenRandom, CryptReleaseContext, GetUserNameW, RegEnumKeyExA, QueryServiceStatus, CloseServiceHandle, OpenSCManagerW, OpenSCManagerA, ControlService, StartServiceW, QueryServiceConfigW, ChangeServiceConfigW, OpenServiceW, EnumServicesStatusW, AdjustTokenPrivileges, RegDeleteKeyA, OpenProcessToken, RegCreateKeyA, RegCloseKey, RegQueryInfoKeyW, RegQueryValueExA, RegCreateKeyExW, RegEnumKeyExW, RegSetValueExW, RegSetValueExA, RegOpenKeyExA, RegOpenKeyExW, RegCreateKeyW, RegDeleteValueW, RegEnumValueW, RegQueryValueExW
                                                  SHELL32.dllShellExecuteExA, Shell_NotifyIconA, ExtractIconA, ShellExecuteW
                                                  ole32.dllCoInitializeEx, CoGetObject, CoUninitialize
                                                  SHLWAPI.dllStrToIntA, PathFileExistsW, PathFileExistsA
                                                  WINMM.dllmciSendStringA, mciSendStringW, waveInClose, waveInStop, waveInStart, waveInUnprepareHeader, waveInOpen, waveInAddBuffer, waveInPrepareHeader, PlaySoundW
                                                  WS2_32.dllsend, WSAStartup, socket, connect, WSAGetLastError, recv, closesocket, inet_ntoa, htons, htonl, getservbyname, ntohs, getservbyport, gethostbyaddr, inet_addr, WSASetLastError, gethostbyname
                                                  urlmon.dllURLOpenBlockingStreamW, URLDownloadToFileW
                                                  gdiplus.dllGdipAlloc, GdiplusStartup, GdipGetImageEncoders, GdipLoadImageFromStream, GdipSaveImageToStream, GdipGetImageEncodersSize, GdipFree, GdipDisposeImage, GdipCloneImage
                                                  WININET.dllInternetOpenUrlW, InternetOpenW, InternetCloseHandle, InternetReadFile
Language of compilation system | Country where language is spoken
English | United States
Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2025-01-08T15:58:59.136855+0100 | 2834936 | ETPRO MALWARE Observed DNS Query to Abused DDNS (ddnsgeek .com) | 1 | 192.168.2.5 | 55649 | 1.1.1.1 | 53 | UDP
2025-01-08T15:59:00.009322+0100 | 2036594 | ET JA3 Hash - Remcos 3.x/4.x TLS Connection | 1 | 192.168.2.5 | 49704 | 179.15.136.6 | 1997 | TCP
2025-01-08T15:59:01.305694+0100 | 2803304 | ETPRO MALWARE Common Downloader Header Pattern HCa | 3 | 192.168.2.5 | 49705 | 178.237.33.50 | 80 | TCP
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 8, 2025 15:58:59.288496971 CET | 49704 | 1997 | 192.168.2.5 | 179.15.136.6
Jan 8, 2025 15:58:59.293318033 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 15:58:59.293531895 CET | 49704 | 1997 | 192.168.2.5 | 179.15.136.6
Jan 8, 2025 15:58:59.299230099 CET | 49704 | 1997 | 192.168.2.5 | 179.15.136.6
Jan 8, 2025 15:58:59.303994894 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 15:58:59.965807915 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 15:59:00.009321928 CET | 49704 | 1997 | 192.168.2.5 | 179.15.136.6
Jan 8, 2025 15:59:00.130131006 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 15:59:00.134810925 CET | 49704 | 1997 | 192.168.2.5 | 179.15.136.6
Jan 8, 2025 15:59:00.139678001 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 15:59:00.139764071 CET | 49704 | 1997 | 192.168.2.5 | 179.15.136.6
Jan 8, 2025 15:59:00.144546032 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 15:59:00.488974094 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 15:59:00.490710020 CET | 49704 | 1997 | 192.168.2.5 | 179.15.136.6
Jan 8, 2025 15:59:00.495564938 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 15:59:00.624861956 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 15:59:00.665566921 CET | 49704 | 1997 | 192.168.2.5 | 179.15.136.6
Jan 8, 2025 15:59:00.683285952 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Jan 8, 2025 15:59:00.688038111 CET | 80 | 49705 | 178.237.33.50 | 192.168.2.5
Jan 8, 2025 15:59:00.688122988 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Jan 8, 2025 15:59:00.688273907 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Jan 8, 2025 15:59:00.693099976 CET | 80 | 49705 | 178.237.33.50 | 192.168.2.5
Jan 8, 2025 15:59:01.305501938 CET | 80 | 49705 | 178.237.33.50 | 192.168.2.5
Jan 8, 2025 15:59:01.305694103 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Jan 8, 2025 15:59:01.326508999 CET | 49704 | 1997 | 192.168.2.5 | 179.15.136.6
Jan 8, 2025 15:59:01.331424952 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 15:59:02.305114031 CET | 80 | 49705 | 178.237.33.50 | 192.168.2.5
Jan 8, 2025 15:59:02.305352926 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Jan 8, 2025 15:59:06.387217999 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 15:59:06.389035940 CET | 49704 | 1997 | 192.168.2.5 | 179.15.136.6
Jan 8, 2025 15:59:06.393855095 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 15:59:36.591298103 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 15:59:36.634300947 CET | 49704 | 1997 | 192.168.2.5 | 179.15.136.6
Jan 8, 2025 15:59:36.661509037 CET | 49704 | 1997 | 192.168.2.5 | 179.15.136.6
Jan 8, 2025 15:59:36.666273117 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 16:00:06.913180113 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 16:00:06.962445974 CET | 49704 | 1997 | 192.168.2.5 | 179.15.136.6
Jan 8, 2025 16:00:06.974782944 CET | 49704 | 1997 | 192.168.2.5 | 179.15.136.6
Jan 8, 2025 16:00:06.980097055 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 16:00:37.052062035 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 16:00:37.083256006 CET | 49704 | 1997 | 192.168.2.5 | 179.15.136.6
Jan 8, 2025 16:00:37.088067055 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 16:00:50.665761948 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Jan 8, 2025 16:00:51.031011105 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Jan 8, 2025 16:00:51.730292082 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Jan 8, 2025 16:00:52.931355953 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Jan 8, 2025 16:00:55.366604090 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Jan 8, 2025 16:01:00.228116989 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Jan 8, 2025 16:01:07.050503016 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 16:01:07.053564072 CET | 49704 | 1997 | 192.168.2.5 | 179.15.136.6
Jan 8, 2025 16:01:07.058571100 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 16:01:09.931256056 CET | 49705 | 80 | 192.168.2.5 | 178.237.33.50
Jan 8, 2025 16:01:37.084625959 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 16:01:37.086237907 CET | 49704 | 1997 | 192.168.2.5 | 179.15.136.6
Jan 8, 2025 16:01:37.091037035 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 16:02:07.111696005 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 16:02:07.113153934 CET | 49704 | 1997 | 192.168.2.5 | 179.15.136.6
Jan 8, 2025 16:02:07.117913961 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 16:02:37.076360941 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.5
Jan 8, 2025 16:02:37.077791929 CET | 49704 | 1997 | 192.168.2.5 | 179.15.136.6
Jan 8, 2025 16:02:37.084650993 CET | 1997 | 49704 | 179.15.136.6 | 192.168.2.5
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Jan 8, 2025 15:58:59.136854887 CET | 55649 | 53 | 192.168.2.5 | 1.1.1.1
Jan 8, 2025 15:58:59.283931971 CET | 53 | 55649 | 1.1.1.1 | 192.168.2.5
Jan 8, 2025 15:59:00.672534943 CET | 60251 | 53 | 192.168.2.5 | 1.1.1.1
Jan 8, 2025 15:59:00.679641962 CET | 53 | 60251 | 1.1.1.1 | 192.168.2.5
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Jan 8, 2025 15:58:59.136854887 CET | 192.168.2.5 | 1.1.1.1 | 0xc0a | Standard query (0) | municipioalcidiadechicamocha.ddnsgeek.com | A (IP address) | IN (0x0001) | false
Jan 8, 2025 15:59:00.672534943 CET | 192.168.2.5 | 1.1.1.1 | 0xe787 | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Jan 8, 2025 15:58:59.283931971 CET | 1.1.1.1 | 192.168.2.5 | 0xc0a | No error (0) | municipioalcidiadechicamocha.ddnsgeek.com | (none) | 179.15.136.6 | A (IP address) | IN (0x0001) | false
Jan 8, 2025 15:59:00.679641962 CET | 1.1.1.1 | 192.168.2.5 | 0xe787 | No error (0) | geoplugin.net | (none) | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                                                  • geoplugin.net
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.5 | 49705 | 178.237.33.50 | 80 | 4996 | C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe
Timestamp | Bytes transferred | Direction | Data
Jan 8, 2025 15:59:00.688273907 CET | 71 | OUT | GET /json.gp HTTP/1.1
Host: geoplugin.net
Cache-Control: no-cache
Jan 8, 2025 15:59:01.305501938 CET | 1171 | IN | HTTP/1.1 200 OK
date: Wed, 08 Jan 2025 14:59:01 GMT
server: Apache
content-length: 963
content-type: application/json; charset=utf-8
cache-control: public, max-age=300
access-control-allow-origin: *
                                                  Data Ascii: { "geoplugin_request":"8.46.123.189", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite2 data created by MaxMind, available from <a href='https:\/\/www.maxmind.com'>https:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"New York", "geoplugin_region":"New York", "geoplugin_regionCode":"NY", "geoplugin_regionName":"New York", "geoplugin_areaCode":"", "geoplugin_dmaCode":"501", "geoplugin_countryCode":"US", "geoplugin_countryName":"United States", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"NA", "geoplugin_continentName":"North America", "geoplugin_latitude":"40.7123", "geoplugin_longitude":"-74.0068", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"America\/New_York", "geoplugin_currencyCode":"USD", "geoplugin_currencySymbol":"$", "geoplugin_currencySymbol_UTF8":"$", "geoplugin_currencyConverter":0}



Target ID: 0
Start time: 09:58:58
Start date: 08/01/2025
Path: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe
Wow64 process (32bit): true
Commandline: "C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe"
Imagebase: 0x400000
File size: 493'056 bytes
MD5 hash: EA495DD5EEB51BC22024728189EEC9F5
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
                                                  Yara matches:
                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4473586206.00000000023EF000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4473372206.00000000008A0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000000.2024475770.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000000.2024475770.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000000.2024475770.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000000.2024475770.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_Keylogger_Generic, Description: Yara detected Keylogger Generic, Source: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp, Author: unknown
                                                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.4473372206.000000000085E000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation: low
Has exited: false


                                                    Execution Graph

Execution Coverage: 4.2%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 23.1%
Total number of Nodes: 1309
Total number of Limit Nodes: 58
46939 40e117 46940 401e13 26 API calls 46939->46940 46941 40e121 46940->46941 46942 401e13 26 API calls 46941->46942 46942->46918 46943->46629 46944->46636 46945->46633 46946->46643 46947->46645 46948->46648 46949->46623 46950->46626 46951->46630 46952->46652 46953->46655 46954->46657 46955->46654 46957 433c81 GetStartupInfoW 46956->46957 46957->46663 46959 44ddeb 46958->46959 46960 44dde2 46958->46960 46959->46666 46963 44dcd8 51 API calls 4 library calls 46960->46963 46962->46666 46963->46959 46965 41bd32 LoadLibraryA GetProcAddress 46964->46965 46966 41bd22 GetModuleHandleA GetProcAddress 46964->46966 46967 41bd5b 32 API calls 46965->46967 46968 41bd4b LoadLibraryA GetProcAddress 46965->46968 46966->46965 46967->46671 46968->46967 47350 41a64f FindResourceA 46969->47350 46972 43a89c _Yarn 21 API calls 46973 40e192 _Yarn 46972->46973 46974 401f86 28 API calls 46973->46974 46975 40e1ad 46974->46975 46976 401eef 26 API calls 46975->46976 46977 40e1b8 46976->46977 46978 401eea 26 API calls 46977->46978 46979 40e1c1 46978->46979 46980 43a89c _Yarn 21 API calls 46979->46980 46981 40e1d2 _Yarn 46980->46981 47353 406052 46981->47353 46983 40e205 46983->46673 47001 41afe6 46984->47001 46985 401eea 26 API calls 46986 41b088 46985->46986 46987 401eea 26 API calls 46986->46987 46989 41b090 46987->46989 46988 41b058 46990 403b60 28 API calls 46988->46990 46992 401eea 26 API calls 46989->46992 46993 41b064 46990->46993 46994 40d7c6 46992->46994 46995 401eef 26 API calls 46993->46995 47005 40e8bd 46994->47005 46997 41b06d 46995->46997 46996 401eef 26 API calls 46996->47001 46998 401eea 26 API calls 46997->46998 47000 41b075 46998->47000 46999 401eea 26 API calls 46999->47001 47360 41bfb9 28 API calls 47000->47360 47001->46988 47001->46996 47001->46999 47004 41b056 47001->47004 47356 403b60 47001->47356 47359 41bfb9 28 API calls 47001->47359 47004->46985 47006 40e8ca 47005->47006 47008 40e8da 47006->47008 47377 40200a 26 API calls 47006->47377 47008->46681 47010 401d6c 
47009->47010 47011 401d74 47010->47011 47378 401fff 28 API calls 47010->47378 47011->46688 47015 404ccb 47014->47015 47379 402e78 47015->47379 47017 404cee 47017->46695 47388 404bc4 47018->47388 47020 405cf4 47020->46699 47022 401efe 47021->47022 47024 401f0a 47022->47024 47397 4021b9 26 API calls 47022->47397 47024->46702 47027 401ec9 47025->47027 47026 401ee4 47026->46712 47027->47026 47028 402325 28 API calls 47027->47028 47028->47026 47398 401e8f 47029->47398 47031 40bee1 CreateMutexA GetLastError 47031->46728 47400 41b16b 47032->47400 47034 41a481 47404 412513 RegOpenKeyExA 47034->47404 47037 401eef 26 API calls 47038 41a4af 47037->47038 47039 401eea 26 API calls 47038->47039 47040 41a4b7 47039->47040 47041 412513 31 API calls 47040->47041 47042 41a50a 47040->47042 47043 41a4dd 47041->47043 47042->46733 47044 41a4e8 StrToIntA 47043->47044 47045 41a4ff 47044->47045 47046 41a4f6 47044->47046 47048 401eea 26 API calls 47045->47048 47409 41c112 28 API calls 47046->47409 47048->47042 47050 40698f 47049->47050 47051 4124b7 3 API calls 47050->47051 47052 406996 47051->47052 47052->46745 47052->46746 47054 41ae2c 47053->47054 47410 40b027 47054->47410 47056 41ae34 47056->46758 47058 401e27 47057->47058 47060 401e33 47058->47060 47419 402121 26 API calls 47058->47419 47060->46762 47062 402121 47061->47062 47063 402150 47062->47063 47420 402718 26 API calls _Deallocate 47062->47420 47063->46765 47066 4128c0 47065->47066 47067 406052 28 API calls 47066->47067 47068 4128d5 47067->47068 47069 401fbd 28 API calls 47068->47069 47070 4128e5 47069->47070 47071 4126d2 29 API calls 47070->47071 47072 4128ef 47071->47072 47073 401eea 26 API calls 47072->47073 47074 4128fc 47073->47074 47074->46809 47076 401f6e 47075->47076 47421 402301 47076->47421 47080 412722 47079->47080 47082 4126eb 47079->47082 47081 401eea 26 API calls 47080->47081 47083 40dd3b 47081->47083 47084 4126fd RegSetValueExA RegCloseKey 47082->47084 47083->46812 47084->47080 47086 43a610 _strftime 47085->47086 
47425 43994e 47086->47425 47090 41a747 47089->47090 47091 41a6ac GetLocalTime 47089->47091 47093 401eea 26 API calls 47090->47093 47092 404cbf 28 API calls 47091->47092 47094 41a6ee 47092->47094 47095 41a74f 47093->47095 47096 405ce6 28 API calls 47094->47096 47097 401eea 26 API calls 47095->47097 47099 41a6fa 47096->47099 47098 40ddaa 47097->47098 47098->46836 47459 4027cb 47099->47459 47101 41a706 47102 405ce6 28 API calls 47101->47102 47103 41a712 47102->47103 47462 406478 76 API calls 47103->47462 47105 41a720 47106 401eea 26 API calls 47105->47106 47107 41a72c 47106->47107 47108 401eea 26 API calls 47107->47108 47109 41a735 47108->47109 47110 401eea 26 API calls 47109->47110 47111 41a73e 47110->47111 47112 401eea 26 API calls 47111->47112 47112->47090 47114 409536 _wcslen 47113->47114 47115 409541 47114->47115 47116 409558 47114->47116 47117 40c89e 32 API calls 47115->47117 47118 40c89e 32 API calls 47116->47118 47119 409549 47117->47119 47120 409560 47118->47120 47121 401e18 26 API calls 47119->47121 47122 401e18 26 API calls 47120->47122 47137 409553 47121->47137 47123 40956e 47122->47123 47124 401e13 26 API calls 47123->47124 47125 409576 47124->47125 47482 40856b 28 API calls 47125->47482 47126 401e13 26 API calls 47128 4095ad 47126->47128 47467 409837 47128->47467 47129 409588 47483 4028cf 47129->47483 47133 409593 47134 401e18 26 API calls 47133->47134 47135 40959d 47134->47135 47136 401e13 26 API calls 47135->47136 47136->47137 47137->47126 47662 403b40 47138->47662 47142 41a80d 47143 4028cf 28 API calls 47142->47143 47144 41a817 47143->47144 47145 401e13 26 API calls 47144->47145 47146 41a820 47145->47146 47147 401e13 26 API calls 47146->47147 47148 40dfc3 47147->47148 47148->46889 47150 41248f RegQueryValueExA RegCloseKey 47149->47150 47151 40e08b 47149->47151 47150->47151 47151->46918 47151->46921 47153 4125b0 RegQueryValueExW RegCloseKey 47152->47153 47154 4125dd 47152->47154 47153->47154 47155 403b40 28 API calls 47154->47155 47156 40e0ba 
47155->47156 47156->46930 47158 412992 RegDeleteValueW 47157->47158 47159 4129a6 47157->47159 47158->47159 47160 4129a2 47158->47160 47159->46939 47160->46939 47162 40cbc5 47161->47162 47163 41246e 3 API calls 47162->47163 47164 40cbcc 47163->47164 47168 40cbeb 47164->47168 47684 401602 47164->47684 47166 40cbd9 47687 4127d5 RegCreateKeyA 47166->47687 47169 413fd4 47168->47169 47170 413feb 47169->47170 47704 41aa83 47170->47704 47172 413ff6 47173 401d64 28 API calls 47172->47173 47174 41400f 47173->47174 47175 43a5f7 _strftime 42 API calls 47174->47175 47176 41401c 47175->47176 47177 414021 Sleep 47176->47177 47178 41402e 47176->47178 47177->47178 47179 401f66 28 API calls 47178->47179 47180 41403d 47179->47180 47181 401d64 28 API calls 47180->47181 47182 41404b 47181->47182 47183 401fbd 28 API calls 47182->47183 47184 414053 47183->47184 47185 41afd3 28 API calls 47184->47185 47186 41405b 47185->47186 47708 404262 WSAStartup 47186->47708 47188 414065 47189 401d64 28 API calls 47188->47189 47190 41406e 47189->47190 47191 401d64 28 API calls 47190->47191 47239 4140ed 47190->47239 47192 414087 47191->47192 47193 401d64 28 API calls 47192->47193 47195 414098 47193->47195 47194 401fbd 28 API calls 47194->47239 47197 401d64 28 API calls 47195->47197 47196 41afd3 28 API calls 47196->47239 47198 4140a9 47197->47198 47201 401d64 28 API calls 47198->47201 47199 401d64 28 API calls 47199->47239 47200 4085b4 28 API calls 47200->47239 47202 4140ba 47201->47202 47204 401d64 28 API calls 47202->47204 47203 401eef 26 API calls 47203->47239 47205 4140cb 47204->47205 47207 401d64 28 API calls 47205->47207 47206 401eea 26 API calls 47206->47239 47208 4140dd 47207->47208 47841 404101 87 API calls 47208->47841 47211 414244 WSAGetLastError 47842 41bc86 30 API calls 47211->47842 47215 401f66 28 API calls 47217 414259 47215->47217 47217->47215 47221 401d64 28 API calls 47217->47221 47222 401d8c 26 API calls 47217->47222 47223 43a5f7 _strftime 42 API calls 47217->47223 47217->47239 47259 
41a696 79 API calls 47217->47259 47260 414b22 CreateThread 47217->47260 47261 401eea 26 API calls 47217->47261 47262 401e13 26 API calls 47217->47262 47843 404c9e 28 API calls 47217->47843 47845 40a767 84 API calls 47217->47845 47846 4047eb 98 API calls 47217->47846 47220 404cbf 28 API calls 47220->47239 47221->47217 47222->47217 47225 414b80 Sleep 47223->47225 47224 405ce6 28 API calls 47224->47239 47225->47217 47226 4027cb 28 API calls 47226->47239 47227 401f66 28 API calls 47227->47239 47228 41a696 79 API calls 47228->47239 47231 4082dc 28 API calls 47231->47239 47232 440c61 26 API calls 47232->47239 47233 41265d 3 API calls 47233->47239 47234 412513 31 API calls 47234->47239 47235 403b40 28 API calls 47235->47239 47239->47194 47239->47196 47239->47199 47239->47200 47239->47203 47239->47206 47239->47211 47239->47217 47239->47220 47239->47224 47239->47226 47239->47227 47239->47228 47239->47231 47239->47232 47239->47233 47239->47234 47239->47235 47240 41ad56 28 API calls 47239->47240 47241 401d64 28 API calls 47239->47241 47709 413f9a 47239->47709 47714 4041f1 47239->47714 47721 404915 47239->47721 47736 40428c connect 47239->47736 47796 41a97d 47239->47796 47799 413683 47239->47799 47802 40cbf1 47239->47802 47808 41adfe 47239->47808 47811 41aed8 47239->47811 47240->47239 47242 4144ed GetTickCount 47241->47242 47243 41ad56 28 API calls 47242->47243 47254 414507 47243->47254 47245 41ad56 28 API calls 47245->47254 47248 41aed8 28 API calls 47248->47254 47250 405ce6 28 API calls 47250->47254 47251 40275c 28 API calls 47251->47254 47252 4027cb 28 API calls 47252->47254 47254->47245 47254->47248 47254->47250 47254->47251 47254->47252 47255 401eea 26 API calls 47254->47255 47256 401e13 26 API calls 47254->47256 47815 41acb0 GetLastInputInfo GetTickCount 47254->47815 47816 41ac62 47254->47816 47821 40e679 GetLocaleInfoA 47254->47821 47824 4027ec 28 API calls 47254->47824 47825 4045d5 47254->47825 47844 404468 60 API calls _Yarn 47254->47844 47255->47254 47256->47254 
47259->47217 47260->47217 48003 419e99 104 API calls 47260->48003 47261->47217 47262->47217 47263->46689 47264->46698 47267 4085c0 47266->47267 47268 402e78 28 API calls 47267->47268 47269 4085e4 47268->47269 47269->46720 47271 4124e1 RegQueryValueExA RegCloseKey 47270->47271 47272 41250b 47270->47272 47271->47272 47272->46716 47273->46723 47274->46752 47275->46746 47276->46736 47277->46750 47279 40c8ba 47278->47279 47280 40c8da 47279->47280 47281 40c90f 47279->47281 47282 40c8d0 47279->47282 48004 41a75b 29 API calls 47280->48004 47285 41b16b 2 API calls 47281->47285 47284 40ca03 GetLongPathNameW 47282->47284 47287 403b40 28 API calls 47284->47287 47288 40c914 47285->47288 47286 40c8e3 47289 401e18 26 API calls 47286->47289 47290 40ca18 47287->47290 47291 40c918 47288->47291 47292 40c96a 47288->47292 47330 40c8ed 47289->47330 47293 403b40 28 API calls 47290->47293 47295 403b40 28 API calls 47291->47295 47294 403b40 28 API calls 47292->47294 47297 40ca27 47293->47297 47298 40c978 47294->47298 47296 40c926 47295->47296 47304 403b40 28 API calls 47296->47304 48007 40cc37 28 API calls 47297->48007 47303 403b40 28 API calls 47298->47303 47299 401e13 26 API calls 47299->47282 47301 40ca3a 48008 402860 28 API calls 47301->48008 47306 40c98e 47303->47306 47307 40c93c 47304->47307 47305 40ca45 48009 402860 28 API calls 47305->48009 48006 402860 28 API calls 47306->48006 48005 402860 28 API calls 47307->48005 47311 40ca4f 47314 401e13 26 API calls 47311->47314 47312 40c999 47315 401e18 26 API calls 47312->47315 47313 40c947 47316 401e18 26 API calls 47313->47316 47317 40ca59 47314->47317 47318 40c9a4 47315->47318 47319 40c952 47316->47319 47320 401e13 26 API calls 47317->47320 47321 401e13 26 API calls 47318->47321 47322 401e13 26 API calls 47319->47322 47323 40ca62 47320->47323 47324 40c9ad 47321->47324 47325 40c95b 47322->47325 47326 401e13 26 API calls 47323->47326 47327 401e13 26 API calls 47324->47327 47328 401e13 26 API calls 47325->47328 47329 40ca6b 47326->47329 
47327->47330 47328->47330 47331 401e13 26 API calls 47329->47331 47330->47299 47332 40ca74 47331->47332 47333 401e13 26 API calls 47332->47333 47334 40ca7d 47333->47334 47334->46798 47335->46810 47336->46831 47338 412683 RegQueryValueExA RegCloseKey 47337->47338 47339 4126a7 47337->47339 47338->47339 47339->46791 47340->46824 47341->46860 47342->46870 47343->46894 47344->46882 47345->46915 47347 401e0c 47346->47347 47348->46743 47351 40e183 47350->47351 47352 41a66c LoadResource LockResource SizeofResource 47350->47352 47351->46972 47352->47351 47354 401f86 28 API calls 47353->47354 47355 406066 47354->47355 47355->46983 47361 403c30 47356->47361 47359->47001 47360->47004 47362 403c39 47361->47362 47365 403c59 47362->47365 47366 403c68 47365->47366 47371 4032a4 47366->47371 47368 403c74 47369 402325 28 API calls 47368->47369 47370 403b73 47369->47370 47370->47001 47372 4032b0 47371->47372 47373 4032ad 47371->47373 47376 4032b6 28 API calls 47372->47376 47373->47368 47377->47008 47381 402e85 47379->47381 47380 402ea9 47380->47017 47381->47380 47382 402e98 47381->47382 47384 402eae 47381->47384 47386 403445 28 API calls 47382->47386 47384->47380 47387 40225b 26 API calls 47384->47387 47386->47380 47387->47380 47389 404bd0 47388->47389 47392 40245c 47389->47392 47391 404be4 47391->47020 47393 402469 47392->47393 47395 402478 47393->47395 47396 402ad3 28 API calls 47393->47396 47395->47391 47396->47395 47397->47024 47399 401e94 47398->47399 47401 41b193 47400->47401 47402 41b178 GetCurrentProcess IsWow64Process 47400->47402 47401->47034 47402->47401 47403 41b18f 47402->47403 47403->47034 47405 412541 RegQueryValueExA RegCloseKey 47404->47405 47406 412569 47404->47406 47405->47406 47407 401f66 28 API calls 47406->47407 47408 41257e 47407->47408 47408->47037 47409->47045 47411 40b02f 47410->47411 47414 40b04b 47411->47414 47413 40b045 47413->47056 47415 40b055 47414->47415 47417 40b060 47415->47417 47418 40b138 28 API calls 47415->47418 47417->47413 47418->47417 
47419->47060 47420->47063 47422 40230d 47421->47422 47423 402325 28 API calls 47422->47423 47424 401f80 47423->47424 47424->46803 47443 43a555 47425->47443 47427 43999b 47452 4392ee 38 API calls 2 library calls 47427->47452 47428 439960 47428->47427 47429 439975 47428->47429 47442 40dd54 47428->47442 47450 445364 20 API calls __dosmaperr 47429->47450 47432 43997a 47451 43a837 26 API calls _Deallocate 47432->47451 47433 4399a7 47436 4399d6 47433->47436 47453 43a59a 42 API calls __Tolower 47433->47453 47439 439a42 47436->47439 47454 43a501 26 API calls 2 library calls 47436->47454 47455 43a501 26 API calls 2 library calls 47439->47455 47440 439b09 _strftime 47440->47442 47456 445364 20 API calls __dosmaperr 47440->47456 47442->46818 47442->46820 47444 43a55a 47443->47444 47445 43a56d 47443->47445 47457 445364 20 API calls __dosmaperr 47444->47457 47445->47428 47447 43a55f 47458 43a837 26 API calls _Deallocate 47447->47458 47449 43a56a 47449->47428 47450->47432 47451->47442 47452->47433 47453->47433 47454->47439 47455->47440 47456->47442 47457->47447 47458->47449 47463 401e9b 47459->47463 47461 4027d9 47461->47101 47462->47105 47464 401ea7 47463->47464 47465 40245c 28 API calls 47464->47465 47466 401eb9 47465->47466 47466->47461 47468 409855 47467->47468 47469 4124b7 3 API calls 47468->47469 47470 40985c 47469->47470 47471 409870 47470->47471 47472 40988a 47470->47472 47473 4095cf 47471->47473 47474 409875 47471->47474 47486 4082dc 47472->47486 47473->46855 47477 4082dc 28 API calls 47474->47477 47479 409883 47477->47479 47512 409959 29 API calls 47479->47512 47481 409888 47481->47473 47482->47129 47653 402d8b 47483->47653 47485 4028dd 47485->47133 47487 4082eb 47486->47487 47513 408431 47487->47513 47489 408309 47490 4098a5 47489->47490 47518 40affa 47490->47518 47493 4098f6 47496 401f66 28 API calls 47493->47496 47494 4098ce 47495 401f66 28 API calls 47494->47495 47497 4098d8 47495->47497 47498 409901 47496->47498 47500 41ae18 28 API calls 47497->47500 47499 401f66 
28 API calls 47498->47499 47501 409910 47499->47501 47502 4098e6 47500->47502 47503 41a696 79 API calls 47501->47503 47522 40a876 31 API calls _Yarn 47502->47522 47505 409915 CreateThread 47503->47505 47507 409930 CreateThread 47505->47507 47508 40993c CreateThread 47505->47508 47534 4099a9 47505->47534 47506 4098ed 47509 401eea 26 API calls 47506->47509 47507->47508 47531 409993 47507->47531 47510 401e13 26 API calls 47508->47510 47528 4099b5 47508->47528 47509->47493 47511 409950 47510->47511 47511->47473 47512->47481 47652 40999f 136 API calls 47512->47652 47514 40843d 47513->47514 47516 40845b 47514->47516 47517 402f0d 28 API calls 47514->47517 47516->47489 47517->47516 47520 40b006 47518->47520 47519 4098c3 47519->47493 47519->47494 47520->47519 47523 403b9e 47520->47523 47522->47506 47524 403ba8 47523->47524 47526 403bb3 47524->47526 47527 403cfd 28 API calls 47524->47527 47526->47519 47527->47526 47537 40a3f4 47528->47537 47586 4099e4 47531->47586 47607 409e48 47534->47607 47543 40a402 47537->47543 47538 4099be 47539 40a45c Sleep GetForegroundWindow GetWindowTextLengthW 47540 40b027 28 API calls 47539->47540 47540->47543 47543->47538 47543->47539 47545 41acb0 GetLastInputInfo GetTickCount 47543->47545 47546 40a4a2 GetWindowTextW 47543->47546 47548 401e13 26 API calls 47543->47548 47549 40a5ff 47543->47549 47550 40affa 28 API calls 47543->47550 47552 40a569 Sleep 47543->47552 47555 401f66 28 API calls 47543->47555 47556 40a4f1 47543->47556 47560 405ce6 28 API calls 47543->47560 47562 4028cf 28 API calls 47543->47562 47563 41ae18 28 API calls 47543->47563 47564 409d58 27 API calls 47543->47564 47565 401eea 26 API calls 47543->47565 47566 433529 5 API calls __Init_thread_wait 47543->47566 47567 4338b5 29 API calls __onexit 47543->47567 47568 4334df EnterCriticalSection LeaveCriticalSection SetEvent ResetEvent 47543->47568 47569 4082a8 28 API calls 47543->47569 47571 40b0dd 28 API calls 47543->47571 47572 40ae58 44 API calls 2 library calls 47543->47572 47573 
440c61 47543->47573 47577 404c9e 28 API calls 47543->47577 47545->47543 47546->47543 47548->47543 47551 401e13 26 API calls 47549->47551 47550->47543 47551->47538 47552->47543 47555->47543 47556->47543 47558 4082dc 28 API calls 47556->47558 47570 40a876 31 API calls _Yarn 47556->47570 47558->47556 47560->47543 47562->47543 47563->47543 47564->47543 47565->47543 47566->47543 47567->47543 47568->47543 47569->47543 47570->47556 47571->47543 47572->47543 47574 440c6d 47573->47574 47578 440a5d 47574->47578 47577->47543 47579 440a74 47578->47579 47583 440ab5 47579->47583 47584 445364 20 API calls __dosmaperr 47579->47584 47581 440aab 47585 43a837 26 API calls _Deallocate 47581->47585 47583->47543 47584->47581 47585->47583 47587 409a63 GetMessageA 47586->47587 47588 4099ff GetModuleHandleA SetWindowsHookExA 47586->47588 47589 409a75 TranslateMessage DispatchMessageA 47587->47589 47600 40999c 47587->47600 47588->47587 47590 409a1b GetLastError 47588->47590 47589->47587 47589->47600 47601 41ad56 47590->47601 47594 409a3e 47595 401f66 28 API calls 47594->47595 47596 409a4d 47595->47596 47597 41a696 79 API calls 47596->47597 47598 409a52 47597->47598 47599 401eea 26 API calls 47598->47599 47599->47600 47602 440c61 26 API calls 47601->47602 47603 41ad77 47602->47603 47604 401f66 28 API calls 47603->47604 47605 409a31 47604->47605 47606 404c9e 28 API calls 47605->47606 47606->47594 47608 409e5d Sleep 47607->47608 47627 409d97 47608->47627 47610 4099b2 47611 409eae GetFileAttributesW 47614 409e6f 47611->47614 47612 409e9d CreateDirectoryW 47612->47614 47613 409ec5 SetFileAttributesW 47613->47614 47614->47608 47614->47610 47614->47611 47614->47612 47614->47613 47617 401d64 28 API calls 47614->47617 47618 409f10 47614->47618 47640 41b59f 47614->47640 47616 409f3f PathFileExistsW 47616->47618 47617->47614 47618->47616 47620 401f86 28 API calls 47618->47620 47621 40a048 SetFileAttributesW 47618->47621 47622 406052 28 API calls 47618->47622 47623 401eef 26 API calls 47618->47623 
47624 401eea 26 API calls 47618->47624 47626 401eea 26 API calls 47618->47626 47649 41b62a 32 API calls 47618->47649 47650 41b697 CreateFileW SetFilePointer WriteFile CloseHandle 47618->47650 47620->47618 47621->47614 47622->47618 47623->47618 47624->47618 47626->47614 47628 409e44 47627->47628 47631 409dad 47627->47631 47628->47614 47629 409dcc CreateFileW 47630 409dda GetFileSize 47629->47630 47629->47631 47630->47631 47632 409e0f CloseHandle 47630->47632 47631->47629 47631->47632 47633 409e21 47631->47633 47634 409e04 Sleep 47631->47634 47635 409dfd 47631->47635 47632->47631 47633->47628 47637 4082dc 28 API calls 47633->47637 47634->47632 47651 40a7f0 83 API calls 47635->47651 47638 409e3d 47637->47638 47639 4098a5 127 API calls 47638->47639 47639->47628 47641 41b5b2 CreateFileW 47640->47641 47643 41b5eb 47641->47643 47644 41b5ef 47641->47644 47643->47614 47645 41b606 WriteFile 47644->47645 47646 41b5f6 SetFilePointer 47644->47646 47647 41b61b CloseHandle 47645->47647 47648 41b619 47645->47648 47646->47645 47646->47647 47647->47643 47648->47647 47649->47618 47650->47618 47651->47634 47654 402d97 47653->47654 47657 4030f7 47654->47657 47656 402dab 47656->47485 47658 403101 47657->47658 47660 403115 47658->47660 47661 4036c2 28 API calls 47658->47661 47660->47656 47661->47660 47663 403b48 47662->47663 47669 403b7a 47663->47669 47666 403cbb 47673 403dc2 47666->47673 47668 403cc9 47668->47142 47670 403b86 47669->47670 47671 403b9e 28 API calls 47670->47671 47672 403b5a 47671->47672 47672->47666 47674 403dce 47673->47674 47677 402ffd 47674->47677 47676 403de3 47676->47668 47678 40300e 47677->47678 47679 4032a4 28 API calls 47678->47679 47680 40301a 47679->47680 47682 40302e 47680->47682 47683 4035e8 28 API calls 47680->47683 47682->47676 47683->47682 47690 4395ca 47684->47690 47688 412814 47687->47688 47689 4127ed RegSetValueExA RegCloseKey 47687->47689 47688->47168 47689->47688 47693 43954b 47690->47693 47692 401608 47692->47166 47694 43955a 47693->47694 47695 
43956e 47693->47695 47701 445364 20 API calls __dosmaperr 47694->47701 47700 43956a __alldvrm 47695->47700 47703 447611 11 API calls 2 library calls 47695->47703 47697 43955f 47702 43a837 26 API calls _Deallocate 47697->47702 47700->47692 47701->47697 47702->47700 47703->47700 47707 41aac9 _Yarn ___scrt_fastfail 47704->47707 47705 401f66 28 API calls 47706 41ab3e 47705->47706 47706->47172 47707->47705 47708->47188 47710 413fb3 getaddrinfo WSASetLastError 47709->47710 47711 413fa9 47709->47711 47710->47239 47847 413e37 35 API calls ___std_exception_copy 47711->47847 47713 413fae 47713->47710 47715 404206 socket 47714->47715 47716 4041fd 47714->47716 47718 404220 47715->47718 47719 404224 CreateEventW 47715->47719 47848 404262 WSAStartup 47716->47848 47718->47239 47719->47239 47720 404202 47720->47715 47720->47718 47722 4049b1 47721->47722 47723 40492a 47721->47723 47722->47239 47724 404933 47723->47724 47725 404987 CreateEventA CreateThread 47723->47725 47726 404942 GetLocalTime 47723->47726 47724->47725 47725->47722 47850 404b1d 47725->47850 47727 41ad56 28 API calls 47726->47727 47728 40495b 47727->47728 47849 404c9e 28 API calls 47728->47849 47730 404968 47731 401f66 28 API calls 47730->47731 47732 404977 47731->47732 47733 41a696 79 API calls 47732->47733 47734 40497c 47733->47734 47735 401eea 26 API calls 47734->47735 47735->47725 47737 4043e1 47736->47737 47738 4042b3 47736->47738 47739 4043e7 WSAGetLastError 47737->47739 47740 404343 47737->47740 47738->47740 47742 404cbf 28 API calls 47738->47742 47760 4042e8 47738->47760 47739->47740 47741 4043f7 47739->47741 47740->47239 47743 4043fc 47741->47743 47751 4042f7 47741->47751 47745 4042d4 47742->47745 47859 41bc86 30 API calls 47743->47859 47748 401f66 28 API calls 47745->47748 47747 4042f0 47750 404306 47747->47750 47747->47751 47754 4042e3 47748->47754 47749 40440b 47860 404c9e 28 API calls 47749->47860 47762 404315 47750->47762 47763 40434c 47750->47763 47752 401f66 28 API calls 47751->47752 47753 404448 
47752->47753 47756 401f66 28 API calls 47753->47756 47757 41a696 79 API calls 47754->47757 47759 404457 47756->47759 47757->47760 47758 404418 47761 401f66 28 API calls 47758->47761 47764 41a696 79 API calls 47759->47764 47854 420161 27 API calls 47760->47854 47765 404427 47761->47765 47767 401f66 28 API calls 47762->47767 47856 420f44 56 API calls 47763->47856 47764->47740 47768 41a696 79 API calls 47765->47768 47770 404324 47767->47770 47772 40442c 47768->47772 47769 404354 47773 404389 47769->47773 47774 404359 47769->47774 47771 401f66 28 API calls 47770->47771 47775 404333 47771->47775 47777 401eea 26 API calls 47772->47777 47858 4202fa 28 API calls 47773->47858 47778 401f66 28 API calls 47774->47778 47779 41a696 79 API calls 47775->47779 47777->47740 47781 404368 47778->47781 47782 404338 47779->47782 47780 404391 47783 4043be CreateEventW CreateEventW 47780->47783 47785 401f66 28 API calls 47780->47785 47784 401f66 28 API calls 47781->47784 47855 41dc25 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 47782->47855 47783->47740 47786 404377 47784->47786 47788 4043a7 47785->47788 47789 41a696 79 API calls 47786->47789 47791 401f66 28 API calls 47788->47791 47790 40437c 47789->47790 47857 4205a2 54 API calls 47790->47857 47793 4043b6 47791->47793 47794 41a696 79 API calls 47793->47794 47795 4043bb 47794->47795 47795->47783 47861 41a955 GlobalMemoryStatusEx 47796->47861 47798 41a992 47798->47239 47862 413646 47799->47862 47803 40cc0d 47802->47803 47804 41246e 3 API calls 47803->47804 47806 40cc14 47804->47806 47805 40cc2c 47805->47239 47806->47805 47807 4124b7 3 API calls 47806->47807 47807->47805 47809 401f86 28 API calls 47808->47809 47810 41ae13 47809->47810 47810->47239 47812 41aee5 47811->47812 47813 401f86 28 API calls 47812->47813 47814 41aef7 47813->47814 47814->47239 47815->47254 47817 436060 ___scrt_fastfail 47816->47817 47818 41ac81 GetForegroundWindow GetWindowTextW 47817->47818 47819 403b40 28 API calls 47818->47819 47820 41acab 
                                                     [Continuation of control-flow graph edge list not reproduced; the truncated graph data references the APIs CreateEventA, CreateThread, WaitForSingleObject, CloseHandle, SetEvent, GetTickCount, GetLastInputInfo, IsProcessorFeaturePresent, SetUnhandledExceptionFilter, UnhandledExceptionFilter, GetCurrentProcess, TerminateProcess, Sleep and ExitProcess, plus the CRT helpers _strftime, _Yarn, _free, _Deallocate, __dosmaperr and ___scrt_initialize_default_local_stdio_options]

                                                    Control-flow Graph

                                                    APIs
                                                    • LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD08
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BD11
                                                    • GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD28
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BD2B
                                                    • LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD3D
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BD40
                                                    • LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD51
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BD54
                                                    • LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD65
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                    • LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD75
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                    • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD85
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                    • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD95
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BD98
                                                    • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BDA9
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                    • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDB9
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BDBC
                                                    • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDCD
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BDD0
                                                    • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDE1
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BDE4
                                                    • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDF5
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                    • GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BE05
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BE08
                                                    • LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE16
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BE19
                                                    • LoadLibraryA.KERNEL32(kernel32,GetConsoleWindow,?,?,?,?,0040D783), ref: 0041BE26
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BE29
                                                    • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040D783), ref: 0041BE3B
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BE3E
                                                    • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040D783), ref: 0041BE4B
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BE4E
                                                    • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedTcpTable,?,?,?,?,0040D783), ref: 0041BE60
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BE63
                                                    • LoadLibraryA.KERNEL32(Iphlpapi,GetExtendedUdpTable,?,?,?,?,0040D783), ref: 0041BE70
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041BE73
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressProc$HandleLibraryLoadModule
                                                    • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetExtendedTcpTable$GetExtendedUdpTable$GetMonitorInfoW$GetProcessImageFileNameW$GetSystemTimes$GlobalMemoryStatusEx$Iphlpapi$IsUserAnAdmin$IsWow64Process$Kernel32$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi$SetProcessDEPPolicy$SetProcessDpiAwareness$Shell32$Shlwapi$kernel32$ntdll$shcore$user32
                                                    • API String ID: 384173800-625181639
                                                    • Opcode ID: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                    • Instruction ID: 9dbe04c74af77a7e1246f7e7b4568b240d3cb110e698a9ec5713b860520f9e80
                                                    • Opcode Fuzzy Hash: 0789f4e3f810de028ed60e0db8f6a6efc83e65cfda48e5b03c752fe52fb7e632
                                                    • Instruction Fuzzy Hash: EC31EEA0E4031C7ADA107FB69C49E5B7E9CD940B953110827B508D3162FB7DA980DEEE

                                                    Control-flow Graph

                                                     [Control-flow graph for the function at 0040D767 (root block 40d767-40d7e9, entry via call 41bcf3) not reproduced; graph data references the APIs GetModuleFileNameW, CreateThread (several blocks), StrToIntA, SetProcessDEPPolicy, DeleteFileW and Sleep; executed/not-executed block colouring is not recoverable from the text]
                                                    APIs
                                                      • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(Psapi,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD08
                                                      • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD11
                                                      • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(Kernel32,GetProcessImageFileNameW,?,?,?,?,0040D783), ref: 0041BD28
                                                      • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD2B
                                                      • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD3D
                                                      • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD40
                                                      • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(user32,SetProcessDpiAwareness,?,?,?,?,0040D783), ref: 0041BD51
                                                      • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD54
                                                      • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(ntdll,NtUnmapViewOfSection,?,?,?,?,0040D783), ref: 0041BD65
                                                      • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD68
                                                      • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(kernel32,GlobalMemoryStatusEx,?,?,?,?,0040D783), ref: 0041BD75
                                                      • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD78
                                                      • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040D783), ref: 0041BD85
                                                      • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD88
                                                      • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040D783), ref: 0041BD95
                                                      • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BD98
                                                      • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040D783), ref: 0041BDA9
                                                      • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDAC
                                                      • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040D783), ref: 0041BDB9
                                                      • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDBC
                                                      • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040D783), ref: 0041BDCD
                                                      • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDD0
                                                      • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040D783), ref: 0041BDE1
                                                      • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDE4
                                                      • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040D783), ref: 0041BDF5
                                                      • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BDF8
                                                      • Part of subcall function 0041BCF3: GetModuleHandleA.KERNEL32(kernel32,GetSystemTimes,?,?,?,?,0040D783), ref: 0041BE05
                                                      • Part of subcall function 0041BCF3: GetProcAddress.KERNEL32(00000000), ref: 0041BE08
                                                      • Part of subcall function 0041BCF3: LoadLibraryA.KERNEL32(Shlwapi,0000000C,?,?,?,?,0040D783), ref: 0041BE16
                                                    • GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe,00000104), ref: 0040D790
                                                      • Part of subcall function 0040FCBA: __EH_prolog.LIBCMT ref: 0040FCBF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologName
                                                    • String ID: 0DG$@CG$@CG$Access Level: $Administrator$C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe$Exe$Exe$Inj$Remcos Agent initialized$Rmc-I3QM17$Software\$User$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$XCG$`=G$dCG$del$del$exepath$licence$license_code.txt$BG$BG$BG$BG$BG
                                                    • API String ID: 2830904901-304409456
                                                    • Opcode ID: a1e1641ac996dd8d3d4c21876c80dae499284de3cda9a76a993c65e0cbfa66c7
                                                    • Instruction ID: 3e021a1a4b13f59cbd2257f1e4af8b1458c06fff599f70b9144805750af3581d
                                                    • Opcode Fuzzy Hash: a1e1641ac996dd8d3d4c21876c80dae499284de3cda9a76a993c65e0cbfa66c7
                                                    • Instruction Fuzzy Hash: 31329260B043406ADA18B776DC57BBE269A8FC1748F04443FB8467B2E2DE7C9D45839E

                                                    Control-flow Graph

                                                     [Control-flow graph for the function at 004099E4 (root block 4099e4-4099fd) not reproduced; graph data shows GetModuleHandleA and SetWindowsHookExA in the hook-installation block, GetLastError on the failure path, and a GetMessageA / TranslateMessage / DispatchMessageA message loop; executed/not-executed block colouring is not recoverable from the text]
                                                    APIs
                                                    • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 00409A01
                                                    • SetWindowsHookExA.USER32(0000000D,004099D0,00000000), ref: 00409A0F
                                                    • GetLastError.KERNEL32 ref: 00409A1B
                                                      • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00409A6B
                                                    • TranslateMessage.USER32(?), ref: 00409A7A
                                                    • DispatchMessageA.USER32(?), ref: 00409A85
                                                    Strings
                                                    • Keylogger initialization failure: error , xrefs: 00409A32
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                                                    • String ID: Keylogger initialization failure: error
                                                    • API String ID: 3219506041-952744263
                                                    • Opcode ID: 1c1c47e8679d2b224dd733d0129ac0d0ac4193f5d3ce86d790f17fa939d258fc
                                                    • Instruction ID: 51093fa3456b5fa5e68b97b38f4420b838fb12217e42543f2b1c539fb4fc9beb
                                                    • Opcode Fuzzy Hash: 1c1c47e8679d2b224dd733d0129ac0d0ac4193f5d3ce86d790f17fa939d258fc
                                                    • Instruction Fuzzy Hash: 281194716043015FC710AB7AAC4996B77ECAB94B15B10057FFC45D2291FB34DE01CBAA

                                                    Control-flow Graph

                                                    APIs
                                                      • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                      • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                      • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
                                                    • Sleep.KERNEL32(00000BB8), ref: 0040E603
                                                    • ExitProcess.KERNEL32 ref: 0040E672
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseExitOpenProcessQuerySleepValue
                                                    • String ID: 5.3.0 Pro$override$pth_unenc$BG
                                                    • API String ID: 2281282204-3981147832
                                                    • Opcode ID: ef5e2cde1c6eacbd3823fb9ed910c6fe3935d25d8f4b30635bdf8653ba33eb6e
                                                    • Instruction ID: 5cf4e9032f47a3efac01ff8ef37086889acd92013af90c8396a8a4e29292548f
                                                    • Opcode Fuzzy Hash: ef5e2cde1c6eacbd3823fb9ed910c6fe3935d25d8f4b30635bdf8653ba33eb6e
                                                    • Instruction Fuzzy Hash: 7B21A131B0031027C608767A891BA6F359A9B91719F90443EF805A72D7EE7D8A6083DF

                                                    Control-flow Graph

                                                     [Control-flow graph for the function at 00404915 (root block 404915-404924) not reproduced; graph data shows a GetLocalTime block on the logging path and a CreateEventA / CreateThread block on the common path; executed/not-executed block colouring is not recoverable from the text]
                                                    APIs
                                                    • GetLocalTime.KERNEL32(00000001,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404946
                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00473EE8,004745A8,00000000,?,?,?,?,?,00414D8A,?,00000001), ref: 00404994
                                                    • CreateThread.KERNEL32(00000000,00000000,00404B1D,?,00000000,00000000), ref: 004049A7
                                                    Strings
                                                    • KeepAlive | Enabled | Timeout: , xrefs: 0040495C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Create$EventLocalThreadTime
                                                    • String ID: KeepAlive | Enabled | Timeout:
                                                    • API String ID: 2532271599-1507639952
                                                    • Opcode ID: a36eacb2df50b02e654fe97b9ad9f3b4b14a6fc902c8466c71e8a12677958319
                                                    • Instruction ID: b3b3bd05b27f7402d17ec3e4b95caf04d044377deb2a76ff13a13b362c137b93
                                                    • Opcode Fuzzy Hash: a36eacb2df50b02e654fe97b9ad9f3b4b14a6fc902c8466c71e8a12677958319
                                                    • Instruction Fuzzy Hash: C2113AB19042543AC710A7BA8C09BCB7FAC9F86364F04407BF50462192D7789845CBFA
                                                    APIs
                                                    • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,?,00000001,004326D2,00000024,?,?,?), ref: 0043295C
                                                    • CryptGenRandom.ADVAPI32(?,?,?,?,?,?,?,?,?,0042CBCE,?), ref: 00432972
                                                    • CryptReleaseContext.ADVAPI32(?,00000000,?,?,?,?,?,?,0042CBCE,?), ref: 00432984
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Crypt$Context$AcquireRandomRelease
                                                    • String ID:
                                                    • API String ID: 1815803762-0
                                                    • Opcode ID: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                    • Instruction ID: 265e42ecfadf18463eab4f7c57cd3d944434f2f899047e0b797dffc1cacfdca9
                                                    • Opcode Fuzzy Hash: 04772303a0a25dfd0b8e93efaf4bd4cd6a07a437a7117abaa9b2762516ca9460
                                                    • Instruction Fuzzy Hash: 06E06531318311BBEB310E21BC08F577AE4AF89B72F650A3AF251E40E4D2A288019A1C
                                                    APIs
                                                    • GetComputerNameExW.KERNEL32(00000001,?,0000002B,00474358), ref: 0041A7CF
                                                    • GetUserNameW.ADVAPI32(?,0040DFC3), ref: 0041A7E7
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Name$ComputerUser
                                                    • String ID:
                                                    • API String ID: 4229901323-0
                                                    • Opcode ID: d080141cef9e3990b2f6bec53120ee530cdf67b1126702e4f13589ad74e7334c
                                                    • Instruction ID: 0a408ea7b536296bc4698588bf682dce528bd2697060893402f21fe22c13e40a
                                                    • Opcode Fuzzy Hash: d080141cef9e3990b2f6bec53120ee530cdf67b1126702e4f13589ad74e7334c
                                                    • Instruction Fuzzy Hash: 8801FF7290011CAADB14EB90DC45ADDBBBCEF44715F10017AB501B21D5EFB4AB898A98
                                                    APIs
                                                    • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,004145AD,00473EE8,00474A30,00473EE8,00000000,00473EE8,?,00473EE8,5.3.0 Pro), ref: 0040E68D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: InfoLocale
                                                    • String ID:
                                                    • API String ID: 2299586839-0
                                                    • Opcode ID: 2f0bd58ff2c46692be8fd04023cab22914861fe3b087e1ba55e03f3e1b92ba33
                                                    • Instruction ID: fdf89a5244b67fc368892e36cd71d3b7bc7b33248e42f87f25a9228cb5794c84
                                                    • Opcode Fuzzy Hash: 2f0bd58ff2c46692be8fd04023cab22914861fe3b087e1ba55e03f3e1b92ba33
                                                    • Instruction Fuzzy Hash: E6D05E607002197BEA109291DC0AE9B7A9CE700B66F000165BA01E72C0E9A0AF008AE1
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: recv
                                                    • String ID:
                                                    • API String ID: 1507349165-0
                                                    • Opcode ID: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                    • Instruction ID: fbcf0fb35859d26dd0bec2a34c6193cd90ff2e5205aa97c5c9b80f8ed11fde70
                                                    • Opcode Fuzzy Hash: 7e529be0125f3c130d8a14787ec60c5f2794d52df3155d2474e8bb3275198ed8
                                                    • Instruction Fuzzy Hash: 35B09279118202FFCA051B60DC0887ABEBAABCC381F108D2DB586501B0CA37C451AB26

                                                    Control-flow Graph

                                                    APIs
                                                    • Sleep.KERNEL32(00000000,00000029,004742F8,?,00000000), ref: 00414028
                                                    • WSAGetLastError.WS2_32 ref: 00414249
                                                    • Sleep.KERNEL32(00000000,00000002), ref: 00414B88
                                                      • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Sleep$ErrorLastLocalTime
                                                    • String ID: | $%I64u$5.3.0 Pro$@CG$C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$Exe$Rmc-I3QM17$TLS Off$TLS On $TUF$XCG$XCG$XCG$`=G$dCG$hlight$name$>G$>G$BG
                                                    • API String ID: 524882891-3974114547
                                                    • Opcode ID: d87e8caa7572595075e7298c32b86889769859a0b55a2115f334d47f6d2759e2
                                                    • Instruction ID: 1c0fcd5d2769b0c1ed3f5537d8c306574ebe830810c6f13c8178cbf41d879861
                                                    • Opcode Fuzzy Hash: d87e8caa7572595075e7298c32b86889769859a0b55a2115f334d47f6d2759e2
                                                    • Instruction Fuzzy Hash: 3B525E31A001145ADB18F771DDA6AEE73A59F90708F1041BFB80A771E2EF385E85CA9D

                                                    Control-flow Graph

                                                    APIs
                                                    • __Init_thread_footer.LIBCMT ref: 0040A456
                                                    • Sleep.KERNEL32(000001F4), ref: 0040A461
                                                    • GetForegroundWindow.USER32 ref: 0040A467
                                                    • GetWindowTextLengthW.USER32(00000000), ref: 0040A470
                                                    • GetWindowTextW.USER32(00000000,00000000,00000000), ref: 0040A4A4
                                                    • Sleep.KERNEL32(000003E8), ref: 0040A574
                                                      • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                                                    • String ID: [${ User has been idle for $ minutes }$4]G$4]G$4]G$]
                                                    • API String ID: 911427763-1497357211
                                                    • Opcode ID: 04cc7eafda87e2f954416aa54820f6384b634bf120f851fbe548fbfea1a1b6bc
                                                    • Instruction ID: afbd458ed10e5c7c401a96cf43e60d64e5e0c384de04be689a5a7141a0feef4c
                                                    • Opcode Fuzzy Hash: 04cc7eafda87e2f954416aa54820f6384b634bf120f851fbe548fbfea1a1b6bc
                                                    • Instruction Fuzzy Hash: 8851B1716043409BC224FB21D85AAAE7794BF84318F40493FF846A72D2DF7C9D55869F

                                                    Control-flow Graph

                                                    APIs
                                                    • Sleep.KERNEL32(00001388), ref: 00409E62
                                                      • Part of subcall function 00409D97: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                      • Part of subcall function 00409D97: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                      • Part of subcall function 00409D97: Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                      • Part of subcall function 00409D97: CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409E9E
                                                    • GetFileAttributesW.KERNEL32(00000000), ref: 00409EAF
                                                    • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409EC6
                                                    • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409F40
                                                      • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                                                    • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,00465900,?,00000000,00000000,00000000,00000000,00000000), ref: 0040A049
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                                                    • String ID: @CG$@CG$XCG$XCG$xAG$xAG
                                                    • API String ID: 3795512280-3163867910
                                                    • Opcode ID: 431120ea2e0ec05f5d77566325f4bfbe655a1002eb612d18d4f3077bf3784cb0
                                                    • Instruction ID: 8be46055dc56f0d2ec4b071ca6400761e29966989419bbb2416efbd82a73718c
                                                    • Opcode Fuzzy Hash: 431120ea2e0ec05f5d77566325f4bfbe655a1002eb612d18d4f3077bf3784cb0
                                                    • Instruction Fuzzy Hash: 06517C616043005ACB05BB71D866ABF769AAFD1309F00053FF886B71E2DF3DA945869A

                                                    Control-flow Graph

                                                    APIs
                                                    • connect.WS2_32(?,?,?), ref: 004042A5
                                                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043CB
                                                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,?,?,0040192B), ref: 004043D5
                                                    • WSAGetLastError.WS2_32(?,?,?,0040192B), ref: 004043E7
                                                      • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateEvent$ErrorLastLocalTimeconnect
                                                    • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                                                    • API String ID: 994465650-2151626615
                                                    • Opcode ID: 3ddcc2c8b25d131ed1d8981cf26e6009bfc8be3c208b881942b02508a6528955
                                                    • Instruction ID: feeaa4dc0a5480c3be004408dd81f6e2390fe6c9429734df96c13844dfc6b1ca
                                                    • Opcode Fuzzy Hash: 3ddcc2c8b25d131ed1d8981cf26e6009bfc8be3c208b881942b02508a6528955
                                                    • Instruction Fuzzy Hash: 3E4116B1B002026BCB04B77A8C4B66E7A55AB81354B40016FE901676D3FE79AD6087DF

                                                    Control-flow Graph

                                                    APIs
                                                    • GetLongPathNameW.KERNEL32(00000000,?,00000208), ref: 0040CA04
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LongNamePath
                                                    • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                                                    • API String ID: 82841172-425784914
                                                    • Opcode ID: 5638771ac5714ddadc0d5b1694dde0f121ac45befe08588207784c80853873f1
                                                    • Instruction ID: a37aa742da7f535015bd00beacd4484d13b2c9c5bc690283ee024c69455bfc47
                                                    • Opcode Fuzzy Hash: 5638771ac5714ddadc0d5b1694dde0f121ac45befe08588207784c80853873f1
                                                    • Instruction Fuzzy Hash: 68413A721442009AC214F721DD97DAFB7A4AE90759F10063FB546720E2FE7CAA49C69F

                                                    Control-flow Graph

                                                    APIs
                                                      • Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C
                                                      • Part of subcall function 0041B16B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B183
                                                      • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                      • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                      • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                                    • StrToIntA.SHLWAPI(00000000,0046BC48,?,00000000,00000000,00474358,00000003,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0041A4E9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Process$CloseCurrentOpenQueryValueWow64
                                                    • String ID: (32 bit)$ (64 bit)$0JG$CurrentBuildNumber$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                                                    • API String ID: 782494840-3211212173
                                                    • Opcode ID: 26c60f6affbee6d217ba86e1928e9c23d3fea0a75ab30a776bd0b760c07e420e
                                                    • Instruction ID: ceb3f8158c83cee62a9ab3acf094014ca2543c25b31c887bfc35cbf025930a6e
                                                    • Opcode Fuzzy Hash: 26c60f6affbee6d217ba86e1928e9c23d3fea0a75ab30a776bd0b760c07e420e
                                                    • Instruction Fuzzy Hash: F611CAA050020566C704B765DC9BDBF765ADB90304F40453FB506E31D2EB6C8E8583EE

                                                     Control-flow Graph
                                                    APIs
                                                    • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 0041A54E
                                                    • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 0041A564
                                                    • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 0041A57D
                                                    • InternetCloseHandle.WININET(00000000), ref: 0041A5C3
                                                    • InternetCloseHandle.WININET(00000000), ref: 0041A5C6
                                                    Strings
                                                    • http://geoplugin.net/json.gp, xrefs: 0041A55E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Internet$CloseHandleOpen$FileRead
                                                    • String ID: http://geoplugin.net/json.gp
                                                    • API String ID: 3121278467-91888290
                                                    • Opcode ID: a574e59ae2a6d8659b3b708bfc28c48046a6cfc8e174729ee45d25f2e2c52857
                                                    • Instruction ID: 987b679836a9d55d587b89d74e0435f254c545d991055b4d64d2ada4334a4818
                                                    • Opcode Fuzzy Hash: a574e59ae2a6d8659b3b708bfc28c48046a6cfc8e174729ee45d25f2e2c52857
                                                    • Instruction Fuzzy Hash: C111C4311093126BD224EA169C45DBF7FEDEF86365F00043EF905E2192DB689848C6BA

                                                     Control-flow Graph
                                                    APIs
                                                    • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409E6F), ref: 00409DCD
                                                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409E6F), ref: 00409DDC
                                                    • Sleep.KERNEL32(00002710,?,?,?,00409E6F), ref: 00409E09
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,00409E6F), ref: 00409E10
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$CloseCreateHandleSizeSleep
                                                    • String ID: `AG
                                                    • API String ID: 1958988193-3058481221
                                                    • Opcode ID: b0d5ab9d96485228d01e653f577d9a536d0e325b1c446dee4fcf46d6e6ae2c45
                                                    • Instruction ID: 61dc848fc85204ea7fc5a67171cad01df1347b3512dd41eabc6ad436608203b4
                                                    • Opcode Fuzzy Hash: b0d5ab9d96485228d01e653f577d9a536d0e325b1c446dee4fcf46d6e6ae2c45
                                                    • Instruction Fuzzy Hash: 3A11C4303407406AE731E764E88962B7A9AAB91311F44057EF18562AE3D7389CD1829D

                                                     Control-flow Graph
                                                    APIs
                                                    • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                                                    • RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                                                    • RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseCreateValue
                                                    • String ID: HgF$pth_unenc
                                                    • API String ID: 1818849710-3662775637
                                                    • Opcode ID: 1bd7bc63bfcb718f8a00b857ba0206b1347799401e36ec3cc1597cb67c32c774
                                                    • Instruction ID: d7c223529d0a909ac1d5b5cf1be9cbd74eb10d05c00374dbcf2eb8abb0eb8976
                                                    • Opcode Fuzzy Hash: 1bd7bc63bfcb718f8a00b857ba0206b1347799401e36ec3cc1597cb67c32c774
                                                    • Instruction Fuzzy Hash: 98F09032040104FBCB019FA0ED55EEF37ACEF04751F108139FD06A61A1EA75DE04EA94

                                                    Control-flow Graph

                                                    APIs
                                                    • CreateThread.KERNEL32(00000000,00000000,004099A9,?,00000000,00000000), ref: 0040992A
                                                    • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040993A
                                                    • CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 00409946
                                                      • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                      • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateThread$LocalTimewsprintf
                                                    • String ID: Offline Keylogger Started
                                                    • API String ID: 465354869-4114347211
                                                    • Opcode ID: 7dd086592dd2feb5cbf2408a3828b0047df0053d07ac6005fceb7baaed354c62
                                                    • Instruction ID: 39d66220788a70d2f795ee3c864da876fba87127a7a6d83764b6ce8c19119ba3
                                                    • Opcode Fuzzy Hash: 7dd086592dd2feb5cbf2408a3828b0047df0053d07ac6005fceb7baaed354c62
                                                    • Instruction Fuzzy Hash: 8011A7B25003097ED220BA36DC87CBF765CDA813A8B40053EF845222D3EA785E54C6FB
                                                    APIs
                                                    • RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                    • RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                    • RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseCreateValue
                                                    • String ID: TUF
                                                    • API String ID: 1818849710-3431404234
                                                    • Opcode ID: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                    • Instruction ID: 4d8f19d4f5fba69279ea975c705bdc3302fb28fe13ea63ccb444db4f968143a5
                                                    • Opcode Fuzzy Hash: 386e33d00f3fb5cef405d4ff1ae12e7e359dce24562d3d83ccac8fce873b9f24
                                                    • Instruction Fuzzy Hash: 8DE03071540204BFEF115B909C05FDB3BA8EB05B95F004161FA05F6191D271CE14D7A4
                                                    APIs
                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,?), ref: 00404778
                                                    • CreateThread.KERNEL32(00000000,00000000,?,?,00000000,00000000), ref: 0040478C
                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,?,?,00000000), ref: 00404797
                                                    • CloseHandle.KERNEL32(?,?,00000000,00000000,?,?,00000000), ref: 004047A0
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Create$CloseEventHandleObjectSingleThreadWait
                                                    • String ID:
                                                    • API String ID: 3360349984-0
                                                    • Opcode ID: 72b013782cf94b1f3d34b8331976b904c6ebf93714f67b57431e08570f282644
                                                    • Instruction ID: f4983b6e647f91c6eb1a16b69ab68a2f9d5597509a23169db7b615edd0c6cdea
                                                    • Opcode Fuzzy Hash: 72b013782cf94b1f3d34b8331976b904c6ebf93714f67b57431e08570f282644
                                                    • Instruction Fuzzy Hash: 34417171508301ABC700FB61CC55D7FB7E9AFD5315F00093EF892A32E2EA389909866A
                                                    APIs
                                                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6B5,00000000,00000000,?), ref: 0041B5DE
                                                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040A009,?,00000000,00000000), ref: 0041B5FB
                                                    • WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A009,?,00000000,00000000), ref: 0041B60F
                                                    • CloseHandle.KERNEL32(00000000,?,0040A009,?,00000000,00000000), ref: 0041B61C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$CloseCreateHandlePointerWrite
                                                    • String ID:
                                                    • API String ID: 3604237281-0
                                                    • Opcode ID: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                    • Instruction ID: 3b94612a358327762e597db0d4245ee78264fa841ead315e3e24d1cb8b3ec7b7
                                                    • Opcode Fuzzy Hash: cba3a97e1e2bda49592f8a8e1d6d35a5d6160c6c563f13c2ae5fe5c742252b28
                                                    • Instruction Fuzzy Hash: 3F01F5712082147FE6104F28AC89EBB739DEB96379F14063AF952C22C0D765CC8596BE
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CountEventTick
                                                    • String ID: >G
                                                    • API String ID: 180926312-1296849874
                                                    • Opcode ID: 4dea9cf180482d33175dd0781c2a7a7f11c81ec4a99f4dcef033a069f5296280
                                                    • Instruction ID: 080f125417303e5552765b07387c73e695832f87024c8a27cfac38d5c25ddd71
                                                    • Opcode Fuzzy Hash: 4dea9cf180482d33175dd0781c2a7a7f11c81ec4a99f4dcef033a069f5296280
                                                    • Instruction Fuzzy Hash: 7E5191315042409AC224FB71D8A2AEF73E5AFD1314F40853FF94A671E2EF389949C69E
                                                    APIs
                                                    • CreateMutexA.KERNEL32(00000000,00000001,00000000,0040D9AA,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046556C,00000003,00000000), ref: 0040BEE6
                                                    • GetLastError.KERNEL32 ref: 0040BEF1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateErrorLastMutex
                                                    • String ID: Rmc-I3QM17
                                                    APIs
                                                    • RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                    • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                    • RegCloseKey.KERNEL32(?), ref: 0041255F
                                                    Similarity
                                                    • API ID: CloseOpenQueryValue
                                                    • String ID:
                                                    APIs
                                                    • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                    • RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                    • RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                    Similarity
                                                    • API ID: CloseOpenQueryValue
                                                    • String ID:
                                                    APIs
                                                    • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                    • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                    • RegCloseKey.KERNEL32(?), ref: 00412500
                                                    Similarity
                                                    • API ID: CloseOpenQueryValue
                                                    • String ID:
                                                    APIs
                                                    • RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B996,004660E0), ref: 00412485
                                                    • RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,00000000,?,?,0040B996,004660E0), ref: 00412499
                                                    • RegCloseKey.KERNEL32(?,?,?,0040B996,004660E0), ref: 004124A4
                                                    Similarity
                                                    • API ID: CloseOpenQueryValue
                                                    • String ID:
                                                    APIs
                                                    Similarity
                                                    • API ID: _wcslen
                                                    • String ID: xAG
                                                    APIs
                                                    • GlobalMemoryStatusEx.KERNEL32(?), ref: 0041A969
                                                    Similarity
                                                    • API ID: GlobalMemoryStatus
                                                    • String ID: @
                                                    APIs
                                                    • _free.LIBCMT ref: 0044B9EF
                                                      • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                                                    • RtlReAllocateHeap.NTDLL(00000000,00475D50,?,00000004,00000000,?,0044E91A,00475D50,00000004,?,00475D50,?,?,00443135,00475D50,?), ref: 0044BA2B
                                                    Similarity
                                                    • API ID: AllocateHeap$_free
                                                    • String ID:
                                                    APIs
                                                    • socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                      • Part of subcall function 00404262: WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 00404252
                                                    Similarity
                                                    • API ID: CreateEventStartupsocket
                                                    • String ID:
                                                    APIs
                                                    • GetForegroundWindow.USER32 ref: 0041AC84
                                                    • GetWindowTextW.USER32(00000000,?,00000100), ref: 0041AC97
                                                    Similarity
                                                    • API ID: Window$ForegroundText
                                                    • String ID:
                                                    APIs
                                                    • getaddrinfo.WS2_32(00000000,00000000,00000000,00471B28,00474358,00000000,00414240,00000000,00000001), ref: 00413FBC
                                                    • WSASetLastError.WS2_32(00000000), ref: 00413FC1
                                                      • Part of subcall function 00413E37: GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                                      • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                                      • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                                      • Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                                      • Part of subcall function 00413E37: LoadLibraryA.KERNEL32(?), ref: 00413F27
                                                      • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                                      • Part of subcall function 00413E37: FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                                      • Part of subcall function 00413E37: GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                                    Similarity
                                                    • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                                                    • String ID:
                                                    APIs
                                                    • RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                                                    Similarity
                                                    • API ID: AllocateHeap
                                                    • String ID:
                                                    APIs
                                                    • WSAStartup.WS2_32(00000202,00000000), ref: 00404277
                                                    Similarity
                                                    • API ID: Startup
                                                    • String ID:
                                                    • API String ID: 724789610-0
                                                    • Opcode ID: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                                                    • Instruction ID: eac2355bac846bce9fd0ddf676e945afe2a4b646382637a0be3cadb4b1fbcda1
                                                    • Opcode Fuzzy Hash: 95a2dab67d29c7ac03eac8c0eb79289a66407e1e5cc97b6f0f8b459783d59ee5
                                                    • Instruction Fuzzy Hash: E1D012325596084ED610AAB8AC0F8A47B5CD317611F0003BA6CB5826E3E640661CC6AB
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: send
                                                    • String ID:
                                                    • API String ID: 2809346765-0
                                                    • Opcode ID: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                                                    • Instruction ID: f30177ef1ac25d972003a71432bbdafa3536f6886768dd9ca1b11e7f0a6bf502
                                                    • Opcode Fuzzy Hash: 95a0fd16484bf767f6aff194c57c23075fd16a0a1a5a2095ebc589c6d407ffe4
                                                    • Instruction Fuzzy Hash: 4FB09279118302BFCA051B60DC0887A7EBAABC9381B108C2CB146512B0CA37C490EB36
                                                    APIs
                                                    • SetEvent.KERNEL32(?,?), ref: 00406F28
                                                    • GetFileAttributesW.KERNEL32(00000000,00000000,00000000), ref: 00406FF8
                                                    • DeleteFileW.KERNEL32(00000000), ref: 00407018
                                                      • Part of subcall function 0041B43F: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B499
                                                      • Part of subcall function 0041B43F: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4CB
                                                      • Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B51C
                                                      • Part of subcall function 0041B43F: FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B571
                                                      • Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B578
                                                      • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                      • Part of subcall function 00406BE9: CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                      • Part of subcall function 00406BE9: WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                      • Part of subcall function 00406BE9: CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                      • Part of subcall function 00406BE9: MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                      • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                      • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(00000328,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                                      • Part of subcall function 00404468: SetEvent.KERNEL32(00000328,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00407416
                                                    • GetLogicalDriveStringsA.KERNEL32(00000064,?), ref: 004074F5
                                                    • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 0040773A
                                                    • DeleteFileA.KERNEL32(?), ref: 004078CC
                                                      • Part of subcall function 00407A8C: __EH_prolog.LIBCMT ref: 00407A91
                                                      • Part of subcall function 00407A8C: FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                      • Part of subcall function 00407A8C: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                    • Sleep.KERNEL32(000007D0), ref: 00407976
                                                    • StrToIntA.SHLWAPI(00000000,00000000), ref: 004079BA
                                                      • Part of subcall function 0041BB87: SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC7C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$Find$AttributesCloseDeleteDirectoryEventFirstNextRemove$CreateDriveExecuteH_prologHandleInfoLocalLogicalMoveObjectParametersShellSingleSleepStringsSystemTimeWaitWritesend
                                                    • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $H@G$TTF$Unable to delete: $Unable to rename file!$V>G$open$x@G$x@G$x@G$x@G$>G
                                                    • API String ID: 2918587301-184849705
                                                    • Opcode ID: d91289d3051c322bdd857101a0a8adc0020f2fb1390e52d7e39c11ee2c34041e
                                                    • Instruction ID: 1bc88c7e1bb4371a25effcd92402389f4e4e7f2dfcf0a55fa2f5aa785e242239
                                                    • Opcode Fuzzy Hash: d91289d3051c322bdd857101a0a8adc0020f2fb1390e52d7e39c11ee2c34041e
                                                    • Instruction Fuzzy Hash: CC42A372A043005BC604F776C8979AF76A59F90718F40493FF946771E2EE3CAA09C69B
                                                    APIs
                                                    • __Init_thread_footer.LIBCMT ref: 0040508E
                                                      • Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475D4C,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 004334E9
                                                      • Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 0043351C
                                                      • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                    • __Init_thread_footer.LIBCMT ref: 004050CB
                                                    • CreatePipe.KERNEL32(00475D0C,00475CF4,00475C18,00000000,0046556C,00000000), ref: 0040515E
                                                    • CreatePipe.KERNEL32(00475CF8,00475D14,00475C18,00000000), ref: 00405174
                                                    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00475C28,00475CFC), ref: 004051E7
                                                      • Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,?,00475D4C,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433534
                                                      • Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433571
                                                    • Sleep.KERNEL32(0000012C,00000093,?), ref: 0040523F
                                                    • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 00405264
                                                    • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 00405291
                                                      • Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB
                                                    • WriteFile.KERNEL32(00000000,00000000,?,00000000,00473F98,00465570,00000062,00465554), ref: 0040538E
                                                    • Sleep.KERNEL32(00000064,00000062,00465554), ref: 004053A8
                                                    • TerminateProcess.KERNEL32(00000000), ref: 004053C1
                                                    • CloseHandle.KERNEL32 ref: 004053CD
                                                    • CloseHandle.KERNEL32 ref: 004053D5
                                                    • CloseHandle.KERNEL32 ref: 004053E7
                                                    • CloseHandle.KERNEL32 ref: 004053EF
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseCriticalHandleSection$CreatePipe$EnterFileInit_thread_footerLeaveProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                                                    • String ID: (\G$SystemDrive$cmd.exe$p\G$p\G$p\G$p\G$p\G
                                                    • API String ID: 3815868655-1274243119
                                                    • Opcode ID: bf49341456b4085afcbe2274af5a1afd8befb6bfa4028430823d957bc0f49eac
                                                    • Instruction ID: e174317c0cfdf92f2f57875e471bcaa01af682fbbee25a17085fe39bc952a1f7
                                                    • Opcode Fuzzy Hash: bf49341456b4085afcbe2274af5a1afd8befb6bfa4028430823d957bc0f49eac
                                                    • Instruction Fuzzy Hash: 97910971504705AFD701BB25EC45A2F37A8EB84344F50443FF94ABA2E2DABC9D448B6E
                                                    APIs
                                                    • GetCurrentProcessId.KERNEL32 ref: 00410F45
                                                      • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                      • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                      • Part of subcall function 004127D5: RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                    • OpenMutexA.KERNEL32(00100000,00000000,00000000), ref: 00410F81
                                                    • CreateThread.KERNEL32(00000000,00000000,00411637,00000000,00000000,00000000), ref: 00410FE6
                                                      • Part of subcall function 004124B7: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,?), ref: 004124D7
                                                      • Part of subcall function 004124B7: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,00000000,?,004742F8), ref: 004124F5
                                                      • Part of subcall function 004124B7: RegCloseKey.KERNEL32(?), ref: 00412500
                                                    • CloseHandle.KERNEL32(00000000), ref: 00410F90
                                                      • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                    • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041125A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseOpen$CreateProcessValue$CurrentHandleLocalMutexQueryThreadTime
                                                    • String ID: 0DG$Remcos restarted by watchdog!$TTF$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$rmclient.exe$svchost.exe$BG
                                                    • API String ID: 65172268-329858390
                                                    • Opcode ID: 8a2a67840985eedd0dbda374961972b5c6f523c752149b0273765c4031c1f616
                                                    • Instruction ID: cd90af3caa6d69ca3e9ea8718b5663318d6259183dea3b669bddfb6979e5fbe1
                                                    • Opcode Fuzzy Hash: 8a2a67840985eedd0dbda374961972b5c6f523c752149b0273765c4031c1f616
                                                    • Instruction Fuzzy Hash: 9F718E316042415BC614FB32D8579AE77A4AED4718F40053FF582A21F2EF7CAA49C69F
                                                    APIs
                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B3B4
                                                    • FindClose.KERNEL32(00000000), ref: 0040B3CE
                                                    • FindNextFileA.KERNEL32(00000000,?), ref: 0040B4F1
                                                    • FindClose.KERNEL32(00000000), ref: 0040B517
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Find$CloseFile$FirstNext
                                                    • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                                                    • API String ID: 1164774033-3681987949
                                                    • Opcode ID: 16969a060028ea01768b3e7f8d1dd51863cff663cb6b33d182e29f9985d51af6
                                                    • Instruction ID: 6ff196721abdd8e0f3db8d3f3c96df629808f1f9148939b99990ee587e15bfec
                                                    • Opcode Fuzzy Hash: 16969a060028ea01768b3e7f8d1dd51863cff663cb6b33d182e29f9985d51af6
                                                    • Instruction Fuzzy Hash: 31512C319042195ADB14FBA1EC96AEE7768EF50318F50007FF805B31E2EF389A45CA9D
                                                    APIs
                                                    • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B5B2
                                                    • FindClose.KERNEL32(00000000), ref: 0040B5CC
                                                    • FindNextFileA.KERNEL32(00000000,?), ref: 0040B68C
                                                    • FindClose.KERNEL32(00000000), ref: 0040B6B2
                                                    • FindClose.KERNEL32(00000000), ref: 0040B6D1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Find$Close$File$FirstNext
                                                    • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                                                    • API String ID: 3527384056-432212279
                                                    • Opcode ID: a9a1d2a1cd8360742623f5947b655a78589cbc9ba895ac191cc005815f72155e
                                                    • Instruction ID: 007be0ece90fca0e9f39ea1f272cf2b8da877aadfcc1370f70eac597690c30d9
                                                    • Opcode Fuzzy Hash: a9a1d2a1cd8360742623f5947b655a78589cbc9ba895ac191cc005815f72155e
                                                    • Instruction Fuzzy Hash: A7414B319042196ACB14F7A1EC569EE7768EF21318F50017FF801B31E2EF399A45CA9E
                                                    APIs
                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,?,?,00474358), ref: 0040E233
                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000,?,?,00474358), ref: 0040E25E
                                                    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E27A
                                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E2FD
                                                    • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E30C
                                                      • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                      • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                      • Part of subcall function 004127D5: RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                    • CloseHandle.KERNEL32(00000000,?,?,00474358), ref: 0040E371
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Close$CreateHandleProcess32$FileFirstModuleNameNextSnapshotToolhelp32Value
                                                    • String ID: C:\Program Files(x86)\Internet Explorer\$Inj$ieinstal.exe$ielowutil.exe$BG
                                                    • API String ID: 726551946-3025026198
                                                    • Opcode ID: dc1ad798a35d7444bbbbf078d0d444fc3737f63c90b642ee01f5359e624c1f46
                                                    • Instruction ID: ff5f769c9d2eb9d60ee5c92f3007ac3329fe223f24fa54890becbfeace6a8f7f
                                                    • Opcode Fuzzy Hash: dc1ad798a35d7444bbbbf078d0d444fc3737f63c90b642ee01f5359e624c1f46
                                                    • Instruction Fuzzy Hash: 647182311083019BC714FB61D8519EF77A5BF91358F400D3EF986631E2EF38A919CA9A
                                                    APIs
                                                    • OpenClipboard.USER32 ref: 004159C7
                                                    • EmptyClipboard.USER32 ref: 004159D5
                                                    • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 004159F5
                                                    • GlobalLock.KERNEL32(00000000), ref: 004159FE
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00415A34
                                                    • SetClipboardData.USER32(0000000D,00000000), ref: 00415A3D
                                                    • CloseClipboard.USER32 ref: 00415A5A
                                                    • OpenClipboard.USER32 ref: 00415A61
                                                    • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                    • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                    • CloseClipboard.USER32 ref: 00415A89
                                                      • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                                                    • String ID:
                                                    • API String ID: 3520204547-0
                                                    • Opcode ID: 115af58ca25ac982801086cc968099495571ae34f6290ed4f1dd44d177635a22
                                                    • Instruction ID: 65deba99f03779ab530566add8b8501f772d12743f07501a5a0e0bdfe921cf26
                                                    • Opcode Fuzzy Hash: 115af58ca25ac982801086cc968099495571ae34f6290ed4f1dd44d177635a22
                                                    • Instruction Fuzzy Hash: 232183712043009BC714BBB1EC5AAAE76A9AF80752F00453EFD06961E2EF38C845D66A
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 0$1$2$3$4$5$6$7
                                                    • API String ID: 0-3177665633
                                                    • Opcode ID: 749f6a55d273af1ff276c8e2e6441e457c328e07a3b13567bd2426039e935f4e
                                                    • Instruction ID: 8a7243103da74f60d5bbefacb9012cb64624b509857c51ebf6f1776beea37390
                                                    • Opcode Fuzzy Hash: 749f6a55d273af1ff276c8e2e6441e457c328e07a3b13567bd2426039e935f4e
                                                    • Instruction Fuzzy Hash: EE61B470508301AEDB00EF21C862FEE77E4AF95754F40485EF591672E2DB78AA48C797
                                                    APIs
                                                    • GetForegroundWindow.USER32(?,?,004740F8), ref: 00409B3F
                                                    • GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                    • GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                    • GetKeyState.USER32(00000010), ref: 00409B5C
                                                    • GetKeyboardState.USER32(?,?,004740F8), ref: 00409B67
                                                    • ToUnicodeEx.USER32(0047414C,00000000,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                    • ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                    • ToUnicodeEx.USER32(0047414C,?,?,?,00000010,00000000,00000000), ref: 00409C1C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Unicode$KeyboardStateWindow$ForegroundLayoutProcessThread
                                                    • String ID: X[G
                                                    • API String ID: 1888522110-739899062
                                                    • Opcode ID: 6b40a38aeadb85bfb73805397b44a8e398a18fbf7f02f723f5f91e0a6223020d
                                                    • Instruction ID: b3d75429b008435a5e1dd269aa2dc422b6d7dab2ccd5499d38c457950c038251
                                                    • Opcode Fuzzy Hash: 6b40a38aeadb85bfb73805397b44a8e398a18fbf7f02f723f5f91e0a6223020d
                                                    • Instruction Fuzzy Hash: 7C318F72544308AFE700DF90EC45FDBBBECEB48715F00083ABA45961A1D7B5E948DBA6
                                                    APIs
                                                    • _wcslen.LIBCMT ref: 00406788
                                                    • CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Object_wcslen
                                                    • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                                                    • API String ID: 240030777-3166923314
                                                    • Opcode ID: fb4b37c01a82ea3e6f4d6ea97501aa73dd573a9fa8d004a292a27325ecfbba87
                                                    • Instruction ID: 8131e8b3f96e11b5c9c7103c6ecb9350ac77814929071503a065d606a7b617cc
                                                    • Opcode Fuzzy Hash: fb4b37c01a82ea3e6f4d6ea97501aa73dd573a9fa8d004a292a27325ecfbba87
                                                    • Instruction Fuzzy Hash: A11170B2901118AEDB10FAA58849A9EB7BCDB48714F55007BE905F3281E77C9A148A7D
                                                    APIs
                                                    • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,00474918), ref: 004198E8
                                                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419937
                                                    • GetLastError.KERNEL32 ref: 00419945
                                                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041997D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: EnumServicesStatus$ErrorLastManagerOpen
                                                    • String ID:
                                                    • API String ID: 3587775597-0
                                                    • Opcode ID: 3890bdb0540eb0e670ed260973a12fdff1d758257f1b422d234bde2ff04c0bf6
                                                    • Instruction ID: 19b9a1677c56063b65225fc9a0f34bb07ffc83518ef4baa2b379b487d5559ddd
                                                    • Opcode Fuzzy Hash: 3890bdb0540eb0e670ed260973a12fdff1d758257f1b422d234bde2ff04c0bf6
                                                    • Instruction Fuzzy Hash: 84813F711083049BC714FB21DC959AFB7A8BF94718F50493EF582521E2EF78EA05CB9A
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B499
                                                    • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B4CB
                                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B539
                                                    • DeleteFileW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B546
                                                      • Part of subcall function 0041B43F: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B51C
                                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B571
                                                    • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B578
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,004742E0,004742F8), ref: 0041B580
                                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,?,004742E0,004742F8), ref: 0041B593
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                                                    • String ID:
                                                    • API String ID: 2341273852-0
                                                    • Opcode ID: 0297631c5ee8ecb1d1a4c9aeac50dc6e63fd93f3a2d20230b54752594d88c721
                                                    • Instruction ID: 0b65015344b940e71c8db0708908b2546b6e9c6134e65c3d42cb3d4753665141
                                                    • Opcode Fuzzy Hash: 0297631c5ee8ecb1d1a4c9aeac50dc6e63fd93f3a2d20230b54752594d88c721
                                                    • Instruction Fuzzy Hash: 4D31937180921C6ACB20D771AC49FDA77BCAF08304F4405EBF505D3182EB799AC4CA69
                                                    APIs
                                                    • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 0041301A
                                                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,00000000,00000001), ref: 00413026
                                                      • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                    • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004131ED
                                                    • GetProcAddress.KERNEL32(00000000), ref: 004131F4
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressCloseCreateLibraryLoadProcsend
                                                    • String ID: SHDeleteKeyW$Shlwapi.dll
                                                    • API String ID: 2127411465-314212984
                                                    • Opcode ID: 18a39fcbd2619a0ad7b15b3ace1fa1aaa8af28e14aabfdf4cb9dcfc1e5c535ab
                                                    • Instruction ID: 77d0e0f665ec2cae06f71cdba8331079b705a8b2343c1238c9795aa136ea70b2
                                                    • Opcode Fuzzy Hash: 18a39fcbd2619a0ad7b15b3ace1fa1aaa8af28e14aabfdf4cb9dcfc1e5c535ab
                                                    • Instruction Fuzzy Hash: 0AB1B571A043006BC614BA75CC979BE76989F94718F40063FF946B31E2EF7C9A4486DB
                                                    APIs
                                                    • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040B257
                                                    • GetLastError.KERNEL32 ref: 0040B261
                                                    Strings
                                                    • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040B222
                                                    • [Chrome StoredLogins not found], xrefs: 0040B27B
                                                    • UserProfile, xrefs: 0040B227
                                                    • [Chrome StoredLogins found, cleared!], xrefs: 0040B287
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: DeleteErrorFileLast
                                                    • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                                                    • API String ID: 2018770650-1062637481
                                                    • Opcode ID: 6231a6ec8c0bf8e98c8684e8dd9bafedce4a0939dadfa85d19fb30db5e755b14
                                                    • Instruction ID: b4925b9b145212f78872d6bf605c5cdf000d45b1535ad2fa459343da0bf9ff5a
                                                    • Opcode Fuzzy Hash: 6231a6ec8c0bf8e98c8684e8dd9bafedce4a0939dadfa85d19fb30db5e755b14
                                                    • Instruction Fuzzy Hash: 8C01623168410597CA0577B5ED6F8AE3624E921718F50017FF802731E6FF7A9A0586DE
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                    • OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                    • GetLastError.KERNEL32 ref: 00416B02
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                                                    • String ID: SeShutdownPrivilege
                                                    • API String ID: 3534403312-3733053543
                                                    • Opcode ID: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                    • Instruction ID: c28276ca820f5d67da4083ad645d4fedab17ddc29f560671af9b7c8b6b4fa774
                                                    • Opcode Fuzzy Hash: e04eb0b34037921419aad719b93aaa051d7dc20f4e189cf25d4eb9764effedfd
                                                    • Instruction Fuzzy Hash: 25F0D4B5805229BBDB10ABA1EC4DEEF7EBCEF05656F100061B805E2192D6748A44CAB5
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: __floor_pentium4
                                                    • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                                                    • API String ID: 4168288129-2761157908
                                                    • Opcode ID: c9c150e801306c30e3e6fd676bf91ab99d53cd06d8b99a70f0bcb8a83e562639
                                                    • Instruction ID: e307a384b629b95ff6fef94050d5be06a037bb5012f5a6d22b447047531b26ff
                                                    • Opcode Fuzzy Hash: c9c150e801306c30e3e6fd676bf91ab99d53cd06d8b99a70f0bcb8a83e562639
                                                    • Instruction Fuzzy Hash: 1FC27071E046288FDB25CE28CD447EAB3B5EB44346F1441EBD84DE7242E778AE898F45
                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 004089AE
                                                      • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                      • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                                    • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A8D
                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00408AE0
                                                    • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408AF7
                                                      • Part of subcall function 00404468: WaitForSingleObject.KERNEL32(00000328,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                                      • Part of subcall function 00404468: SetEvent.KERNEL32(00000328,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                                      • Part of subcall function 004047EB: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                                                      • Part of subcall function 004047EB: SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                                                      • Part of subcall function 004047EB: CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00408DA1
                                                      • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Find$CloseEventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsendsocket
                                                    • String ID:
                                                    • API String ID: 4043647387-0
                                                    • Opcode ID: b6d780576700f4933a9aaca3c1beff4f868690156509575001d11b963eafbbf9
                                                    • Instruction ID: 093ddd6807f9b365337d5cb0cb3505b04edbc5c9b0fee964739ae84c01535933
                                                    • Opcode Fuzzy Hash: b6d780576700f4933a9aaca3c1beff4f868690156509575001d11b963eafbbf9
                                                    • Instruction Fuzzy Hash: 50A15C729001089ACB14EBA1DD92AEDB778AF54318F10427FF506B71D2EF385E498B98
                                                    APIs
                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,?,?,0041982A,00000000,00000000), ref: 00419BDD
                                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,?,0041982A,00000000,00000000), ref: 00419BF2
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419BFF
                                                    • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,?,0041982A,00000000,00000000), ref: 00419C0A
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419C1C
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,0041982A,00000000,00000000), ref: 00419C1F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Similarity
                                                    • API ID: Service$CloseHandle$Open$ManagerStart
                                                    • String ID:
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(00000000,?), ref: 00418ECF
                                                    • FindNextFileW.KERNEL32(00000000,?,?), ref: 00418F9B
                                                      • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                                                    Similarity
                                                    • API ID: File$Find$CreateFirstNext
                                                    • String ID: @CG$XCG$>G
                                                    APIs
                                                      • Part of subcall function 00416AB7: GetCurrentProcess.KERNEL32(00000028,?), ref: 00416AC4
                                                      • Part of subcall function 00416AB7: OpenProcessToken.ADVAPI32(00000000), ref: 00416ACB
                                                      • Part of subcall function 00416AB7: LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416ADD
                                                      • Part of subcall function 00416AB7: AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416AFC
                                                      • Part of subcall function 00416AB7: GetLastError.KERNEL32 ref: 00416B02
                                                    • ExitWindowsEx.USER32(00000000,00000001), ref: 0041595B
                                                    • LoadLibraryA.KERNEL32(PowrProf.dll,SetSuspendState,00000000,00000000,00000000), ref: 00415970
                                                    • GetProcAddress.KERNEL32(00000000), ref: 00415977
                                                    Similarity
                                                    • API ID: ProcessToken$AddressAdjustCurrentErrorExitLastLibraryLoadLookupOpenPrivilegePrivilegesProcValueWindows
                                                    • String ID: PowrProf.dll$SetSuspendState
                                                    APIs
                                                    • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00451512,?,00000000), ref: 0045128C
                                                    • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00451512,?,00000000), ref: 004512B5
                                                    • GetACP.KERNEL32(?,?,00451512,?,00000000), ref: 004512CA
                                                    Similarity
                                                    • API ID: InfoLocale
                                                    • String ID: ACP$OCP
                                                    APIs
                                                    • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A660
                                                    • LoadResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A674
                                                    • LockResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A67B
                                                    • SizeofResource.KERNEL32(00000000,?,?,0040E183,00000000), ref: 0041A68A
                                                    Similarity
                                                    • API ID: Resource$FindLoadLockSizeof
                                                    • String ID: SETTINGS
                                                    APIs
                                                      • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                                      • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                      • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                                      • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                      • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
                                                      • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F3B
                                                    • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 004514D3
                                                    • IsValidCodePage.KERNEL32(00000000), ref: 0045152E
                                                    • IsValidLocale.KERNEL32(?,00000001), ref: 0045153D
                                                    • GetLocaleInfoW.KERNEL32(?,00001001,00443CFC,00000040,?,00443E1C,00000055,00000000,?,?,00000055,00000000), ref: 00451585
                                                    • GetLocaleInfoW.KERNEL32(?,00001002,00443D7C,00000040), ref: 004515A4
                                                    Similarity
                                                    • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                                                    • String ID:
                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00407A91
                                                    • FindFirstFileW.KERNEL32(00000000,?,00465AA0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B4A
                                                    • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407B6E
                                                    • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407C76
                                                    Similarity
                                                    • API ID: Find$File$CloseFirstH_prologNext
                                                    • String ID:
                                                    APIs
                                                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448089
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 00448101
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044812E
                                                    • _free.LIBCMT ref: 00448077
                                                      • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A), ref: 00446AEB
                                                      • Part of subcall function 00446AD5: GetLastError.KERNEL32(0000000A,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A,0000000A), ref: 00446AFD
                                                    • _free.LIBCMT ref: 00448243
                                                    Similarity
                                                    • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                                                    • String ID:
                                                    APIs
                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406234
                                                    • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406318
                                                    Strings
                                                    • open, xrefs: 0040622E
                                                    • C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, xrefs: 0040627F, 004063A7
                                                    Similarity
                                                    • API ID: DownloadExecuteFileShell
                                                    • String ID: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe$open
                                                    APIs
                                                    • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ADD
                                                    • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406BA5
                                                      • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                    Similarity
                                                    • API ID: FileFind$FirstNextsend
                                                    • String ID: x@G$x@G
                                                    APIs
                                                    • SystemParametersInfoW.USER32(00000014,00000000,00000000,00000003), ref: 0041BC7C
                                                      • Part of subcall function 004126D2: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 004126E1
                                                      • Part of subcall function 004126D2: RegSetValueExA.KERNEL32(?,HgF,00000000,?,00000000,00000000,004742F8,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412709
                                                      • Part of subcall function 004126D2: RegCloseKey.KERNEL32(?,?,?,0040E5FB,00466748,5.3.0 Pro), ref: 00412714
                                                    Similarity
                                                    • API ID: CloseCreateInfoParametersSystemValue
                                                    • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                                                    • API String ID: 4127273184-3576401099
                                                    APIs
                                                      • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                                      • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                      • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                                      • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443D03,?,?,?,?,?,?,00000004), ref: 00450B71
                                                    • _wcschr.LIBVCRUNTIME ref: 00450C01
                                                    • _wcschr.LIBVCRUNTIME ref: 00450C0F
                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,00443D03,00000000,00443E23), ref: 00450CB2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                                                    • String ID:
                                                    • API String ID: 4212172061-0
                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 00408DAC
                                                    • FindFirstFileW.KERNEL32(00000000,?), ref: 00408E24
                                                    • FindNextFileW.KERNEL32(00000000,?), ref: 00408E4D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileFind$FirstH_prologNext
                                                    • String ID:
                                                    • API String ID: 301083792-0
                                                    APIs
                                                      • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                                      • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                      • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                                      • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                      • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
                                                      • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F3B
                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450ECE
                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450F1F
                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450FDF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorInfoLastLocale$_free$_abort
                                                    • String ID:
                                                    • API String ID: 2829624132-0
                                                    APIs
                                                    • IsDebuggerPresent.KERNEL32(?,?,?,?,?,0000000A), ref: 0043A765
                                                    • SetUnhandledExceptionFilter.KERNEL32(00000000,?,?,?,?,?,0000000A), ref: 0043A76F
                                                    • UnhandledExceptionFilter.KERNEL32(?,?,?,?,?,?,0000000A), ref: 0043A77C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                                                    • String ID:
                                                    • API String ID: 3906539128-0
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32(?,?,0044253A,?,0046DAE0,0000000C,00442691,?,00000002,00000000), ref: 00442585
                                                    • TerminateProcess.KERNEL32(00000000,?,0044253A,?,0046DAE0,0000000C,00442691,?,00000002,00000000), ref: 0044258C
                                                    • ExitProcess.KERNEL32 ref: 0044259E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Process$CurrentExitTerminate
                                                    • String ID:
                                                    • API String ID: 1703294689-0
                                                    APIs
                                                    • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150C3,00000000), ref: 0041ACDC
                                                    • NtSuspendProcess.NTDLL(00000000), ref: 0041ACE9
                                                    • CloseHandle.KERNEL32(00000000,?,?,004150C3,00000000), ref: 0041ACF2
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Process$CloseHandleOpenSuspend
                                                    • String ID:
                                                    • API String ID: 1999457699-0
                                                    APIs
                                                    • OpenProcess.KERNEL32(00000800,00000000,00000000,?,?,004150E8,00000000), ref: 0041AD08
                                                    • NtResumeProcess.NTDLL(00000000), ref: 0041AD15
                                                    • CloseHandle.KERNEL32(00000000,?,?,004150E8,00000000), ref: 0041AD1E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Process$CloseHandleOpenResume
                                                    • String ID:
                                                    • API String ID: 3614150671-0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: .
                                                    • API String ID: 0-248832578
                                                    APIs
                                                    • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,?,?,00000004), ref: 004475FA
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: InfoLocale
                                                    • String ID: GetLocaleInfoEx
                                                    • API String ID: 2299586839-2904428671
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    APIs
                                                    • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,004520DD,?,?,00000008,?,?,00455422,00000000), ref: 0045230F
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExceptionRaise
                                                    • String ID:
                                                    • API String ID: 3997070919-0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 0
                                                    • API String ID: 0-4108050209
                                                    APIs
                                                      • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                                      • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                      • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                                      • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                      • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F2E
                                                      • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F3B
                                                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 0045111E
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast$_free$InfoLocale_abort
                                                    • String ID:
                                                    • API String ID: 1663032902-0
                                                    APIs
                                                      • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                                      • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                      • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                                      • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                    • EnumSystemLocalesW.KERNEL32(00450E7A,00000001,00000000,?,00443CFC,?,004514A7,00000000,?,?,?), ref: 00450DC4
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                    • String ID:
                                                    • API String ID: 1084509184-0
                                                    APIs
                                                      • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                                      • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                      • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                                      • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00451098,00000000,00000000,?), ref: 00451326
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast$InfoLocale_abort_free
                                                    • String ID:
                                                    • API String ID: 2692324296-0
                                                    APIs
                                                      • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                                      • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                      • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                                      • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                    • EnumSystemLocalesW.KERNEL32(004510CA,00000001,?,?,00443CFC,?,0045146B,00443CFC,?,?,?,?,?,00443CFC,?,?), ref: 00450E39
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                    • String ID:
                                                    • API String ID: 1084509184-0
                                                    APIs
                                                      • Part of subcall function 00444ADC: EnterCriticalSection.KERNEL32(-00471558,?,0044226B,00000000,0046DAC0,0000000C,00442226,0000000A,?,?,00448749,0000000A,?,00446F84,00000001,00000364), ref: 00444AEB
                                                    • EnumSystemLocalesW.KERNEL32(00447078,00000001,0046DC48,0000000C), ref: 004470F6
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CriticalEnterEnumLocalesSectionSystem
                                                    • String ID:
                                                    • API String ID: 1272433827-0
                                                    APIs
                                                      • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                                      • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                      • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                                      • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                    • EnumSystemLocalesW.KERNEL32(00450C5E,00000001,?,?,?,004514C9,00443CFC,?,?,?,?,?,00443CFC,?,?,?), ref: 00450D3E
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                                                    • String ID:
                                                    • API String ID: 1084509184-0
                                                    APIs
                                                    • SetUnhandledExceptionFilter.KERNEL32(Function_00033CF3,004339C1), ref: 00433CEC
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExceptionFilterUnhandled
                                                    • String ID:
                                                    • API String ID: 3192549508-0
                                                    Strings
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: BG3i@
                                                    • API String ID: 0-2407888476
                                                    Strings
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 0
                                                    • API String ID: 0-4108050209
                                                    Strings
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: @
                                                    • API String ID: 0-2766056989
                                                    Strings
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: >G
                                                    • API String ID: 0-1296849874
                                                    APIs
                                                    Yara matches
                                                    Similarity
                                                    • API ID: HeapProcess
                                                    • String ID:
                                                    • API String ID: 54951025-0
                                                    • Opcode ID: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                                                    • Instruction ID: 9504a653bcf427532d5064532c05f1d04939bb5561e35e6535c2a7eba45b7a60
                                                    • Opcode Fuzzy Hash: c4eeb5daf7d20212f04cf1a35fe49476965deb7007d4ee0647dc212291e34da0
                                                    • Instruction Fuzzy Hash: 84A00270506201CB57404F756F0525937D9654559170580755409C5571D62585905615
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: b5ca945c73f96586680b794a2cfc8b55e8f7bc2f58380cec5295694457d85c5e
                                                    • Instruction ID: ab2fb9cf530b2f7fc05e48a1b2542d0b548931935014995ce621e12a70c45bd8
                                                    • Opcode Fuzzy Hash: b5ca945c73f96586680b794a2cfc8b55e8f7bc2f58380cec5295694457d85c5e
                                                    • Instruction Fuzzy Hash: D6324621D29F414DE7639634C862336A649AFB73C5F18D737E81AB5AAAEF2CC4C34105
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 56ea352148e3c774f87dcc4cf0de5d49bee8f4798448973f894b3d9cfc24b1ba
                                                    • Instruction ID: 00ae404e09403cbabe28ca0a0a4d3aceb2ea5bd9e999d2a250848967357f0a7a
                                                    • Opcode Fuzzy Hash: 56ea352148e3c774f87dcc4cf0de5d49bee8f4798448973f894b3d9cfc24b1ba
                                                    • Instruction Fuzzy Hash: E532E3796083469BD714CF2AC4807ABB7E1BF84304F444A2EFC958B381D778DD858B8A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 63c6752c91fa09a59911cbec739b695d928ea4d41f79e3f210d04f564ca51bf4
                                                    • Instruction ID: 9583adf114605d02d5e2e19679ce9bf42d3b47f395d82ba1fcfe18c7509b5e77
                                                    • Opcode Fuzzy Hash: 63c6752c91fa09a59911cbec739b695d928ea4d41f79e3f210d04f564ca51bf4
                                                    • Instruction Fuzzy Hash: 59028E717046518FD318CF2EE880536B7E1AF8E301B46867EE586C7391EB34E922CB95
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5fde6092dbaeb595df6386206e95cc36bec498aab372ae6033ef90cb0bf67f56
                                                    • Instruction ID: 08c65c0034c77f162a5e2f762c8ff88aaa906a6fc17fd64b80a7c511c0c0ca56
                                                    • Opcode Fuzzy Hash: 5fde6092dbaeb595df6386206e95cc36bec498aab372ae6033ef90cb0bf67f56
                                                    • Instruction Fuzzy Hash: A3F14B716142548FC314DF1DE89187B73E0BB8A301B460A2EF5C2D7392DB78EA1ADB56
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 60a407b7035b458234a1b4ae8876206eb8531d1806f2b32c6b298a9738e91288
                                                    • Instruction ID: 6072d2ab819a24c58290f472cacd0ace346509952e007a1e49c4d5c76d6a9cd3
                                                    • Opcode Fuzzy Hash: 60a407b7035b458234a1b4ae8876206eb8531d1806f2b32c6b298a9738e91288
                                                    • Instruction Fuzzy Hash: 90D1BF71A083558BC724DE29C88096FB7E4FF88354F442A2EF89597320EB38DD05CB86
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e7326b31f45d4e50c8c50174bee11f9882207dfed74e31d12f4697374e1987de
                                                    • Instruction ID: b3ed2c0ab3c8a1cf02cd55a458d72155988f8fbc7d55d27d708debdf014431d3
                                                    • Opcode Fuzzy Hash: e7326b31f45d4e50c8c50174bee11f9882207dfed74e31d12f4697374e1987de
                                                    • Instruction Fuzzy Hash: AEB1A17951429A8ACB01EF68C4913F63BA1EF6A300F4850B9EC9CCF757D3398506EB24
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                    • Instruction ID: 74e2ef470e0f7eaec2bbcc97644f24ba1b58e581bc817aa34aafa8545d81d3a7
                                                    • Opcode Fuzzy Hash: 93657a121f16255c59120ad0d08fdbba6372c273009ad596b4ecdf6e8f3c6909
                                                    • Instruction Fuzzy Hash: D791A8722080A319D72D423E847403FFFE19A563A1B1BA79FD4F2CB2C5EE18D565DA24
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                                    • Instruction ID: 8d8b5119396e2834e670033089963a3e86919695436a47c170bc2bcb8e078ffc
                                                    • Opcode Fuzzy Hash: 05e0b846b00456d0f1e87463b9d189974beed2fe63262d4392584e128a114ea2
                                                    • Instruction Fuzzy Hash: A691A7762080E35DDB294639843403FFFE15A563A1B1B67AFE4F2CB2C5EE18C568D624
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                    • Instruction ID: eaa300f4f162f1acbdde4decff541324e593f013a6a572b7afaac19ec25842a6
                                                    • Opcode Fuzzy Hash: 40101273f58913c3cb3bc7eb54df01d47b4121c3e67d19f11ec2cb23d33ea445
                                                    • Instruction Fuzzy Hash: F99195722090A319DB2D4239843403FFFE15E5A3A1B1BA79FD4F2CB2C5EE28C564D624
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                                    • Instruction ID: 9b9e3495b2600b5bb57a0f881f66ff577775c96cdfa749367535f2d08535ee8a
                                                    • Opcode Fuzzy Hash: dcaaf3a538fb6447e3283ddd15f45a67438a23807e0f4513107e056d33e47a72
                                                    • Instruction Fuzzy Hash: A3615871E0060867DE386928BC56BBF63A9EB4D304F14395BE883DB381C65DDD42835E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                    • Instruction ID: 82e4230dd5615ab793e8164ae3cdd09518d68db03ee48e672ae2bd39712f48c3
                                                    • Opcode Fuzzy Hash: 70da388f96bbbf26b230a155b4728740b34f0d100ea60ab2bbadb9d7d0befbf0
                                                    • Instruction Fuzzy Hash: FF81EA722080A31DDB2D4239853803FFFE15A563A5B1BA7AFD4F2CB2C5EE18C564D624
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                    • Instruction ID: 1ecc17c6f396bdcf1bd7e257d91ac660bf1aa2674e3e23ad4d3769e79eae6022
                                                    • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                                                    • Instruction Fuzzy Hash: 9751647160460D4BDB34EA6895E77BFA3899B0E344F18350BE582F7782C61DAD02939E
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: aab2813c665c480545fef87c0c14cb93031e59ded8cfa1b4e39f94410d0708d9
                                                    • Instruction ID: 630ecb88457be3648657eb57e3c78cf78304789516621443522bf01dd35d6fbf
                                                    • Opcode Fuzzy Hash: aab2813c665c480545fef87c0c14cb93031e59ded8cfa1b4e39f94410d0708d9
                                                    • Instruction Fuzzy Hash: 81616F32A083159FC308DF75E581A5BB7E5BFCC718F450E1EF489DA151E634EA088B86
                                                    APIs
                                                    • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417FC9
                                                    • CreateCompatibleDC.GDI32(00000000), ref: 00417FD4
                                                      • Part of subcall function 00418462: EnumDisplaySettingsW.USER32(?,000000FF,?), ref: 00418492
                                                    • CreateCompatibleBitmap.GDI32(?,00000000), ref: 00418055
                                                    • DeleteDC.GDI32(?), ref: 0041806D
                                                    • DeleteDC.GDI32(00000000), ref: 00418070
                                                    • SelectObject.GDI32(00000000,00000000), ref: 0041807B
                                                    • StretchBlt.GDI32(00000000,00000000,00000000,00000000,?,?,?,?,00000000,?,00CC0020), ref: 004180A3
                                                    • GetCursorInfo.USER32(?), ref: 004180C5
                                                    • GetIconInfo.USER32(?,?), ref: 004180DB
                                                    • DeleteObject.GDI32(?), ref: 0041810A
                                                    • DeleteObject.GDI32(?), ref: 00418117
                                                    • DrawIcon.USER32(00000000,?,?,?), ref: 00418124
                                                    • BitBlt.GDI32(00000000,00000000,00000000,00000000,?,00000000,00000000,00000000,00660046), ref: 00418154
                                                    • GetObjectA.GDI32(?,00000018,?), ref: 00418183
                                                    • LocalAlloc.KERNEL32(00000040,00000028), ref: 004181CC
                                                    • LocalAlloc.KERNEL32(00000040,00000001), ref: 004181EF
                                                    • GlobalAlloc.KERNEL32(00000000,?), ref: 00418258
                                                    • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041827B
                                                    • DeleteDC.GDI32(?), ref: 0041828F
                                                    • DeleteDC.GDI32(00000000), ref: 00418292
                                                    • DeleteObject.GDI32(00000000), ref: 00418295
                                                    • GlobalFree.KERNEL32(00CC0020), ref: 004182A0
                                                    • DeleteObject.GDI32(00000000), ref: 00418354
                                                    • GlobalFree.KERNEL32(?), ref: 0041835B
                                                    • DeleteDC.GDI32(?), ref: 0041836B
                                                    • DeleteDC.GDI32(00000000), ref: 00418376
                                                    • DeleteDC.GDI32(?), ref: 004183A8
                                                    • DeleteDC.GDI32(00000000), ref: 004183AB
                                                    • DeleteObject.GDI32(?), ref: 004183B1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Delete$Object$AllocCreateGlobal$CompatibleFreeIconInfoLocal$BitmapBitsCursorDisplayDrawEnumSelectSettingsStretch
                                                    • String ID: DISPLAY
                                                    • API String ID: 1352755160-865373369
                                                    • Opcode ID: 4332875b330b260fe317f73885a67b787bcc9eef3312130aa5211c7270dddff5
                                                    • Instruction ID: 6b2ada92df8522405a2cca839f58df11a8e30ba3d3d74bda048dad66fb1953bf
                                                    • Opcode Fuzzy Hash: 4332875b330b260fe317f73885a67b787bcc9eef3312130aa5211c7270dddff5
                                                    • Instruction Fuzzy Hash: 39C17C71508344AFD3209F25DC44BABBBE9FF88751F04092EF989932A1DB34E945CB5A
                                                    APIs
                                                    • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 0041728C
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0041728F
                                                    • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 004172A0
                                                    • GetProcAddress.KERNEL32(00000000), ref: 004172A3
                                                    • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 004172B4
                                                    • GetProcAddress.KERNEL32(00000000), ref: 004172B7
                                                    • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 004172C8
                                                    • GetProcAddress.KERNEL32(00000000), ref: 004172CB
                                                    • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000004,00000000,00000000,?,?), ref: 0041736C
                                                    • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 00417384
                                                    • GetThreadContext.KERNEL32(?,00000000), ref: 0041739A
                                                    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 004173C0
                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00417440
                                                    • TerminateProcess.KERNEL32(?,00000000), ref: 00417454
                                                    • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041748B
                                                    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 00417558
                                                    • SetThreadContext.KERNEL32(?,00000000), ref: 00417575
                                                    • ResumeThread.KERNEL32(?), ref: 00417582
                                                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041759A
                                                    • GetCurrentProcess.KERNEL32(?), ref: 004175A5
                                                    • TerminateProcess.KERNEL32(?,00000000), ref: 004175BF
                                                    • GetLastError.KERNEL32 ref: 004175C7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                                                    • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                                                    • API String ID: 4188446516-3035715614
                                                    • Opcode ID: 0508007fc5a19f335f37bc9d6881170284180ec94406780ecb3836aa2a2a6048
                                                    • Instruction ID: 2a1bc7bdc729258c18c32f0bb95ec7660c06bfb5025054df3919bc75ccc59624
                                                    • Opcode Fuzzy Hash: 0508007fc5a19f335f37bc9d6881170284180ec94406780ecb3836aa2a2a6048
                                                    • Instruction Fuzzy Hash: DFA17CB1508304AFD7209F65DC45B6B7BF9FF48345F00082AF689C2661E779E984CB6A
                                                    APIs
                                                    • CreateMutexA.KERNEL32(00000000,00000001,00000000,004742F8,?,00000000), ref: 004112D4
                                                    • ExitProcess.KERNEL32 ref: 0041151D
                                                      • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                      • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                      • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                      • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                                                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000,?,?,?,?,00000000), ref: 0041135B
                                                    • OpenProcess.KERNEL32(00100000,00000000,T@,?,?,?,?,00000000), ref: 0041136A
                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 00411375
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 0041137C
                                                    • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 00411382
                                                      • Part of subcall function 004127D5: RegCreateKeyA.ADVAPI32(80000001,00000000,TUF), ref: 004127E3
                                                      • Part of subcall function 004127D5: RegSetValueExA.KERNEL32(TUF,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 004127FE
                                                      • Part of subcall function 004127D5: RegCloseKey.KERNEL32(?,?,?,?,0040B94C,004660E0,00000001,000000AF,00465554), ref: 00412809
                                                    • PathFileExistsW.SHLWAPI(?,?,?,?,?,00000000), ref: 004113B3
                                                    • GetTempPathW.KERNEL32(00000104,?,?,?,?,?,?,?,?,00000000), ref: 0041140F
                                                    • GetTempFileNameW.KERNEL32(?,temp_,00000000,?,?,?,?,?,?,?,?,00000000), ref: 00411429
                                                    • lstrcatW.KERNEL32(?,.exe,?,?,?,?,?,?,?,00000000), ref: 0041143B
                                                      • Part of subcall function 0041B59F: SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,0040A009,?,00000000,00000000), ref: 0041B5FB
                                                      • Part of subcall function 0041B59F: WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,0040A009,?,00000000,00000000), ref: 0041B60F
                                                      • Part of subcall function 0041B59F: CloseHandle.KERNEL32(00000000,?,0040A009,?,00000000,00000000), ref: 0041B61C
                                                    • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411483
                                                    • Sleep.KERNEL32(000001F4,?,?,?,?,00000000), ref: 004114C4
                                                    • OpenProcess.KERNEL32(00100000,00000000,?,?,?,?,?,00000000), ref: 004114D9
                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,?,?,?,?,00000000), ref: 004114E4
                                                    • CloseHandle.KERNEL32(00000000,?,?,?,?,00000000), ref: 004114EB
                                                    • GetCurrentProcessId.KERNEL32(?,?,?,?,00000000), ref: 004114F1
                                                      • Part of subcall function 0041B59F: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6B5,00000000,00000000,?), ref: 0041B5DE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$CloseCreateProcess$HandleOpen$CurrentObjectPathSingleTempValueWait$ExecuteExistsExitMutexNamePointerQueryShellSleepWritelstrcat
                                                    • String ID: .exe$0DG$@CG$T@$WDH$exepath$open$temp_
                                                    • API String ID: 4250697656-2665858469
                                                    • Opcode ID: 5dbcded7602185ea070b480d70fb33acaad7b421ae312c9c840d883bd3e5244d
                                                    • Instruction ID: e3cce03e36166c77d6950284f165d3805ee2b23d785f43ba83868d4dcf2b0e5d
                                                    • Opcode Fuzzy Hash: 5dbcded7602185ea070b480d70fb33acaad7b421ae312c9c840d883bd3e5244d
                                                    • Instruction Fuzzy Hash: 1651B671A043156BDB00A7A0AC49EFE736D9B44715F1041BBF905A72D2EF7C8E828A9D
                                                    APIs
                                                      • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                      • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040C38B
                                                    • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C39E
                                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040C3B7
                                                    • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040C3E7
                                                      • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_000099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                                      • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                      • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
                                                      • Part of subcall function 0041B59F: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041B6B5,00000000,00000000,?), ref: 0041B5DE
                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C632
                                                    • ExitProcess.KERNEL32 ref: 0040C63E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                    • String ID: """, 0$")$@CG$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                                                    • API String ID: 1861856835-3168347843
                                                    • Opcode ID: 81cba6c041354eceecb35cbe1aab922463b30a6c1d9d93050eacf49432977c0c
                                                    • Instruction ID: 0897204671ac35a997fd8cee39da091aa0ef4b51e820d3179f4d1f6ac17f39c2
                                                    • Opcode Fuzzy Hash: 81cba6c041354eceecb35cbe1aab922463b30a6c1d9d93050eacf49432977c0c
                                                    • Instruction Fuzzy Hash: CD9184316042005AC314FB25D852ABF7799AF91318F10453FF98AA31E2EF7CAD49C69E
                                                    APIs
                                                    • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 0041A2C2
                                                    • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 0041A2D6
                                                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00465554), ref: 0041A2FE
                                                    • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00473EE8,00000000), ref: 0041A30F
                                                    • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 0041A350
                                                    • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 0041A368
                                                    • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 0041A37D
                                                    • SetEvent.KERNEL32 ref: 0041A39A
                                                    • WaitForSingleObject.KERNEL32(000001F4), ref: 0041A3AB
                                                    • CloseHandle.KERNEL32 ref: 0041A3BB
                                                    • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 0041A3DD
                                                    • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 0041A3E7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                                                    • String ID: alias audio$" type $TUF$close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped$>G
                                                    • API String ID: 738084811-2745919808
                                                    • Opcode ID: 366dc257e76a7d89ff517ca85c94e996c3be762cdb00e461543f6a6bce535d75
                                                    • Instruction ID: 916def08b3adcafa46b043c64cdff30cc67d21214e861a912cda69be872b019d
                                                    • Opcode Fuzzy Hash: 366dc257e76a7d89ff517ca85c94e996c3be762cdb00e461543f6a6bce535d75
                                                    • Instruction Fuzzy Hash: B951C1712442056AD214BB31DC86EBF3B9CDB91758F10043FF456A21E2EF389D9986AF
                                                    APIs
                                                      • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                      • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C013
                                                    • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C026
                                                    • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C056
                                                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,004742F8,?,pth_unenc), ref: 0040C065
                                                      • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_000099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                                      • Part of subcall function 0040AFBA: UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                      • Part of subcall function 0040AFBA: TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
                                                      • Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB6F
                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C280
                                                    • ExitProcess.KERNEL32 ref: 0040C287
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                                                    • String ID: ")$.vbs$@CG$On Error Resume Next$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$`=G$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                                                    • API String ID: 3797177996-1998216422
                                                    • Opcode ID: 172039706f693072dc9d04bdfcccb933a902077c78e676d0b750a38b29d640e1
                                                    • Instruction ID: f1dcdd4a9e546d4cb200c8239a9b7392f8c22d31b5939825df829b517cfed74e
                                                    • Opcode Fuzzy Hash: 172039706f693072dc9d04bdfcccb933a902077c78e676d0b750a38b29d640e1
                                                    • Instruction Fuzzy Hash: 088190316042005BC315FB21D852ABF77A9ABD1308F10453FF986A71E2EF7CAD49869E
                                                    APIs
                                                    • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                    • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401C7E
                                                    • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401C8E
                                                    • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401C9E
                                                    • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401CAE
                                                    • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401CBE
                                                    • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401CCF
                                                    • WriteFile.KERNEL32(00000000,00471B02,00000002,00000000,00000000), ref: 00401CE0
                                                    • WriteFile.KERNEL32(00000000,00471B04,00000004,00000000,00000000), ref: 00401CF0
                                                    • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401D00
                                                    • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401D11
                                                    • WriteFile.KERNEL32(00000000,00471B0E,00000002,00000000,00000000), ref: 00401D22
                                                    • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401D32
                                                    • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401D42
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$Write$Create
                                                    • String ID: RIFF$WAVE$data$fmt
                                                    • API String ID: 1602526932-4212202414
                                                    • Opcode ID: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                    • Instruction ID: 129ba3454a43ec42bedb537cb07bfa8f9eb5569c2d2d4c431363fc199bcfbd5c
                                                    • Opcode Fuzzy Hash: 78ad8e7e5bc68969d37ee031f4dc22a1157de1b6325161424f695ba0fa01d69c
                                                    • Instruction Fuzzy Hash: 66416F726443187AE210DB51DD86FBB7EECEB85F54F40081AFA44D6090E7A4E909DBB3
                                                    APIs
                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe,00000001,004068B2,C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe,00000003,004068DA,004742E0,00406933), ref: 004064F4
                                                    • GetProcAddress.KERNEL32(00000000), ref: 004064FD
                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 0040650E
                                                    • GetProcAddress.KERNEL32(00000000), ref: 00406511
                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 00406522
                                                    • GetProcAddress.KERNEL32(00000000), ref: 00406525
                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 00406536
                                                    • GetProcAddress.KERNEL32(00000000), ref: 00406539
                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 0040654A
                                                    • GetProcAddress.KERNEL32(00000000), ref: 0040654D
                                                    • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 0040655E
                                                    • GetProcAddress.KERNEL32(00000000), ref: 00406561
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressHandleModuleProc
                                                    • String ID: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                                                    • API String ID: 1646373207-4260924088
                                                    • Opcode ID: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                    • Instruction ID: b313d74494c875c8407327c43f2905d2eb3972c2d2e01a1e2b33da4df8ba43a1
                                                    • Opcode Fuzzy Hash: 4215aa750f6926a1b4092da29332a0681cdff8c3ca49fe138229b5bb5280378e
                                                    • Instruction Fuzzy Hash: 1F011EA4E40B1675DB21677A7C54D176EAC9E502917190433B40AF22B1FEBCD410CD7D
                                                    APIs
                                                    • _wcslen.LIBCMT ref: 0040BC75
                                                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040BC8E
                                                    • CopyFileW.KERNEL32(C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe,00000000,00000000,00000000,00000000,00000000,?,00474358,0000000E,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040BD3E
                                                    • _wcslen.LIBCMT ref: 0040BD54
                                                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040BDDC
                                                    • CopyFileW.KERNEL32(C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe,00000000,00000000), ref: 0040BDF2
                                                    • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE31
                                                    • _wcslen.LIBCMT ref: 0040BE34
                                                    • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040BE4B
                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00474358,0000000E), ref: 0040BE9B
                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000001), ref: 0040BEB9
                                                    • ExitProcess.KERNEL32 ref: 0040BED0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                                                    • String ID: 6$C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe$del$open$BG$BG
                                                    • API String ID: 1579085052-7826731
                                                    • Opcode ID: 4d244095d4847cbae713d45db5f80276bba3783f73a4fe09937fc6169b27dde8
                                                    • Instruction ID: 2f106158a8217a69bc194f5c9bf89c81f007fa4859a00edafeef48886470f02c
                                                    • Opcode Fuzzy Hash: 4d244095d4847cbae713d45db5f80276bba3783f73a4fe09937fc6169b27dde8
                                                    • Instruction Fuzzy Hash: DC51B1212082006BD609B722EC52E7F77999F81719F10443FF985A66E2DF3CAD4582EE
                                                    APIs
                                                    • lstrlenW.KERNEL32(?), ref: 0041B1E6
                                                    • _memcmp.LIBVCRUNTIME ref: 0041B1FE
                                                    • lstrlenW.KERNEL32(?), ref: 0041B217
                                                    • FindFirstVolumeW.KERNEL32(?,00000104,?), ref: 0041B252
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,?), ref: 0041B265
                                                    • QueryDosDeviceW.KERNEL32(?,?,00000064), ref: 0041B2A9
                                                    • lstrcmpW.KERNEL32(?,?), ref: 0041B2C4
                                                    • FindNextVolumeW.KERNEL32(?,0000003F,00000104), ref: 0041B2DC
                                                    • _wcslen.LIBCMT ref: 0041B2EB
                                                    • FindVolumeClose.KERNEL32(?), ref: 0041B30B
                                                    • GetLastError.KERNEL32 ref: 0041B323
                                                    • GetVolumePathNamesForVolumeNameW.KERNEL32(?,?,?,?), ref: 0041B350
                                                    • lstrcatW.KERNEL32(?,?), ref: 0041B369
                                                    • lstrcpyW.KERNEL32(?,?), ref: 0041B378
                                                    • GetLastError.KERNEL32 ref: 0041B380
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Volume$ErrorFindLast$lstrlen$CloseDeviceFirstNameNamesNextPathQuery_memcmp_wcslenlstrcatlstrcmplstrcpy
                                                    • String ID: ?
                                                    • API String ID: 3941738427-1684325040
                                                    • Opcode ID: 253fbf654c2f5cfaca5092a796830cee54c98e46980e450b9e065df1a1912948
                                                    • Instruction ID: cf02e0f6f7b7a0e02f5bf76754478950043962dc0518326da89db1c5b002f683
                                                    • Opcode Fuzzy Hash: 253fbf654c2f5cfaca5092a796830cee54c98e46980e450b9e065df1a1912948
                                                    • Instruction Fuzzy Hash: CC4163715087099BD7209FA0EC889EBB7E8EF44755F00093BF951C2261E778C998C7D6
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free$EnvironmentVariable$_wcschr
                                                    • String ID:
                                                    • API String ID: 3899193279-0
                                                    • Opcode ID: 6267e3def292f84dd9e33adbac7387806370fb3e846e7c9bec72720c454fd2de
                                                    • Instruction ID: 310171947c9992e3776b826429fe42b14e002c37e8c837d056816c81c4ebeb3e
                                                    • Opcode Fuzzy Hash: 6267e3def292f84dd9e33adbac7387806370fb3e846e7c9bec72720c454fd2de
                                                    • Instruction Fuzzy Hash: A7D13A71900310AFFB35AF7B888266E77A4BF06328F05416FF905A7381E6799D418B99
                                                    APIs
                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00411C9A
                                                      • Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB6F
                                                      • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                      • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                    • Sleep.KERNEL32(0000000A,00465324), ref: 00411DEC
                                                    • Sleep.KERNEL32(0000000A,00465324,00465324), ref: 00411E8E
                                                    • Sleep.KERNEL32(0000000A,00465324,00465324,00465324), ref: 00411F30
                                                    • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411F91
                                                    • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00411FC8
                                                    • DeleteFileW.KERNEL32(00000000,00465324,00465324,00465324), ref: 00412004
                                                    • Sleep.KERNEL32(000001F4,00465324,00465324,00465324), ref: 0041201E
                                                    • Sleep.KERNEL32(00000064), ref: 00412060
                                                      • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                                                    • String ID: /stext "$HDG$HDG$>G$>G
                                                    • API String ID: 1223786279-3931108886
                                                    • Opcode ID: dd84fb7e7cdabf2e47e208a23127d8f86efb5b2e25be2ef0fbb16d0b89917122
                                                    • Instruction ID: 0ab8a3329a483972d05e881652f5f37e7f84d863b53285be69f93207c3ffadf7
                                                    • Opcode Fuzzy Hash: dd84fb7e7cdabf2e47e208a23127d8f86efb5b2e25be2ef0fbb16d0b89917122
                                                    • Instruction Fuzzy Hash: 890243311083414AC325FB61D891AEFB7D5AFD4308F50493FF98A931E2EF785A49C69A
                                                    APIs
                                                    • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041CAF9
                                                    • GetCursorPos.USER32(?), ref: 0041CB08
                                                    • SetForegroundWindow.USER32(?), ref: 0041CB11
                                                    • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041CB2B
                                                    • Shell_NotifyIconA.SHELL32(00000002,00473B50), ref: 0041CB7C
                                                    • ExitProcess.KERNEL32 ref: 0041CB84
                                                    • CreatePopupMenu.USER32 ref: 0041CB8A
                                                    • AppendMenuA.USER32(00000000,00000000,00000000,Close), ref: 0041CB9F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                                                    • String ID: Close
                                                    • API String ID: 1657328048-3535843008
                                                    • Opcode ID: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                    • Instruction ID: 3771bb7a8ff115e6e52fbd1847cd0ce42a02f589590b945df095e749b0e49bf2
                                                    • Opcode Fuzzy Hash: 17791859dac929b483a24ff72816a8478769eebc5405c417f6cbcdd658e3cffe
                                                    • Instruction Fuzzy Hash: FF212A31148205FFDB064F64FD4EEAA3F25EB04712F004035B906E41B2D7B9EAA1EB18
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free$Info
                                                    • String ID:
                                                    • API String ID: 2509303402-0
                                                    • Opcode ID: 92603ff5876a01059927d2e021ea2dcfde124e6bc6800bb968541682ce1897e5
                                                    • Instruction ID: 94cb3ffe265cc5bcc4c1ad3ae65ec97d3e38ea61109583f3198c5827e9e35c68
                                                    • Opcode Fuzzy Hash: 92603ff5876a01059927d2e021ea2dcfde124e6bc6800bb968541682ce1897e5
                                                    • Instruction Fuzzy Hash: 22B19D71900A05AFEF11DFA9C881BEEBBB5FF09304F14416EE855B7342DA799C418B64
                                                    APIs
                                                    • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00407F4C
                                                    • GetFileSizeEx.KERNEL32(00000000,00000000), ref: 00407FC2
                                                    • __aulldiv.LIBCMT ref: 00407FE9
                                                    • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 0040810D
                                                    • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 00408128
                                                    • CloseHandle.KERNEL32(00000000), ref: 00408200
                                                    • CloseHandle.KERNEL32(00000000,00000052,00000000,?), ref: 0040821A
                                                    • CloseHandle.KERNEL32(00000000), ref: 00408256
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$CloseHandle$CreatePointerReadSize__aulldiv
                                                    • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller: $>G
                                                    • API String ID: 1884690901-3066803209
                                                    • Opcode ID: b4bf83234e7876ad0386de0079e022938b9164f4f2de2980decd81bcee1f3e40
                                                    • Instruction ID: 4837f293f8898be8956b4197083d1ab2d903a2927be0ecc228378ed3697c5d3b
                                                    • Opcode Fuzzy Hash: b4bf83234e7876ad0386de0079e022938b9164f4f2de2980decd81bcee1f3e40
                                                    • Instruction Fuzzy Hash: 01B191715083409BC214FB25C892BAFB7E5ABD4314F40493EF889632D2EF789945CB9B
                                                    APIs
                                                    • GetSystemDirectoryA.KERNEL32(?,00000104), ref: 00413E86
                                                    • LoadLibraryA.KERNEL32(?), ref: 00413EC8
                                                    • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413EE8
                                                    • FreeLibrary.KERNEL32(00000000), ref: 00413EEF
                                                    • LoadLibraryA.KERNEL32(?), ref: 00413F27
                                                    • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 00413F39
                                                    • FreeLibrary.KERNEL32(00000000), ref: 00413F40
                                                    • GetProcAddress.KERNEL32(00000000,?), ref: 00413F4F
                                                    • FreeLibrary.KERNEL32(00000000), ref: 00413F66
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Library$AddressFreeProc$Load$DirectorySystem
                                                    • String ID: \ws2_32$\wship6$getaddrinfo
                                                    • API String ID: 2490988753-3078833738
                                                    • Opcode ID: 7f25833e8af2b845701e4bccc7340468b757da4176a2c43d0743638068d0b7b5
                                                    • Instruction ID: f97e29e5006070a0e8b03c0efb597ee3aef86c3529fe4be05370ae17daaf5a45
                                                    • Opcode Fuzzy Hash: 7f25833e8af2b845701e4bccc7340468b757da4176a2c43d0743638068d0b7b5
                                                    • Instruction Fuzzy Hash: C331C4B1906315ABD320AF65DC44ACBB7ECEF44745F400A2AF844D7201D778DA858AEE
                                                    APIs
                                                    • ___free_lconv_mon.LIBCMT ref: 004500C1
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F310
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F322
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F334
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F346
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F358
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F36A
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F37C
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F38E
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3A0
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3B2
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3C4
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3D6
                                                      • Part of subcall function 0044F2F3: _free.LIBCMT ref: 0044F3E8
                                                    • _free.LIBCMT ref: 004500B6
                                                      • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A), ref: 00446AEB
                                                      • Part of subcall function 00446AD5: GetLastError.KERNEL32(0000000A,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A,0000000A), ref: 00446AFD
                                                    • _free.LIBCMT ref: 004500D8
                                                    • _free.LIBCMT ref: 004500ED
                                                    • _free.LIBCMT ref: 004500F8
                                                    • _free.LIBCMT ref: 0045011A
                                                    • _free.LIBCMT ref: 0045012D
                                                    • _free.LIBCMT ref: 0045013B
                                                    • _free.LIBCMT ref: 00450146
                                                    • _free.LIBCMT ref: 0045017E
                                                    • _free.LIBCMT ref: 00450185
                                                    • _free.LIBCMT ref: 004501A2
                                                    • _free.LIBCMT ref: 004501BA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                                                    • String ID:
                                                    • API String ID: 161543041-0
                                                    • Opcode ID: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                    • Instruction ID: 71386be3831ae4e36ed8ba8c0666741f952bc44bbd11cc85bbb3aa2ad55dcdb0
                                                    • Opcode Fuzzy Hash: bcc467a133590e08c2246ffecdc9577bb20b6303625806e8b1892e2aaa35b24d
                                                    • Instruction Fuzzy Hash: D5318135600B009FEB30AA39D845B5773E9EF02325F11842FE849E7692DF79AD88C719
                                                    APIs
                                                    • __EH_prolog.LIBCMT ref: 0041913D
                                                    • GdiplusStartup.GDIPLUS(00473AF0,?,00000000), ref: 0041916F
                                                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 004191FB
                                                    • Sleep.KERNEL32(000003E8), ref: 0041927D
                                                    • GetLocalTime.KERNEL32(?), ref: 0041928C
                                                    • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00419375
                                                    Similarity
                                                    • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                                                    • String ID: XCG$XCG$XCG$time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                                                    • API String ID: 489098229-65789007
                                                    • Opcode ID: 9197c4a2a1c1e5ce950a89398449fe3ef2bf9bb46c4814cba73f7eb8f52c582d
                                                    • Instruction ID: 451d4021779863bb8065bd5e36f4a774b326d3833db1a6038cb7dac0f018a91b
                                                    • Opcode Fuzzy Hash: 9197c4a2a1c1e5ce950a89398449fe3ef2bf9bb46c4814cba73f7eb8f52c582d
                                                    • Instruction Fuzzy Hash: 56519071A002449ACB14BBB5D866AFE7BA9AB45304F00407FF849B71D2EF3C5D85C799
                                                    APIs
                                                      • Part of subcall function 00411699: TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                      • Part of subcall function 00411699: WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                      • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                      • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                      • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040C6C7
                                                    • ShellExecuteW.SHELL32(00000000,open,00000000,00465900,00465900,00000000), ref: 0040C826
                                                    • ExitProcess.KERNEL32 ref: 0040C832
                                                    Similarity
                                                    • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                                                    • String ID: """, 0$.vbs$@CG$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                                                    • API String ID: 1913171305-390638927
                                                    • Opcode ID: 9d9593f7d2fff8419b7a4165c874335f1e1c4ca55b8004b043af397299dbfd4c
                                                    • Instruction ID: 3122975e65398275e0c1a8e950e5c558235310b29c64ef4ed93c25b66c9664dc
                                                    • Opcode Fuzzy Hash: 9d9593f7d2fff8419b7a4165c874335f1e1c4ca55b8004b043af397299dbfd4c
                                                    • Instruction Fuzzy Hash: A6414C329001185ACB14F761DC56DFE7779AF50718F50417FF906B30E2EE386A8ACA99
                                                    APIs
                                                    Similarity
                                                    • API ID: _free
                                                    • String ID:
                                                    • API String ID: 269201875-0
                                                    • Opcode ID: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                                    • Instruction ID: d73775b2238990a9214358b8270f61d1b8324a28925b392a315ea9bfa7ac6158
                                                    • Opcode Fuzzy Hash: 6a70e4c358ef45cffe19a9afdbed41fda2ec9c769272c29d9eaec76f650a350b
                                                    • Instruction Fuzzy Hash: 89C16672D40204AFEB20DBA8CC82FEF77F8AB05714F15446AFA44FB282D6749D458768
                                                    APIs
                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 004047FD
                                                    • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404808
                                                    • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404811
                                                    • closesocket.WS2_32(000000FF), ref: 0040481F
                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404856
                                                    • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404867
                                                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0040486E
                                                    • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404880
                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404885
                                                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 0040488A
                                                    • SetEvent.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 00404895
                                                    • CloseHandle.KERNEL32(?,?,?,?,00000000,?,00404B8E,?,?,?,00404B26), ref: 0040489A
                                                    Similarity
                                                    • API ID: CloseEventHandle$ObjectSingleWait$closesocket
                                                    • String ID:
                                                    • API String ID: 3658366068-0
                                                    • Opcode ID: 8839b1e3ce5f0ca92630ed3addc8668ddbef0a342dde1beb3290f4e349eef524
                                                    • Instruction ID: 6857b948c75ecf5e4d11b49f17ebd09eceef1c2fbc6fc14a1e153603fddcf20a
                                                    • Opcode Fuzzy Hash: 8839b1e3ce5f0ca92630ed3addc8668ddbef0a342dde1beb3290f4e349eef524
                                                    • Instruction Fuzzy Hash: 7A212C71144B149FDB216B26EC45A27BBE1EF40325F104A7EF2E212AF1CB76E851DB48
                                                    APIs
                                                      • Part of subcall function 00454660: CreateFileW.KERNEL32(00000000,?,?,;JE,?,?,00000000,?,00454A3B,00000000,0000000C), ref: 0045467D
                                                    • GetLastError.KERNEL32 ref: 00454AA6
                                                    • __dosmaperr.LIBCMT ref: 00454AAD
                                                    • GetFileType.KERNEL32(00000000), ref: 00454AB9
                                                    • GetLastError.KERNEL32 ref: 00454AC3
                                                    • __dosmaperr.LIBCMT ref: 00454ACC
                                                    • CloseHandle.KERNEL32(00000000), ref: 00454AEC
                                                    • CloseHandle.KERNEL32(?), ref: 00454C36
                                                    • GetLastError.KERNEL32 ref: 00454C68
                                                    • __dosmaperr.LIBCMT ref: 00454C6F
                                                    Similarity
                                                    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                                                    • String ID: H
                                                    • API String ID: 4237864984-2852464175
                                                    • Opcode ID: 43154248a50fd66e96ac6d70bada307b7577a7ac671062952f04f408382b00d8
                                                    • Instruction ID: 2939135f81ce6efcdbf1290aa78a9ad6619f21b9340f77aa2193fadd435c2af6
                                                    • Opcode Fuzzy Hash: 43154248a50fd66e96ac6d70bada307b7577a7ac671062952f04f408382b00d8
                                                    • Instruction Fuzzy Hash: 9FA13732A041448FDF19DF68D8527AE7BA0EB46329F14015EFC019F392DB399C96C75A
                                                    Similarity
                                                    • API ID:
                                                    • String ID: 65535$udp
                                                    • API String ID: 0-1267037602
                                                    • Opcode ID: ed3283d9ee94cadc099f5c83048f767ee72ed986ddea0764ae1f3250d10f5e6e
                                                    • Instruction ID: 18155c1335c00501c0bec8b6c43ed7e13bdec9a75575f631fadbade58ebc7fa9
                                                    • Opcode Fuzzy Hash: ed3283d9ee94cadc099f5c83048f767ee72ed986ddea0764ae1f3250d10f5e6e
                                                    • Instruction Fuzzy Hash: 5C411971604301ABD7209F29E9057AB77D8EF85706F04082FF84597391D76DCEC1866E
                                                    APIs
                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00465554), ref: 00416F24
                                                    • CloseHandle.KERNEL32(00000000), ref: 00416F2D
                                                    • DeleteFileA.KERNEL32(00000000), ref: 00416F3C
                                                    • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416EF0
                                                      • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                    Similarity
                                                    • API ID: CloseDeleteExecuteFileHandleObjectShellSingleWaitsend
                                                    • String ID: <$@$@FG$@FG$TUF$Temp
                                                    • API String ID: 1107811701-4124992407
                                                    • Opcode ID: 2ef96a9cb1d95fb64f0202d71f3a89862d1029e439683586224ce07dc8cb56e9
                                                    • Instruction ID: 31b483d39f6b5d6935d3c54cd29663daa4ef68f058b88688fc76c4b473729b01
                                                    • Opcode Fuzzy Hash: 2ef96a9cb1d95fb64f0202d71f3a89862d1029e439683586224ce07dc8cb56e9
                                                    • Instruction Fuzzy Hash: 3C318B319002099BCB04FBA1DC56AFE7775AF50308F00417EF906760E2EF785A8ACB99
                                                    APIs
                                                    • GetCurrentProcess.KERNEL32(00474A48,00000000,BG3i@,00003000,00000004,00000000,00000001), ref: 00406647
                                                    • GetCurrentProcess.KERNEL32(00474A48,00000000,00008000,?,00000000,00000001,00000000,004068BB,C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe), ref: 00406705
                                                    Similarity
                                                    • API ID: CurrentProcess
                                                    • String ID: PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$pUF$windir$BG3i@
                                                    • API String ID: 2050909247-1144799832
                                                    • Opcode ID: df9848ee821d52fd5067d4fed09af5d5a7b0c3927120527d7347017cd794abcf
                                                    • Instruction ID: 85e9bb49d37c82d50cc0a876bfe2e9cbcca00efa80d213bdcfc81b1d75d5651e
                                                    • Opcode Fuzzy Hash: df9848ee821d52fd5067d4fed09af5d5a7b0c3927120527d7347017cd794abcf
                                                    • Instruction Fuzzy Hash: FF31CA75240300AFC310AB6DEC49F6A7768EB44705F11443EF50AA76E1EB7998508B6D
                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393C9
                                                    • GetLastError.KERNEL32(?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004393D6
                                                    • __dosmaperr.LIBCMT ref: 004393DD
                                                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439409
                                                    • GetLastError.KERNEL32(?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439413
                                                    • __dosmaperr.LIBCMT ref: 0043941A
                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401AD8,?), ref: 0043945D
                                                    • GetLastError.KERNEL32(?,?,?,?,?,?,00401AD8,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439467
                                                    • __dosmaperr.LIBCMT ref: 0043946E
                                                    • _free.LIBCMT ref: 0043947A
                                                    • _free.LIBCMT ref: 00439481
                                                    Similarity
                                                    • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                                                    • String ID:
                                                    • API String ID: 2441525078-0
                                                    • Opcode ID: 684e6fef7141b114c3b5ff973dde56bcea396d28ee1fdac90182f4155713f89e
                                                    • Instruction ID: 6a201652548b5938c51769f65cd316b483991bd1e06270b2389e89ad89b884a4
                                                    • Opcode Fuzzy Hash: 684e6fef7141b114c3b5ff973dde56bcea396d28ee1fdac90182f4155713f89e
                                                    • Instruction Fuzzy Hash: AA31007280860ABFDF11AFA5DC45CAF3B78EF09364F10416AF81096291DB79CC11DBA9
                                                    APIs
                                                    • SetEvent.KERNEL32(?,?), ref: 00404E71
                                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 00404F21
                                                    • TranslateMessage.USER32(?), ref: 00404F30
                                                    • DispatchMessageA.USER32(?), ref: 00404F3B
                                                    • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00473F80), ref: 00404FF3
                                                    • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 0040502B
                                                      • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                                                    • String ID: CloseChat$DisplayMessage$GetMessage
                                                    • API String ID: 2956720200-749203953
                                                    • Opcode ID: ed276ae60632ddb1123add7be1ccbfba2608c39a5df5d2a815a288664d31e13e
                                                    • Instruction ID: 321c3fbec734f1f8b9fff4e8d6f05c27936dabaea61c0bf38d797d3438e015d2
                                                    • Opcode Fuzzy Hash: ed276ae60632ddb1123add7be1ccbfba2608c39a5df5d2a815a288664d31e13e
                                                    • Instruction Fuzzy Hash: F641BEB16043016BC614FB75D85A8AE77A8ABC1714F00093EF906A31E6EF38DA04C79A
                                                    APIs
                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CA4
                                                    • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CBB
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CC8
                                                    • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CD7
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CE8
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CEB
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Service$CloseHandle$Open$ControlManager
                                                    • String ID:
                                                    • API String ID: 221034970-0
                                                    • Opcode ID: 83979f30ba13052199b290374f4e897ff0c223aa30bace9cb26b013bf86a6d8f
                                                    • Instruction ID: 64b7f8b9d702139b787b45b2ac21df1fde646642379ff803e7b0347eb9faadae
                                                    • Opcode Fuzzy Hash: 83979f30ba13052199b290374f4e897ff0c223aa30bace9cb26b013bf86a6d8f
                                                    • Instruction Fuzzy Hash: 8711C631901218AFD7116B64EC85DFF3BECDB46BA1B000036F942921D1DB64CD46AAF5
                                                    APIs
                                                    • _free.LIBCMT ref: 00446DEF
                                                      • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A), ref: 00446AEB
                                                      • Part of subcall function 00446AD5: GetLastError.KERNEL32(0000000A,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A,0000000A), ref: 00446AFD
                                                    • _free.LIBCMT ref: 00446DFB
                                                    • _free.LIBCMT ref: 00446E06
                                                    • _free.LIBCMT ref: 00446E11
                                                    • _free.LIBCMT ref: 00446E1C
                                                    • _free.LIBCMT ref: 00446E27
                                                    • _free.LIBCMT ref: 00446E32
                                                    • _free.LIBCMT ref: 00446E3D
                                                    • _free.LIBCMT ref: 00446E48
                                                    • _free.LIBCMT ref: 00446E56
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    • Opcode ID: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                    • Instruction ID: 4059f081e6094245f9dcb18e84e070fbb06f55adf0c09f86c969ccb3ae0415ae
                                                    • Opcode Fuzzy Hash: 97a3f4e44069bc11c8e401312368c96959fa26c4fc1008248271593ee2688753
                                                    • Instruction Fuzzy Hash: 0E11CB7550051CBFDB05EF55C842CDD3B76EF06364B42C0AAF9086F222DA75DE509B85
                                                    APIs
                                                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041B856
                                                    • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B89A
                                                    • RegCloseKey.ADVAPI32(?), ref: 0041BB64
                                                    Strings
                                                    • DisplayName, xrefs: 0041B8E1
                                                    • Software\Microsoft\Windows\CurrentVersion\Uninstall, xrefs: 0041B84C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseEnumOpen
                                                    • String ID: DisplayName$Software\Microsoft\Windows\CurrentVersion\Uninstall
                                                    • API String ID: 1332880857-3614651759
                                                    • Opcode ID: 076c50df7618aadf373f3c01ed9bd4609fd971215d56056228721ff8a86bdb77
                                                    • Instruction ID: efd277ba010ae8e34e1206f32af9d70b7e49420e91acd4d446967662cfc0484b
                                                    • Opcode Fuzzy Hash: 076c50df7618aadf373f3c01ed9bd4609fd971215d56056228721ff8a86bdb77
                                                    • Instruction Fuzzy Hash: 67813E311082449BD324EB21DC51AEFB7E9FFD4314F10493FB586921E1EF34AA49CA9A
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Eventinet_ntoa
                                                    • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse$>G
                                                    • API String ID: 3578746661-4192532303
                                                    • Opcode ID: 8131232ea4e110a78cbbe142682e0b221beec53302878eaae0296b789d50c990
                                                    • Instruction ID: 5385bfc655a789aeb426c9546597e5e9554731b695d1c34d5ebe0a8eef4996cc
                                                    • Opcode Fuzzy Hash: 8131232ea4e110a78cbbe142682e0b221beec53302878eaae0296b789d50c990
                                                    • Instruction Fuzzy Hash: AA517371A042009BC714F779D85AAAE36A59B80318F40453FF849972E2DF7CADC5CB9E
                                                    APIs
                                                    • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
                                                      • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                                                    • Sleep.KERNEL32(00000064), ref: 00416688
                                                    • DeleteFileW.KERNEL32(00000000), ref: 004166BC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$CreateDeleteExecuteShellSleep
                                                    • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                                                    • API String ID: 1462127192-2001430897
                                                    • Opcode ID: b9a5cb25ade68b6fe2589745dbe0be08f51fb2d4aea0f2061956a18dd9341e5a
                                                    • Instruction ID: c19d1c6df4eaf99de932d1d3e2b79d277c3c3ae54bcdefde962c91a872100eda
                                                    • Opcode Fuzzy Hash: b9a5cb25ade68b6fe2589745dbe0be08f51fb2d4aea0f2061956a18dd9341e5a
                                                    • Instruction Fuzzy Hash: 5B313E719001085ADB14FBA1DC96EEE7764AF50708F00017FF906730E2EF786A8ACA9D
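The entry above is the host-reconnaissance step: dxdiag is launched through ShellExecuteW with the "/t" switch (the strings show "/t ", "temp" and "\sysinfo.txt"), the resulting report is opened for reading by a helper (CreateFileW with GENERIC_READ and OPEN_EXISTING), the function sleeps 100 ms (Sleep(0x64)) and then deletes the file. Because the report exists on disk only briefly, process-creation telemetry is the practical place to catch it rather than file monitoring. The following is an added detection example, not code from the report or from Joe Sandbox: it scores Sysmon-style process-creation events (the field names Image, CommandLine, ParentImage and ProcessId are assumed) for a dxdiag /t run that writes into a temp directory from a non-interactive parent. The sample events are constructed for illustration, not real telemetry.

```python
"""Flag dxdiag launched with "/t" to dump a system report into a temp directory,
the host-recon step shown in the entry above.  Added detection example, not code
from the report or from Joe Sandbox; the Sysmon-style field names (Image,
CommandLine, ParentImage, ProcessId) and the sample events are constructed."""
import re
from typing import Dict, List, Optional

# dxdiag's "/t <file>" switch; the output path may be quoted
T_SWITCH = re.compile(r'(?i)\s/t\s+"?(?P<out>[^"]+?)"?\s*$')
TEMP_HINTS = ("\\temp\\", "\\tmp\\", "\\appdata\\local\\temp\\")
# launchers from which an interactive "dxdiag /t" is plausible user activity
INTERACTIVE_PARENTS = {"explorer.exe", "cmd.exe", "powershell.exe"}


def detect_dxdiag_dump(ev: Dict[str, str]) -> Optional[Dict[str, object]]:
    """Score one process-creation event; None unless it is a dxdiag /t run."""
    if not ev.get("Image", "").lower().endswith("\\dxdiag.exe"):
        return None
    m = T_SWITCH.search(ev.get("CommandLine", ""))
    if not m:
        return None                      # plain GUI launch, no report written
    out = m.group("out").strip()
    parent = ev.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    to_temp = any(h in out.lower() for h in TEMP_HINTS)
    # 1 for the /t dump itself, +1 if it lands in a temp directory, +1 for a
    # non-interactive parent (a dropped binary rather than a user's shell)
    score = 1 + int(to_temp) + int(parent not in INTERACTIVE_PARENTS)
    return {"pid": ev.get("ProcessId"), "output": out, "parent": parent,
            "to_temp": to_temp, "score": score}


def scan(events: List[Dict[str, str]], min_score: int = 2) -> List[Dict[str, object]]:
    """Findings at or above min_score, in event order."""
    return [f for f in map(detect_dxdiag_dump, events) if f and f["score"] >= min_score]


# Constructed sample events (not real telemetry): a RAT-style run from a
# dropped binary, a user exporting a report from Explorer, a plain GUI launch.
EVENTS = [
    {"ProcessId": "4120", "Image": "C:\\Windows\\System32\\dxdiag.exe",
     "CommandLine": "dxdiag /t C:\\Users\\u\\AppData\\Local\\Temp\\sysinfo.txt",
     "ParentImage": "C:\\Users\\u\\AppData\\Roaming\\updater.exe"},
    {"ProcessId": "5208", "Image": "C:\\Windows\\System32\\dxdiag.exe",
     "CommandLine": '"C:\\Windows\\System32\\dxdiag.exe" /t C:\\Users\\u\\Documents\\dxdiag.txt',
     "ParentImage": "C:\\Windows\\explorer.exe"},
    {"ProcessId": "5310", "Image": "C:\\Windows\\System32\\dxdiag.exe",
     "CommandLine": '"C:\\Windows\\System32\\dxdiag.exe"',
     "ParentImage": "C:\\Windows\\explorer.exe"},
]

if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```

The score is deliberately additive rather than a single pattern: a user exporting dxdiag output from Explorer into Documents stays at 1 and is not reported, while the temp-directory destination and the non-shell parent together push the sample's pattern to 3. Pair it with a short-lived-file rule on sysinfo.txt only if your file telemetry reliably records creations that are deleted within a fraction of a second.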
                                                    APIs
                                                    • _strftime.LIBCMT ref: 00401AD3
                                                      • Part of subcall function 00401BE8: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401C54
                                                    • waveInUnprepareHeader.WINMM(00471AC0,00000020,00000000,?), ref: 00401B85
                                                    • waveInPrepareHeader.WINMM(00471AC0,00000020), ref: 00401BC3
                                                    • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401BD2
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                                                    • String ID: %Y-%m-%d %H.%M$.wav$`=G$x=G
                                                    • API String ID: 3809562944-3643129801
                                                    • Opcode ID: f816f63c6ac9835ee23b06cccc8d3180f7f4d1f3f2885b8dfbf4a592b63f2106
                                                    • Instruction ID: 71dc54c49c3278552d12686eedaa48b86947864de512bb92fe626abde6f710f1
                                                    • Opcode Fuzzy Hash: f816f63c6ac9835ee23b06cccc8d3180f7f4d1f3f2885b8dfbf4a592b63f2106
                                                    • Instruction Fuzzy Hash: 98317E315053009BC314EF25DC56A9E77E8BB94314F40883EF559A21F1EF78AA49CB9A
                                                    APIs
                                                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 0040197B
                                                    • waveInOpen.WINMM(00471AF8,000000FF,00471B00,Function_00001A8E,00000000,00000000,00000024), ref: 00401A11
                                                    • waveInPrepareHeader.WINMM(00471AC0,00000020,00000000), ref: 00401A66
                                                    • waveInAddBuffer.WINMM(00471AC0,00000020), ref: 00401A75
                                                    • waveInStart.WINMM ref: 00401A81
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                                                    • String ID: XCG$`=G$x=G
                                                    • API String ID: 1356121797-903574159
                                                    • Opcode ID: 2fa2782d5286cb6b946f29ce45bec9f2347d723f1f3b5a78e95a6039d4b8a833
                                                    • Instruction ID: eaefd7a1fab34284b98bc4f49641b1dd71ce781583fbb4b877c049bb372049a4
                                                    • Opcode Fuzzy Hash: 2fa2782d5286cb6b946f29ce45bec9f2347d723f1f3b5a78e95a6039d4b8a833
                                                    • Instruction Fuzzy Hash: 1A215C316012409BC704DF7EFD1696A7BA9FB85742B00843AF50DE76B0EBB89880CB4C
                                                    APIs
                                                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041C998
                                                      • Part of subcall function 0041CA2F: RegisterClassExA.USER32(00000030), ref: 0041CA7C
                                                      • Part of subcall function 0041CA2F: CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA97
                                                      • Part of subcall function 0041CA2F: GetLastError.KERNEL32 ref: 0041CAA1
                                                    • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041C9CF
                                                    • lstrcpynA.KERNEL32(00473B68,Remcos,00000080), ref: 0041C9E9
                                                    • Shell_NotifyIconA.SHELL32(00000000,00473B50), ref: 0041C9FF
                                                    • TranslateMessage.USER32(?), ref: 0041CA0B
                                                    • DispatchMessageA.USER32(?), ref: 0041CA15
                                                    • GetMessageA.USER32(?,00000000,00000000,00000000), ref: 0041CA22
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                                                    • String ID: Remcos
                                                    • API String ID: 1970332568-165870891
                                                    • Opcode ID: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                    • Instruction ID: a3c1d7bf95fc3ae1ab8e5dc1b7104b29b221ef3087a45b83961503d05de66f2d
                                                    • Opcode Fuzzy Hash: 3916a83a2764b610bd39468394578f6b6e569060e520b3e5816c6a16bad35c1f
                                                    • Instruction Fuzzy Hash: 620121B1944348ABD7109FA5FC4CEDA7BBCAB45B16F004035F605E2162D7B8A285DB2D
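Every per-function entry above uses one fixed line format for its API calls ("• Api.MODULE(values), ref: ADDR", with callee entries indented and prefixed "Part of subcall function ADDR:"), and the leading values line up with the Win32 prototype, as the CreateFileW entry shows (80000000 = GENERIC_READ, 00000003 = OPEN_EXISTING, 00000080 = FILE_ATTRIBUTE_NORMAL). That makes the listing machine-readable for triage. The following Python is an added example, not code from the report or from Joe Sandbox: it parses that format, decodes the printed stack values against the documented Win32 constants (so 000F003F on OpenServiceW reads as STANDARD_RIGHTS_REQUIRED plus the six service rights up to SERVICE_STOP, and 00000001 on ControlService as SERVICE_CONTROL_STOP, i.e. the routine at ref 00419CA4 stops a service by name), and tags each function with a capability label. The labels and the rules behind them are my own assumption, not Joe Sandbox signatures; the sample input is copied verbatim from the service-control and dxdiag entries above.

```python
"""Parse the per-function "APIs" entries of a Joe Sandbox code-analysis report (the
listing format above), decode well-known Win32 argument constants and tag the
capability the call pattern implies.  Added example, not Joe Sandbox code: constant
values are the documented ones (winsvc.h, winreg.h, winnt.h); the capability rules
are my own triage heuristics, not Joe Sandbox signatures."""
import re
from collections import namedtuple

# "• Api.MODULE(a,b,...), ref: ADDR" or "• Api.MODULE ref: ADDR", optionally
# prefixed with "Part of subcall function ADDR: " (an indented callee entry).
API_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]{8}):\s*)?"
    r"(?P<api>[A-Za-z_]\w*)\.(?P<mod>[A-Z0-9_]+)"
    r"(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-F]{8})\s*$")
ApiCall = namedtuple("ApiCall", "api module args ref subcall_of")  # args as printed

def parse_api_line(line):
    m = API_RE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [a.strip() for a in raw.split(",")] if raw else []
    return ApiCall(m.group("api"), m.group("mod"), args, m.group("ref"), m.group("sub"))

def _hexint(s):  # "00000011" -> 0x11; "?" or a string argument -> None
    return int(s, 16) if re.fullmatch(r"[0-9A-Fa-f]{1,8}", s) else None

def _flags(value, table):  # bitmask -> "A|B"; bits not in the table stay hex
    names, rest = [], value
    for bit, name in table:
        if rest & bit == bit:
            names.append(name)
            rest &= ~bit
    if rest:
        names.append(f"0x{rest:X}")
    return "|".join(names) if names else "0"

SC_MANAGER_ACCESS = [(0x1, "SC_MANAGER_CONNECT"), (0x2, "SC_MANAGER_CREATE_SERVICE"),
                     (0x4, "SC_MANAGER_ENUMERATE_SERVICE"), (0x8, "SC_MANAGER_LOCK"),
                     (0x10, "SC_MANAGER_QUERY_LOCK_STATUS"), (0x20, "SC_MANAGER_MODIFY_BOOT_CONFIG")]
SERVICE_ACCESS = [(0xF0000, "STANDARD_RIGHTS_REQUIRED"), (0x1, "SERVICE_QUERY_CONFIG"),
                  (0x2, "SERVICE_CHANGE_CONFIG"), (0x4, "SERVICE_QUERY_STATUS"),
                  (0x8, "SERVICE_ENUMERATE_DEPENDENTS"), (0x10, "SERVICE_START"), (0x20, "SERVICE_STOP"),
                  (0x40, "SERVICE_PAUSE_CONTINUE"), (0x80, "SERVICE_INTERROGATE"),
                  (0x100, "SERVICE_USER_DEFINED_CONTROL")]
GENERIC_ACCESS = [(0x80000000, "GENERIC_READ"), (0x40000000, "GENERIC_WRITE")]
SERVICE_CONTROL = {1: "SERVICE_CONTROL_STOP", 2: "SERVICE_CONTROL_PAUSE", 3: "SERVICE_CONTROL_CONTINUE"}
HKEYS = {0x80000001: "HKEY_CURRENT_USER", 0x80000002: "HKEY_LOCAL_MACHINE"}
REG_SAM = {0x20019: "KEY_READ", 0x20006: "KEY_WRITE", 0xF003F: "KEY_ALL_ACCESS"}
CREATE_DISP = {1: "CREATE_NEW", 2: "CREATE_ALWAYS", 3: "OPEN_EXISTING", 4: "OPEN_ALWAYS"}

# api -> {argument index in Win32 prototype order -> decoder}; the report prints
# the call's own arguments first, then whatever else was on the stack
ARG_DECODERS = {
    "OpenSCManagerW": {2: lambda v: _flags(v, SC_MANAGER_ACCESS)},
    "OpenServiceW": {2: lambda v: _flags(v, SERVICE_ACCESS)},
    "ControlService": {1: lambda v: SERVICE_CONTROL.get(v, f"control 0x{v:X}")},
    "RegOpenKeyExA": {0: lambda v: HKEYS.get(v, f"hKey 0x{v:X}"), 3: lambda v: REG_SAM.get(v, f"sam 0x{v:X}")},
    "CreateFileW": {1: lambda v: _flags(v, GENERIC_ACCESS), 4: lambda v: CREATE_DISP.get(v, f"disposition {v}")},
}

def decode_call(call):  # 'argN=NAME' for each decodable argument of the call
    out = []
    for idx, dec in ARG_DECODERS.get(call.api, {}).items():
        v = _hexint(call.args[idx]) if idx < len(call.args) else None
        if v is not None:
            out.append(f"arg{idx}={dec(v)}")
    return out

# (tag, any of these APIs present, substring required in some argument)
RULES = [
    ("service-control", {"ControlService"}, None),
    ("installed-software-enum", {"RegEnumKeyExA"}, "CurrentVersion\\Uninstall"),
    ("host-recon-dxdiag", {"ShellExecuteW"}, "dxdiag"),
    ("audio-capture", {"waveInOpen", "waveInStart", "waveInAddBuffer"}, None),
    ("tray-icon", {"Shell_NotifyIconA"}, None),
]

def classify(calls):
    apis = {c.api for c in calls}
    blob = ",".join(a for c in calls for a in c.args)
    return sorted(tag for tag, any_of, needle in RULES
                  if apis & any_of and (needle is None or needle in blob))

def analyze_block(text):  # one entry's "APIs" lines -> (calls, {ref: decoded}, tags)
    calls = [c for c in map(parse_api_line, text.splitlines()) if c]
    decoded = {c.ref: d for c in calls if (d := decode_call(c))}
    return calls, decoded, classify(calls)

# Sample input: lines copied verbatim from two of the report entries above.
SERVICE_BLOCK = r"""
• OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CA4
• OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CBB
• ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00419608,00000000,00000000), ref: 00419CD7
"""
DXDIAG_BLOCK = r"""
• ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 0041665C
  • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
"""

if __name__ == "__main__":
    print(*analyze_block(SERVICE_BLOCK + DXDIAG_BLOCK), sep="\n")
```

Feed analyze_block one entry's "APIs" lines at a time; the third element of the result is the tag list, the second maps each call-site address to its decoded arguments. Only arguments at the prototype positions a decoder knows about are interpreted, so trailing stack noise such as return addresses is never mistaken for a flag.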
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    APIs
                                                    • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,00452E13,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 00452BE6
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452C69
                                                    • __alloca_probe_16.LIBCMT ref: 00452CA1
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,00452E13,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452CFC
                                                    • __alloca_probe_16.LIBCMT ref: 00452D4B
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D13
                                                      • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                                                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,00452E13,00000000,00000000,?,00000001,?,?,?,?), ref: 00452D8F
                                                    • __freea.LIBCMT ref: 00452DBA
                                                    • __freea.LIBCMT ref: 00452DC6
                                                    Similarity
                                                    • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                                                    • String ID:
                                                    • API String ID: 201697637-0
                                                    APIs
                                                      • Part of subcall function 00446ECF: GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                                      • Part of subcall function 00446ECF: _free.LIBCMT ref: 00446F06
                                                      • Part of subcall function 00446ECF: SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                                      • Part of subcall function 00446ECF: _abort.LIBCMT ref: 00446F4D
                                                    • _memcmp.LIBVCRUNTIME ref: 004446B3
                                                    • _free.LIBCMT ref: 00444724
                                                    • _free.LIBCMT ref: 0044473D
                                                    • _free.LIBCMT ref: 0044476F
                                                    • _free.LIBCMT ref: 00444778
                                                    • _free.LIBCMT ref: 00444784
                                                    Similarity
                                                    • API ID: _free$ErrorLast$_abort_memcmp
                                                    • String ID: C
                                                    • API String ID: 1679612858-1037565863
                                                    Similarity
                                                    • API ID:
                                                    • String ID: tcp$udp
                                                    • API String ID: 0-3725065008
                                                    APIs
                                                    • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 00412CC1
                                                      • Part of subcall function 004129AA: RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                      • Part of subcall function 004129AA: RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                      • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                    • RegCloseKey.ADVAPI32(TUFTUF,00465554,00465554,00465900,00465900,00000071), ref: 00412E31
                                                    Similarity
                                                    • API ID: CloseEnumInfoOpenQuerysend
                                                    • String ID: TUF$TUFTUF$>G$DG$DG
                                                    • API String ID: 3114080316-72097156
                                                    APIs
                                                    • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00465454,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C38
                                                    • WriteFile.KERNEL32(00000000,?,00000000,?,00000000,?,000186A0,?,?,?,00000000,00407273,00000000,?,0000000A,00000000), ref: 00406C80
                                                      • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                    • CloseHandle.KERNEL32(00000000,?,?,00000000,00407273,00000000,?,0000000A,00000000,00000000), ref: 00406CC0
                                                    • MoveFileW.KERNEL32(00000000,00000000), ref: 00406CDD
                                                    • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D08
                                                    • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,0000000A,00000000,00000000), ref: 00406D18
                                                      • Part of subcall function 0040455B: WaitForSingleObject.KERNEL32(?,000000FF,?,?,0040460E,00000000,?,?), ref: 0040456A
                                                      • Part of subcall function 0040455B: SetEvent.KERNEL32(?,?,?,0040460E,00000000,?,?), ref: 00404588
                                                    Similarity
                                                    • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                                                    • String ID: .part
                                                    • API String ID: 1303771098-3499674018
                                                    APIs
                                                      • Part of subcall function 00412584: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?), ref: 004125A6
                                                      • Part of subcall function 00412584: RegQueryValueExW.ADVAPI32(?,0040E0BA,00000000,00000000,?,00000400), ref: 004125C5
                                                      • Part of subcall function 00412584: RegCloseKey.ADVAPI32(?), ref: 004125CE
                                                      • Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C
                                                      • Part of subcall function 0041B16B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B183
                                                    • _wcslen.LIBCMT ref: 0041A906
                                                    Similarity
                                                    • API ID: Process$CloseCurrentOpenQueryValueWow64_wcslen
                                                    • String ID: .exe$:@$XCG$http\shell\open\command$program files (x86)\$program files\
                                                    • API String ID: 3286818993-703403762
                                                    APIs
                                                      • Part of subcall function 00412513: RegOpenKeyExA.KERNEL32(80000001,00000400,00000000,00020019,?), ref: 00412537
                                                      • Part of subcall function 00412513: RegQueryValueExA.KERNEL32(?,?,00000000,00000000,?,00000400), ref: 00412554
                                                      • Part of subcall function 00412513: RegCloseKey.KERNEL32(?), ref: 0041255F
                                                    • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B76C
                                                    • PathFileExistsA.SHLWAPI(?), ref: 0040B779
                                                    Similarity
                                                    • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                                                    • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders$TUF
                                                    • API String ID: 1133728706-1738023494
                                                    APIs
                                                    • AllocConsole.KERNEL32(00474358), ref: 0041BEC9
                                                    • GetConsoleWindow.KERNEL32 ref: 0041BECF
                                                    • ShowWindow.USER32(00000000,00000000), ref: 0041BEE2
                                                    • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041BF07
                                                    Similarity
                                                    • API ID: Console$Window$AllocOutputShow
                                                    • String ID: Remcos v$5.3.0 Pro$CONOUT$
                                                    • API String ID: 4067487056-2527699604
                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,0043D574,0043D574,?,?,?,00449BB1,00000001,00000001,1AE85006), ref: 004499BA
                                                    • __alloca_probe_16.LIBCMT ref: 004499F2
                                                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,?,00449BB1,00000001,00000001,1AE85006,?,?,?), ref: 00449A40
                                                    • __alloca_probe_16.LIBCMT ref: 00449AD7
                                                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,1AE85006,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 00449B3A
                                                    • __freea.LIBCMT ref: 00449B47
                                                      • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                                                    • __freea.LIBCMT ref: 00449B50
                                                    • __freea.LIBCMT ref: 00449B75
                                                    Similarity
                                                    • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                                                    • String ID:
                                                    • API String ID: 3864826663-0
                                                    APIs
                                                    • SendInput.USER32 ref: 00418B18
                                                    • SendInput.USER32(00000001,?,0000001C), ref: 00418B40
                                                    • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B67
                                                    • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418B85
                                                    • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BA5
                                                    • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BCA
                                                    • SendInput.USER32(00000001,0000001C,0000001C), ref: 00418BEC
                                                    • SendInput.USER32(00000001,?,0000001C), ref: 00418C0F
                                                      • Part of subcall function 00418AC1: MapVirtualKeyA.USER32(00000000,00000000), ref: 00418AC7
                                                    Similarity
                                                    • API ID: InputSend$Virtual
                                                    • String ID:
                                                    • API String ID: 1167301434-0
                                                    • Opcode ID: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                                    • Instruction ID: 9e9d03405de643faf883966fb0167173931b0bf8c68e8067c58721a0feba7ae1
                                                    • Opcode Fuzzy Hash: 88f93acc81d4616b4190e12117d1b14dafb1e9928c91053c24dee7c09840eeb6
                                                    • Instruction Fuzzy Hash: 10318071248349AAE210DF65D841FDBFBECAFD9B44F04080FB98457191DBA4998C876B
                                                    APIs
                                                    • OpenClipboard.USER32 ref: 00415A46
                                                    • EmptyClipboard.USER32 ref: 00415A54
                                                    • CloseClipboard.USER32 ref: 00415A5A
                                                    • OpenClipboard.USER32 ref: 00415A61
                                                    • GetClipboardData.USER32(0000000D), ref: 00415A71
                                                    • GlobalLock.KERNEL32(00000000), ref: 00415A7A
                                                    • GlobalUnlock.KERNEL32(00000000), ref: 00415A83
                                                    • CloseClipboard.USER32 ref: 00415A89
                                                      • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                                                    • String ID:
                                                    • API String ID: 2172192267-0
                                                    • Opcode ID: d9c410470e1138b8a4c9be85fd81145319fac6db587be0b527b00daa86c960c7
                                                    • Instruction ID: 21d753e14671b68e74bb0dc0c2a05280281c3050cfaacb3e005a94eaf945824a
                                                    • Opcode Fuzzy Hash: d9c410470e1138b8a4c9be85fd81145319fac6db587be0b527b00daa86c960c7
                                                    • Instruction Fuzzy Hash: 1D0152312083009FC314BB75EC5AAEE77A5AFC0752F41457EFD06861A2DF38C845D65A
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: __freea$__alloca_probe_16
                                                    • String ID: a/p$am/pm$fD
                                                    • API String ID: 3509577899-1143445303
                                                    • Opcode ID: d47145a3bc1b7d9653af932916ed6ede224238620767b4a39004040ccf91a16a
                                                    • Instruction ID: b3ac1812908cceb8a5e393dcdb4c984f4f77018dd86d4d200126c6f407000a93
                                                    • Opcode Fuzzy Hash: d47145a3bc1b7d9653af932916ed6ede224238620767b4a39004040ccf91a16a
                                                    • Instruction Fuzzy Hash: 45D10171900205EAFB289F68D9456BBB7B0FF06700F26415BE9019B349D37D9D81CB6B
                                                    APIs
                                                    • _free.LIBCMT ref: 00447ECC
                                                    • _free.LIBCMT ref: 00447EF0
                                                    • _free.LIBCMT ref: 00448077
                                                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D478), ref: 00448089
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,0047179C,000000FF,00000000,0000003F,00000000,?,?), ref: 00448101
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,004717F0,000000FF,?,0000003F,00000000,?), ref: 0044812E
                                                    • _free.LIBCMT ref: 00448243
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free$ByteCharMultiWide$InformationTimeZone
                                                    • String ID:
                                                    • API String ID: 314583886-0
                                                    • Opcode ID: 987cd6ff04374740ad638309c533d0c602dfd377e295f885280b4824386cdb1c
                                                    • Instruction ID: 19e3b7565c7c288d74bc5d2e619305edf95ef22548e2b541e8d8082bcdfeb5ac
                                                    • Opcode Fuzzy Hash: 987cd6ff04374740ad638309c533d0c602dfd377e295f885280b4824386cdb1c
                                                    • Instruction Fuzzy Hash: 27C10671904205ABFB24DF698C41AAE7BB9EF45314F2441AFE484A7251EB388E47C758
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free
                                                    • String ID:
                                                    • API String ID: 269201875-0
                                                    • Opcode ID: 154a0d9c569a12efbd1fb523a4d55ce0e4318de2d30962be95ff360cd9ef53d7
                                                    • Instruction ID: 4bbe003d1bf73c874d2a573eb0f11032bb863b1283a960f175a06077317d427c
                                                    • Opcode Fuzzy Hash: 154a0d9c569a12efbd1fb523a4d55ce0e4318de2d30962be95ff360cd9ef53d7
                                                    • Instruction Fuzzy Hash: 9D61CE71D00205AFEB20DF69C842BAABBF5EB45320F14407BE844EB281E7759D45CB59
                                                    APIs
                                                      • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                                                    • _free.LIBCMT ref: 00444096
                                                    • _free.LIBCMT ref: 004440AD
                                                    • _free.LIBCMT ref: 004440CC
                                                    • _free.LIBCMT ref: 004440E7
                                                    • _free.LIBCMT ref: 004440FE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free$AllocateHeap
                                                    • String ID: Z7D
                                                    • API String ID: 3033488037-2145146825
                                                    • Opcode ID: 7bd75c35ecc30b271b00b77e92f4063212cf76abbfff81b413b55d476d69b5fb
                                                    • Instruction ID: 35b293ba1399b13e66314f32d3a1361244e269274da5e60bce22b88c1773d583
                                                    • Opcode Fuzzy Hash: 7bd75c35ecc30b271b00b77e92f4063212cf76abbfff81b413b55d476d69b5fb
                                                    • Instruction Fuzzy Hash: 1451D131A00604AFEB20DF66C841B6A77F4EF99724B14456EE909D7251E739EE118B88
                                                    APIs
                                                    • GetConsoleCP.KERNEL32(00000000,00000000,?,?,?,?,?,?,?,0044A848,?,00000000,00000000,00000000,00000000,0000000C), ref: 0044A115
                                                    • __fassign.LIBCMT ref: 0044A190
                                                    • __fassign.LIBCMT ref: 0044A1AB
                                                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,00000000,00000005,00000000,00000000), ref: 0044A1D1
                                                    • WriteFile.KERNEL32(?,00000000,00000000,0044A848,00000000,?,?,?,?,?,?,?,?,?,0044A848,?), ref: 0044A1F0
                                                    • WriteFile.KERNEL32(?,?,00000001,0044A848,00000000,?,?,?,?,?,?,?,?,?,0044A848,?), ref: 0044A229
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                                                    • String ID:
                                                    • API String ID: 1324828854-0
                                                    • Opcode ID: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                    • Instruction ID: e447b7b613fb78ded26f6ec2e5332222395caf0b7731ddcd5a4cfd0c244b89ef
                                                    • Opcode Fuzzy Hash: c2a57007ecaabeafdb2dea6b541a07f99f491d21749d301156e70ae2fc22959b
                                                    • Instruction Fuzzy Hash: FB51C270E002499FEB10CFA8D881AEEBBF8FF09310F14416BE955E7351D6749A51CB6A
                                                    APIs
                                                    • ExitThread.KERNEL32 ref: 004017F4
                                                      • Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,?,00475D4C,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433534
                                                      • Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433571
                                                    • waveInUnprepareHeader.WINMM(?,00000020,00000000,?,00000020,00473EE8,00000000), ref: 00401902
                                                      • Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB
                                                    • __Init_thread_footer.LIBCMT ref: 004017BC
                                                      • Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475D4C,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 004334E9
                                                      • Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 0043351C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CriticalSection$EnterLeave$ExitHeaderInit_thread_footerThreadUnprepare__onexitwave
                                                    • String ID: T=G$>G$>G
                                                    • API String ID: 1596592924-1617985637
                                                    • Opcode ID: 7fea690cd5114764ac3b3016db8b19bc4d1365cb468e8419b76e50a1049d06b2
                                                    • Instruction ID: 0943ace0b6a80c7a2dd7ea0048a529cdefdd5a29547fab9333b46e46416e0a54
                                                    • Opcode Fuzzy Hash: 7fea690cd5114764ac3b3016db8b19bc4d1365cb468e8419b76e50a1049d06b2
                                                    • Instruction Fuzzy Hash: D941F0716042008BC325FB75DDA6AAE73A4EB90318F00453FF50AAB1F2DF789985C65E
                                                    APIs
                                                      • Part of subcall function 0041B16B: GetCurrentProcess.KERNEL32(?,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B17C
                                                      • Part of subcall function 0041B16B: IsWow64Process.KERNEL32(00000000,?,?,0040C914,WinDir,00000000,00000000), ref: 0041B183
                                                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E6C1
                                                    • Process32FirstW.KERNEL32(00000000,?), ref: 0040E6E5
                                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E6F4
                                                    • CloseHandle.KERNEL32(00000000), ref: 0040E8AB
                                                      • Part of subcall function 0041B197: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040E4D0,00000000,?,?,00474358), ref: 0041B1AC
                                                      • Part of subcall function 0041B197: IsWow64Process.KERNEL32(00000000,?,?,?,00474358), ref: 0041B1B7
                                                      • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
                                                      • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
                                                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040E89C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Process$OpenProcess32$NextWow64$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                                                    • String ID: PgF
                                                    • API String ID: 2180151492-654241383
                                                    • Opcode ID: d45e152db1594e52a28c92c812a6bfc09764fa0d060a7e5a38ae0a426294ee6f
                                                    • Instruction ID: d2ffcfca6af8ede7debefd7e7f3e1a30d02436113b149e9281f59cd47d6ae75e
                                                    • Opcode Fuzzy Hash: d45e152db1594e52a28c92c812a6bfc09764fa0d060a7e5a38ae0a426294ee6f
                                                    • Instruction Fuzzy Hash: FE41E0311083415BC325F761D8A1AEFB7E9AFA4305F50453EF449931E1EF389949C65A
                                                    APIs
                                                    • _ValidateLocalCookies.LIBCMT ref: 00437ABB
                                                    • ___except_validate_context_record.LIBVCRUNTIME ref: 00437AC3
                                                    • _ValidateLocalCookies.LIBCMT ref: 00437B51
                                                    • __IsNonwritableInCurrentImage.LIBCMT ref: 00437B7C
                                                    • _ValidateLocalCookies.LIBCMT ref: 00437BD1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CookiesLocalValidate$CurrentImageNonwritable___except_validate_context_record
                                                    • String ID: csm
                                                    • API String ID: 1170836740-1018135373
                                                    • Opcode ID: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                                                    • Instruction ID: 71a827b8039fc8fef17eb0172cb9efd804432aff4b2936af944e1c8a38ed202f
                                                    • Opcode Fuzzy Hash: a717e1e029c36c18052b78818950a58a3847fd0af0d72a643a188b4f53f37093
                                                    • Instruction Fuzzy Hash: 07410870A04209DBCF20EF29C884A9FBBB4AF08328F149156E8556B352D739EE01CF95
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: ac8429af2de8aec4c7be5426e4bb47fdde12a831901fd5511e93482c0d59407e
                                                    • Instruction ID: c456bd3af877b6cafd4b53f13a87e342c7fa5de46f767ee01c057a6e18c8cad8
                                                    • Opcode Fuzzy Hash: ac8429af2de8aec4c7be5426e4bb47fdde12a831901fd5511e93482c0d59407e
                                                    • Instruction Fuzzy Hash: 401102B1508615FBDB206F729C4593B7BACEF82772B20016FFC05C6242DA3CC801D669
                                                    APIs
                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040FBFC
                                                    • int.LIBCPMT ref: 0040FC0F
                                                      • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                      • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                    • std::_Facet_Register.LIBCPMT ref: 0040FC4B
                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FC71
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FC8D
                                                    Strings
                                                    Yara matches
                                                    Similarity
                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                    • String ID: p[G
                                                    • API String ID: 2536120697-440918510
                                                    • Opcode ID: 90cee4c0c16813870b1da6ceaa83cd64951b4a88db33a7eee00d1c8ab7d48ea7
                                                    • Instruction ID: 57388c14a05e53b5f50c1e79e3c37d993a50775a9f2b0ccff9e8b1bf96635e0f
                                                    • Instruction Fuzzy Hash: BD110232904519A7CB10FBA5D8469EEB7289E84358F20007BF805B72C1EB7CAF45C78D
                                                    APIs
                                                      • Part of subcall function 0044FA32: _free.LIBCMT ref: 0044FA5B
                                                    • _free.LIBCMT ref: 0044FD39
                                                      • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A), ref: 00446AEB
                                                      • Part of subcall function 00446AD5: GetLastError.KERNEL32(0000000A,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A,0000000A), ref: 00446AFD
                                                    • _free.LIBCMT ref: 0044FD44
                                                    • _free.LIBCMT ref: 0044FD4F
                                                    • _free.LIBCMT ref: 0044FDA3
                                                    • _free.LIBCMT ref: 0044FDAE
                                                    • _free.LIBCMT ref: 0044FDB9
                                                    • _free.LIBCMT ref: 0044FDC4
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    • Opcode ID: 7c29d87e7d6a666a6374703866dd42c53a280d6db8acc668fe4e1522d65ba280
                                                    • Instruction ID: b610107d28af63220697d29f7fc6270dd0ec529a0d2d9973413717ad3690abbb
                                                    • Instruction Fuzzy Hash: B5116071581B44ABE520F7B2CC07FCB77DDDF02708F404C2EB29E76052EA68B90A4655
                                                    APIs
                                                    • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe), ref: 00406835
                                                      • Part of subcall function 00406764: _wcslen.LIBCMT ref: 00406788
                                                      • Part of subcall function 00406764: CoGetObject.OLE32(?,00000024,004659B0,00000000), ref: 004067E9
                                                    • CoUninitialize.OLE32 ref: 0040688E
                                                    Strings
                                                    • [+] before ShellExec, xrefs: 00406856
                                                    • [+] ShellExec success, xrefs: 00406873
                                                    • [+] ucmCMLuaUtilShellExecMethod, xrefs: 0040681A
                                                    • C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, xrefs: 00406815, 00406818, 0040686A
                                                    Yara matches
                                                    Similarity
                                                    • API ID: InitializeObjectUninitialize_wcslen
                                                    • String ID: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                                                    • API String ID: 3851391207-99461877
                                                    • Opcode ID: 37e49e74ace5e8c7de8c35aba96b6244217e4573d21f95b04fe8e6107b657e82
                                                    • Instruction ID: 622c6236034ee416db36617ed9a374104512909f75adacabffe0517dc70a223e
                                                    • Instruction Fuzzy Hash: A501C0722013106FE2287B11DC0EF3B2658DB4176AF22413FF946A71C1EAA9AC104669
                                                    APIs
                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040FEDF
                                                    • int.LIBCPMT ref: 0040FEF2
                                                      • Part of subcall function 0040CEE0: std::_Lockit::_Lockit.LIBCPMT ref: 0040CEF1
                                                      • Part of subcall function 0040CEE0: std::_Lockit::~_Lockit.LIBCPMT ref: 0040CF0B
                                                    • std::_Facet_Register.LIBCPMT ref: 0040FF2E
                                                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0040FF54
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040FF70
                                                    Strings
                                                    Yara matches
                                                    Similarity
                                                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                                                    • String ID: h]G
                                                    • API String ID: 2536120697-1579725984
                                                    • Opcode ID: d8f58f918af87aba8139413509f4a2dec583dfadb59aca9c2e42155b8cc16817
                                                    • Instruction ID: faa6495482ffb760010bfa20be6f485864068761b5f97391b19e5f0bde606c56
                                                    • Instruction Fuzzy Hash: 10119D3190041AABCB24FBA5C8468DDB7699E85718B20057FF505B72C1EB78AE09C789
                                                    APIs
                                                    • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B2E4
                                                    • GetLastError.KERNEL32 ref: 0040B2EE
                                                    Strings
                                                    • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B2AF
                                                    • [Chrome Cookies not found], xrefs: 0040B308
                                                    • UserProfile, xrefs: 0040B2B4
                                                    • [Chrome Cookies found, cleared!], xrefs: 0040B314
                                                    Yara matches
                                                    Similarity
                                                    • API ID: DeleteErrorFileLast
                                                    • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                                                    • API String ID: 2018770650-304995407
                                                    • Opcode ID: 30e5fcbe14093218a38d76bda61cf748b30cc159a0567d7ee95bef924cd16ffd
                                                    • Instruction ID: 57831ae66bbe87b328e3caf482cfdb9a18bfb77b2c204d956758bc207329a0f7
                                                    • Instruction Fuzzy Hash: ED01A23164410557CB0477B5DD6B8AF3624ED50708F60013FF802B22E2FE3A9A0586CE
                                                    Strings
                                                    • BG, xrefs: 00406909
                                                    • Rmc-I3QM17, xrefs: 0040693F
                                                    • C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, xrefs: 00406927
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe$Rmc-I3QM17$BG
                                                    • API String ID: 0-4109772114
                                                    • Opcode ID: d50a95e135f0bfdaf236d1bb78b8391e43d4b57b805b0d92c2bf5032378cfc05
                                                    • Instruction ID: a0817f974ad937f6cb5b9dd001e5131ae01746641b95ac10126ddf8aadfa6e31
                                                    • Instruction Fuzzy Hash: 05F096B17022109BDB103774BC1967A3645A780356F01847BF94BFA6E5DB3C8851869C
                                                    APIs
                                                    • __allrem.LIBCMT ref: 00439799
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397B5
                                                    • __allrem.LIBCMT ref: 004397CC
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004397EA
                                                    • __allrem.LIBCMT ref: 00439801
                                                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0043981F
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                                                    • String ID:
                                                    • API String ID: 1992179935-0
                                                    • Opcode ID: 088a2e1066119da7e611ebb0c50ba568729b81e5e50e163a33f94ab824c18df8
                                                    • Instruction ID: 580a0d75dc01f3f4b0c8d364acae3af6b21ca74026922d198920ae34195595c3
                                                    • Instruction Fuzzy Hash: 8581FC71A01B069BE724AE69CC82B5F73A8AF89368F24512FF411D7381E7B8DD018758
                                                    APIs
                                                    Yara matches
                                                    Similarity
                                                    • API ID: __cftoe
                                                    • String ID:
                                                    • API String ID: 4189289331-0
                                                    • Opcode ID: 69df1f9648de409375186bf4c737c9597d71512c260aa95240f454dab3e526b7
                                                    • Instruction ID: 51d3defa9bee42a6449c1cbae1767e96f335fc55d8793b788aa7c8c1dec457a3
                                                    • Instruction Fuzzy Hash: DE510A72900205ABFB249F598C81FAF77A9EFC9324F25421FF814A6291DB3DDD01866D
                                                    APIs
                                                    • Sleep.KERNEL32(00000000), ref: 00403E8A
                                                      • Part of subcall function 00403FCD: __EH_prolog.LIBCMT ref: 00403FD2
                                                    Strings
                                                    Yara matches
                                                    Similarity
                                                    • API ID: H_prologSleep
                                                    • String ID: CloseCamera$FreeFrame$GetFrame$OpenCamera$P>G
                                                    • API String ID: 3469354165-462540288
                                                    • Opcode ID: a5279992c9b5f01cab381193b3706a68732ec19cee183b4c459e27e130619d80
                                                    • Instruction ID: a615deab89d52a04eef9df102bd8b4982dd8b49b1eab8c4ad016fc0191aaad38
                                                    • Instruction Fuzzy Hash: E941A330A0420196CA14FB79C816AAD3A655B45704F00413FF809A73E2EF7C9A85C7CF
                                                    APIs
                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E0C
                                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E20
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E2D
                                                    • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00419517), ref: 00419E62
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E74
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,00000000,?,?,00419517,00000000,00000000), ref: 00419E77
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Service$CloseHandle$Open$ChangeConfigManager
                                                    • String ID:
                                                    • API String ID: 493672254-0
                                                    • Opcode ID: 8d0c32570e89dd068500cd90fe1776a703b3a192111dc2e8c1051611ff5d3692
                                                    • Instruction ID: 40159264159f5a90cd52f9b689d0e8cb5e0ea154c732c405bcbf7063391161e0
                                                    • Instruction Fuzzy Hash: 09016D311083107AE3118B34EC1EFBF3B5CDB41B70F00023BF626922D1DA68CE8581A9
                                                    APIs
                                                    • GetLastError.KERNEL32(?,?,00437E0D,004377C1), ref: 00437E24
                                                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00437E32
                                                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00437E4B
                                                    • SetLastError.KERNEL32(00000000,?,00437E0D,004377C1), ref: 00437E9D
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLastValue___vcrt_
                                                    • String ID:
                                                    • API String ID: 3852720340-0
                                                    • Opcode ID: 621d246bd99772174e6328e27007d7fc44d2e9bedb07ae0db1c9b20682e519a8
                                                    • Instruction ID: 127a8aaeb23cc4eddae083ca6fcd73be4c6f1963697d6e79a1959115bdf772ac
                                                    • Opcode Fuzzy Hash: 621d246bd99772174e6328e27007d7fc44d2e9bedb07ae0db1c9b20682e519a8
                                                    • Instruction Fuzzy Hash: 6701B57211D3159EE63427757C87A272B99EB0A779F20127FF228851E2EF2D4C41914C
                                                    APIs
                                                    • GetLastError.KERNEL32(?,?,0043932C,?,00000000,?,0043B965,00000000,00000000), ref: 00446ED3
                                                    • _free.LIBCMT ref: 00446F06
                                                    • _free.LIBCMT ref: 00446F2E
                                                    • SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F3B
                                                    • SetLastError.KERNEL32(00000000,00000000,00000000), ref: 00446F47
                                                    • _abort.LIBCMT ref: 00446F4D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast$_free$_abort
                                                    • String ID:
                                                    • API String ID: 3160817290-0
                                                    • Opcode ID: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                                                    • Instruction ID: 1b4467ed9408e6c3233579f8e1b56ac98d0768551ab8ff32c5b7efb0424b8365
                                                    • Opcode Fuzzy Hash: c8da7f0c6bc53abe63124bd11b18efa7ba6299d8fddab580282761fd2749e6ad
                                                    • Instruction Fuzzy Hash: B1F0F93560870027F61273797D46A6F15669BC37B6B26013FF909A2292EE2D8C06411F
                                                    APIs
                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C3F
                                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C53
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C60
                                                    • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C6F
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C81
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004197AB,00000000,00000000), ref: 00419C84
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Service$CloseHandle$Open$ControlManager
                                                    • String ID:
                                                    • API String ID: 221034970-0
                                                    • Opcode ID: e0442b8656df40b354effc29a53afdc585f42babe91f9aeac9dec78915b16ffb
                                                    • Instruction ID: 508c6a04514e5737773cd2f196b8466aacbf0489f3ca208dfe1df169d6e4b917
                                                    • Opcode Fuzzy Hash: e0442b8656df40b354effc29a53afdc585f42babe91f9aeac9dec78915b16ffb
                                                    • Instruction Fuzzy Hash: 93F0F6325403147BD3116B25EC89EFF3BACDB85BA1F000036F941921D2DB68CD4685F5
                                                    APIs
                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D41
                                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D55
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D62
                                                    • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D71
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D83
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00419729,00000000,00000000), ref: 00419D86
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Service$CloseHandle$Open$ControlManager
                                                    • String ID:
                                                    • API String ID: 221034970-0
                                                    • Opcode ID: 197637b26bbdd00f03ff7db36be43807083bab4a770c68d4e23c4aa016e90e1f
                                                    • Instruction ID: e3947c2d1caeee04707242a29777fdfa1156a9fa4bc9e6dc5536219c00a7af20
                                                    • Opcode Fuzzy Hash: 197637b26bbdd00f03ff7db36be43807083bab4a770c68d4e23c4aa016e90e1f
                                                    • Instruction Fuzzy Hash: 88F0C2325002146BD2116B25FC49EBF3AACDB85BA1B00003AFA06A21D2DB38CD4685F9
                                                    APIs
                                                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DA6
                                                    • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DBA
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DC7
                                                    • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DD6
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DE8
                                                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004196A7,00000000,00000000), ref: 00419DEB
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Service$CloseHandle$Open$ControlManager
                                                    • String ID:
                                                    • API String ID: 221034970-0
                                                    • Opcode ID: e355818817006b765bc9d302ee5cf97eebc986756fff16413e45bff3808d062c
                                                    • Instruction ID: 9f0c2abda8e07195e4bf0f321f31a82c7612ecaf5c8047990b3e76cea93c5393
                                                    • Opcode Fuzzy Hash: e355818817006b765bc9d302ee5cf97eebc986756fff16413e45bff3808d062c
                                                    • Instruction Fuzzy Hash: FAF0C2325002146BD2116B24FC89EFF3AACDB85BA1B00003AFA05A21D2DB28CE4685F8
                                                    APIs
                                                    • RegQueryInfoKeyW.ADVAPI32(?,?,?,00000000,?,?,?,?,?,?,?,?), ref: 00412A1D
                                                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,?,?,?,?,00000000,?,?,?,?), ref: 00412A4C
                                                    • RegEnumValueW.ADVAPI32(?,00000000,?,?,00000000,?,?,00002710,?,?,?,00000000,?,?,?,?), ref: 00412AED
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Enum$InfoQueryValue
                                                    • String ID: [regsplt]$DG
                                                    • API String ID: 3554306468-1089238109
                                                    • Opcode ID: bdfd4bea99a2a56e0bf69a035c0c9d08caa5f3d1df37628ba4533c7e0d6d2cae
                                                    • Instruction ID: a28855c8467dc88eaaa14c2ad720c73ed52e1c745f0e0c0b8cf84a63aeea62c1
                                                    • Opcode Fuzzy Hash: bdfd4bea99a2a56e0bf69a035c0c9d08caa5f3d1df37628ba4533c7e0d6d2cae
                                                    • Instruction Fuzzy Hash: 99512E72108345AFD310EF61D995DEBB7ECEF84744F00493EB585D2191EB74EA088B6A
                                                    APIs
                                                      • Part of subcall function 00433529: EnterCriticalSection.KERNEL32(00470D18,?,00475D4C,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433534
                                                      • Part of subcall function 00433529: LeaveCriticalSection.KERNEL32(00470D18,?,0040AE8B,00475D4C,?,00000000,00000000), ref: 00433571
                                                      • Part of subcall function 004338B5: __onexit.LIBCMT ref: 004338BB
                                                    • __Init_thread_footer.LIBCMT ref: 0040AEA7
                                                      • Part of subcall function 004334DF: EnterCriticalSection.KERNEL32(00470D18,00475D4C,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 004334E9
                                                      • Part of subcall function 004334DF: LeaveCriticalSection.KERNEL32(00470D18,?,0040AEAC,00475D4C,00456DA7,?,00000000,00000000), ref: 0043351C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CriticalSection$EnterLeave$Init_thread_footer__onexit
                                                    • String ID: [End of clipboard]$[Text copied to clipboard]$L]G$P]G
                                                    • API String ID: 2974294136-4018440003
                                                    • Opcode ID: b82003dba18b260b6b367d1d56eee30e8a04c9e681fd49378d646ec93357fd77
                                                    • Instruction ID: f936e1d100a0b91fb3cd099947d4fcefdabc4258effb679c9043d151633dcd27
                                                    • Opcode Fuzzy Hash: b82003dba18b260b6b367d1d56eee30e8a04c9e681fd49378d646ec93357fd77
                                                    • Instruction Fuzzy Hash: EF21B131A002158ACB14FB75D8969EE7374AF54318F50403FF902771E2EF386E5A8A8D
                                                    APIs
                                                    • RegisterClassExA.USER32(00000030), ref: 0041CA7C
                                                    • CreateWindowExA.USER32(00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,000000FD,00000000,00000000,00000000), ref: 0041CA97
                                                    • GetLastError.KERNEL32 ref: 0041CAA1
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ClassCreateErrorLastRegisterWindow
                                                    • String ID: 0$MsgWindowClass
                                                    • API String ID: 2877667751-2410386613
                                                    • Opcode ID: c0911dd88a02fcfaa539e9866612e91b1c0db8d522a7ddfb79423dd2815842ef
                                                    • Instruction ID: 4bfad48e3247df46523b3088673b608286a28c5fe91561ad906263ccd1e0ab35
                                                    • Opcode Fuzzy Hash: c0911dd88a02fcfaa539e9866612e91b1c0db8d522a7ddfb79423dd2815842ef
                                                    • Instruction Fuzzy Hash: 7501E5B1D1421DAB8B01DFEADCC49EFBBBDBE49295B50452AE415B2200E7708A458BA4
                                                    APIs
                                                    • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406A00
                                                    • CloseHandle.KERNEL32(?), ref: 00406A0F
                                                    • CloseHandle.KERNEL32(?), ref: 00406A14
                                                    Strings
                                                    • C:\Windows\System32\cmd.exe, xrefs: 004069FB
                                                    • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 004069F6
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseHandle$CreateProcess
                                                    • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                                                    • API String ID: 2922976086-4183131282
                                                    • Opcode ID: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                                    • Instruction ID: df89934bb1b0a8a8050eda01f74e4a29103dee5852f25f58c468be6e25eb4aa4
                                                    • Opcode Fuzzy Hash: eb4121427644dbe92f0faf5bfcaaefbe4213ddeedd11a12955cf8af7f240737c
                                                    • Instruction Fuzzy Hash: 22F090B69402ADBACB30ABD69C0EFCF7F3CEBC5B10F00042AB605A6051D6705144CAB8
                                                    APIs
                                                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,0044259A,?,?,0044253A,?,0046DAE0,0000000C,00442691,?,00000002), ref: 00442609
                                                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 0044261C
                                                    • FreeLibrary.KERNEL32(00000000,?,?,?,0044259A,?,?,0044253A,?,0046DAE0,0000000C,00442691,?,00000002,00000000), ref: 0044263F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: AddressFreeHandleLibraryModuleProc
                                                    • String ID: CorExitProcess$mscoree.dll
                                                    • API String ID: 4061214504-1276376045
                                                    • Opcode ID: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                                    • Instruction ID: e7b95c4573467c94f6f12cd45ce5b447d53bb0dab0bc43500ba4ddd7032d9ec5
                                                    • Opcode Fuzzy Hash: 84f8467b83475f4999ab7b265d6d7c22c059d91a263d45f4d19e228ed4a2ac86
                                                    • Instruction Fuzzy Hash: 99F04430A04209FBDB119F95ED09B9EBFB5EB08756F4140B9F805A2251DF749D41CA9C
                                                    APIs
                                                    • RegCreateKeyW.ADVAPI32(80000001,00000000,BG), ref: 0041277F
                                                    • RegSetValueExW.ADVAPI32(BG,?,00000000,00000001,00000000,00000000,004742F8,?,0040E5CB,pth_unenc,004742E0), ref: 004127AD
                                                    • RegCloseKey.ADVAPI32(?,?,0040E5CB,pth_unenc,004742E0), ref: 004127B8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseCreateValue
                                                    • String ID: pth_unenc$BG
                                                    • API String ID: 1818849710-2233081382
                                                    • Opcode ID: 2b0b83c385fe9b11323970af50dff3bb0d924dce91bf1d9d78cbef32cf6cf5ea
                                                    • Instruction ID: fff2d7bcc465bc574364a4979b4b77ba115ffea085319746951fe37a0eeb78e5
                                                    • Opcode Fuzzy Hash: 2b0b83c385fe9b11323970af50dff3bb0d924dce91bf1d9d78cbef32cf6cf5ea
                                                    • Instruction Fuzzy Hash: 9FF0CD31500218BBDF109FA0ED46EEF37ACAB40B50F104539F902A60A1E675DB14DAA4
                                                    APIs
                                                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,004745A8,00414DB5,00000000,00000000,00000001), ref: 00404AED
                                                    • SetEvent.KERNEL32(00000304), ref: 00404AF9
                                                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00404B04
                                                    • CloseHandle.KERNEL32(00000000), ref: 00404B0D
                                                      • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                                                    • String ID: KeepAlive | Disabled
                                                    • API String ID: 2993684571-305739064
                                                    • Opcode ID: 706b613343be8dae912c097df07bb168f2a932249c2424fe80eb320cd199b408
                                                    • Instruction ID: 6d19fc1829a92c7d53a4a1495ceb054f41c43dbe57a1f104861afa743dff4d10
                                                    • Opcode Fuzzy Hash: 706b613343be8dae912c097df07bb168f2a932249c2424fe80eb320cd199b408
                                                    • Instruction Fuzzy Hash: CDF0BBB19043007FDB1137759D0E66B7F58AB46325F00457FF892926F1DA38D890C75A
                                                    APIs
                                                      • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                    • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 00419F74
                                                    • PlaySoundW.WINMM(00000000,00000000), ref: 00419F82
                                                    • Sleep.KERNEL32(00002710), ref: 00419F89
                                                    • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 00419F92
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: PlaySound$HandleLocalModuleSleepTime
                                                    • String ID: Alarm triggered
                                                    • API String ID: 614609389-2816303416
                                                    • Opcode ID: 639ba6f34a921cef31bf8efcaa9c44f722cdb1a3cf49c6cc12d230aeec66adff
                                                    • Instruction ID: 9f384250976fc0018356f16acd63f039c2840ecbd7916ddbe948a6dbceb933d3
                                                    • Opcode Fuzzy Hash: 639ba6f34a921cef31bf8efcaa9c44f722cdb1a3cf49c6cc12d230aeec66adff
                                                    • Instruction Fuzzy Hash: 0AE09A22A0422037862033BA7C0FC2F3E28DAC6B71B4000BFF905A61A2AE540810C6FB
                                                    APIs
                                                    • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041BF12), ref: 0041BE89
                                                    • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF12), ref: 0041BE96
                                                    • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041BF12), ref: 0041BEA3
                                                    • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041BF12), ref: 0041BEB6
                                                    Strings
                                                    • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041BEA9
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Console$AttributeText$BufferHandleInfoScreen
                                                    • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                                                    • API String ID: 3024135584-2418719853
                                                    • Opcode ID: b49fb2298264b14de8b5a7e9b756d7938e22e1a5816d236ca91e9d4b7b0725d3
                                                    • Instruction ID: 2ebb83c1e7e70c4501562f07591cf8b091918c9767bda4cb27a2f29097fd03e7
                                                    • Opcode Fuzzy Hash: b49fb2298264b14de8b5a7e9b756d7938e22e1a5816d236ca91e9d4b7b0725d3
                                                    • Instruction Fuzzy Hash: C7E04F62104348ABD31437F5BC8ECAB3B7CE784613B100536F612903D3EA7484448A79
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 5145828a6066f50cf31ff859ee0e23af4d85e603a01b225214a849b1d7000abc
                                                    • Instruction ID: 7508e0c950cfb5c07cf094bbf9e96825b82cecf32722f8b1b9d99ff1c2b3a0ae
                                                    • Opcode Fuzzy Hash: 5145828a6066f50cf31ff859ee0e23af4d85e603a01b225214a849b1d7000abc
                                                    • Instruction Fuzzy Hash: 0171C5319043169BEB21CF55C884ABFBB75FF51360F14426BEE50A7281C7B89C61CBA9
                                                    APIs
                                                      • Part of subcall function 004105B9: SetLastError.KERNEL32(0000000D,00410B38,?,00000000), ref: 004105BF
                                                    • GetNativeSystemInfo.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410BC4
                                                    • GetProcessHeap.KERNEL32(00000008,00000040,?,?,00000000), ref: 00410C2A
                                                    • HeapAlloc.KERNEL32(00000000,?,?,00000000), ref: 00410C31
                                                    • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00410D3F
                                                    • SetLastError.KERNEL32(000000C1,?,00000000,?,?,?,?,?,?,?,?,?,?,?,?,00410B15), ref: 00410D69
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast$Heap$AllocInfoNativeProcessSystem
                                                    • String ID:
                                                    • API String ID: 3525466593-0
                                                    • Opcode ID: d29f1b7113f080e4870f36b8e837f1b4da9fc16b6a23fadf89bc0212f3888b6d
                                                    • Instruction ID: 8d6069787765cd8089b920b9a1774e70d04059e2b0db351aafb66b48fc3d0dee
                                                    • Opcode Fuzzy Hash: d29f1b7113f080e4870f36b8e837f1b4da9fc16b6a23fadf89bc0212f3888b6d
                                                    • Instruction Fuzzy Hash: 3161C370200301ABD720DF66C981BA77BA6BF44744F04411AF9058B786EBF8E8C5CB99
                                                    APIs
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free
                                                    • String ID:
                                                    • API String ID: 269201875-0
                                                    • Opcode ID: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                    • Instruction ID: 83c4e6e90d702b2f07d890eb74d666dbf881ebcc09a41958ef300e35f10bd01d
                                                    • Opcode Fuzzy Hash: f0a2e76299140c1b889b6a2776586b742041be663085ede9ef76686f57abf0cb
                                                    • Instruction Fuzzy Hash: 6041F732A002049FEB24DF79C881A5EB7B5EF89718F1585AEE515EB341DB35EE01CB84
                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(?,00000000,?,?,00000000,00000000,0043E3FD,?,00000000,?,00000001,?,?,00000001,0043E3FD,?), ref: 0044FF30
                                                    • __alloca_probe_16.LIBCMT ref: 0044FF68
                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0044FFB9
                                                    • GetStringTypeW.KERNEL32(?,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,004399CF,?), ref: 0044FFCB
                                                    • __freea.LIBCMT ref: 0044FFD4
                                                      • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                                                    • String ID:
                                                    • API String ID: 313313983-0
                                                    • Opcode ID: f170efb2dc1c6de9df76393386ebf7cd534c4364e4366eebd744cf228c8edce4
                                                    • Instruction ID: e1bca46ef404bc628c8ce9314a93e43560c5f9fd50e6ec62d56fad3e85d1de09
                                                    • Opcode Fuzzy Hash: f170efb2dc1c6de9df76393386ebf7cd534c4364e4366eebd744cf228c8edce4
                                                    • Instruction Fuzzy Hash: B731DC32A0020AABEB248F65DC81EAF7BA5EB01314F04417AFC05D7251E739DD59CBA8
                                                    APIs
                                                    • GetEnvironmentStringsW.KERNEL32 ref: 0044E154
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044E177
                                                      • Part of subcall function 00446B0F: RtlAllocateHeap.NTDLL(00000000,00434413,?,?,00437237,?,?,?,?,?,0040CC87,00434413,?,?,?,?), ref: 00446B41
                                                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044E19D
                                                    • _free.LIBCMT ref: 0044E1B0
                                                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044E1BF
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                                                    • String ID:
                                                    • API String ID: 336800556-0
                                                    • Opcode ID: a9616c8c015984253ca72814521cc13fd9597de4e0bdad696dd641cecd3264f2
                                                    • Instruction ID: 6461b62384d036c2086eeacc55d57ac9fa1e09cc40192d7ba399f745acfb761f
                                                    • Opcode Fuzzy Hash: a9616c8c015984253ca72814521cc13fd9597de4e0bdad696dd641cecd3264f2
                                                    • Instruction Fuzzy Hash: 7301D4726417117F33215AB76C8CC7B7A6DEAC6FA5319013AFC04D2241DA788C0291B9
                                                    APIs
                                                    • GetLastError.KERNEL32(0000000A,0000000B,0000000A,00445369,00440AAB,00000000,?,?,?,?,00440C8E,00000000,0000000A,000000FF,0000000A,00000000), ref: 00446F58
                                                    • _free.LIBCMT ref: 00446F8D
                                                    • _free.LIBCMT ref: 00446FB4
                                                    • SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 00446FC1
                                                    • SetLastError.KERNEL32(00000000,0000000A,00000000), ref: 00446FCA
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorLast$_free
                                                    • String ID:
                                                    • API String ID: 3170660625-0
                                                    • Opcode ID: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                                    • Instruction ID: 63179894ab579f9662c65df04eda1c4e2cfad31ee62bae45dd706db9c2735e37
                                                    • Opcode Fuzzy Hash: d9a11e8b10a3382acc57acd06360e0df9f500200efacd02ff515e0ca4c66fe47
                                                    • Instruction Fuzzy Hash: 4F01D67620C7006BF61227757C85D2B1669EBC3776727013FF859A2292EE6CCC0A415F
                                                    APIs
                                                    • OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
                                                    • OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
                                                    • GetProcessImageFileNameW.PSAPI(00000000,?,00000104,?,00000000,00000000,00000000), ref: 0041B3D8
                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3E3
                                                    • CloseHandle.KERNEL32(00000000,?,00000000,00000000,00000000), ref: 0041B3EB
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Process$CloseHandleOpen$FileImageName
                                                    • String ID:
                                                    • API String ID: 2951400881-0
                                                    • Opcode ID: db4a41822c85b6549257f18fa46790b7e5e5d5e6a524df97c50e7420b53bdc77
                                                    • Instruction ID: d8943217945b3e3bc9c1dbf33fc4ac7f726da2cd485b5cd5dbfa96192dfeb6c9
                                                    • Opcode Fuzzy Hash: db4a41822c85b6549257f18fa46790b7e5e5d5e6a524df97c50e7420b53bdc77
                                                    • Instruction Fuzzy Hash: 67F04971204209ABD3026794AC4AFEBB26CDF44B96F000037FA11D22A2FF74CCC146A9
                                                    APIs
                                                    • _free.LIBCMT ref: 0044F7C5
                                                      • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A), ref: 00446AEB
                                                      • Part of subcall function 00446AD5: GetLastError.KERNEL32(0000000A,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A,0000000A), ref: 00446AFD
                                                    • _free.LIBCMT ref: 0044F7D7
                                                    • _free.LIBCMT ref: 0044F7E9
                                                    • _free.LIBCMT ref: 0044F7FB
                                                    • _free.LIBCMT ref: 0044F80D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    • Opcode ID: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                    • Instruction ID: 070623068f58a673a03bb4c9f7ddd8597c716d05cca38f31fa25b5a97b2bc473
                                                    • Opcode Fuzzy Hash: 24d082c4c32556380d94a426a0797d769337f58152c77e2724906da83e703e03
                                                    • Instruction Fuzzy Hash: CBF01232505610ABA620EB59F9C1C1773EAEA427247A5882BF048F7A41C77DFCC0866C
                                                    APIs
                                                    • _free.LIBCMT ref: 00443315
                                                      • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A), ref: 00446AEB
                                                      • Part of subcall function 00446AD5: GetLastError.KERNEL32(0000000A,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A,0000000A), ref: 00446AFD
                                                    • _free.LIBCMT ref: 00443327
                                                    • _free.LIBCMT ref: 0044333A
                                                    • _free.LIBCMT ref: 0044334B
                                                    • _free.LIBCMT ref: 0044335C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free$ErrorFreeHeapLast
                                                    • String ID:
                                                    • API String ID: 776569668-0
                                                    • Opcode ID: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                                    • Instruction ID: ba617ab3bec5ed021708e8d9793ec2f19a393bb4d037fa002b455214101d6763
                                                    • Opcode Fuzzy Hash: ab870860b33c9a3cd44b9e2e3565930e421ff68453c6808a8f097650461ead98
                                                    • Instruction Fuzzy Hash: E1F03AB08075208FA712AF6DBD014493BA1F706764342513BF41AB2A71EB780D81DA8E
                                                    APIs
                                                    • GetWindowThreadProcessId.USER32(?,?), ref: 00416768
                                                    • GetWindowTextW.USER32(?,?,0000012C), ref: 0041679A
                                                    • IsWindowVisible.USER32(?), ref: 004167A1
                                                      • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000,00000000), ref: 0041B3A5
                                                      • Part of subcall function 0041B38D: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,00000000,00000000), ref: 0041B3B8
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ProcessWindow$Open$TextThreadVisible
                                                    • String ID: (FG
                                                    • API String ID: 3142014140-2273637114
                                                    • Opcode ID: 9c79950384effebaea9bf5315d724d682c4e552b57ef82da1617336c4fbf6aa3
                                                    • Instruction ID: 0f4eca603db080fccf2d1fd4ef2663101a063c6717372172f7cb8e83fece0a9a
                                                    • Opcode Fuzzy Hash: 9c79950384effebaea9bf5315d724d682c4e552b57ef82da1617336c4fbf6aa3
                                                    • Instruction Fuzzy Hash: 4871E5321082454AC325FB61D8A5ADFB3E4AFE4308F50453EF58A530E1EF746A49CB9A
                                                    APIs
                                                    • _strpbrk.LIBCMT ref: 0044D4B8
                                                    • _free.LIBCMT ref: 0044D5D5
                                                      • Part of subcall function 0043A864: IsProcessorFeaturePresent.KERNEL32(00000017,0043A836,00000000,0000000A,0000000A,00000000,0041AD77,00000022,?,?,0043A843,00000000,00000000,00000000,00000000,00000000), ref: 0043A866
                                                      • Part of subcall function 0043A864: GetCurrentProcess.KERNEL32(C0000417,0000000A,00000000), ref: 0043A888
                                                      • Part of subcall function 0043A864: TerminateProcess.KERNEL32(00000000), ref: 0043A88F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                                                    • String ID: *?$.
                                                    • API String ID: 2812119850-3972193922
                                                    • Opcode ID: 3ccd6c7c6263025d80bbf4df8e19646480fb990c35b4b1cfbff97afb24dbcef1
                                                    • Instruction ID: 5f997c8b803d418df4da1c9987192ed3b052b04d21a58de33721a68e59565ce0
                                                    • Opcode Fuzzy Hash: 3ccd6c7c6263025d80bbf4df8e19646480fb990c35b4b1cfbff97afb24dbcef1
                                                    • Instruction Fuzzy Hash: AC519571D00209AFEF14DFA9C841AAEB7B5EF58318F24816FE454E7341DA799E01CB54
                                                    APIs
                                                    • GetKeyboardLayoutNameA.USER32(?), ref: 00409601
                                                      • Part of subcall function 004041F1: socket.WS2_32(?,00000001,00000006), ref: 00404212
                                                      • Part of subcall function 0040428C: connect.WS2_32(?,?,?), ref: 004042A5
                                                      • Part of subcall function 0041B6BA: CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,?,00000000,00409689,00473EE8,?,00473EE8,00000000,00473EE8,00000000), ref: 0041B6CF
                                                      • Part of subcall function 00404468: send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateFileKeyboardLayoutNameconnectsendsocket
                                                    • String ID: XCG$`AG$>G
                                                    • API String ID: 2334542088-2372832151
                                                    • Opcode ID: 00ea031b35fe0dcf3e6aee1b05692aa2f53a6727008682770bd88c291a01c214
                                                    • Instruction ID: 51992e77998e29381c1adf086b38d2340c1e01042c89ae8fe5bc0f900910b53e
                                                    • Opcode Fuzzy Hash: 00ea031b35fe0dcf3e6aee1b05692aa2f53a6727008682770bd88c291a01c214
                                                    • Instruction Fuzzy Hash: 5E5132321042405AC325F775D8A2AEF73E5ABE4308F50493FF94A631E2EE785949C69E
                                                    APIs
                                                    • GetModuleFileNameA.KERNEL32(00000000,C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe,00000104), ref: 00442724
                                                    • _free.LIBCMT ref: 004427EF
                                                    • _free.LIBCMT ref: 004427F9
                                                    Strings
                                                    • C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe, xrefs: 0044271B, 00442722, 00442751, 00442789
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _free$FileModuleName
                                                    • String ID: C:\Users\user\Desktop\17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f4521342673.dat-decoded.exe
                                                    • API String ID: 2506810119-1959031193
                                                    • Opcode ID: 517ef8501d39ed80bd5d3989cd54e6cd38b7eb486680de81052e85c6479d25b4
                                                    • Instruction ID: a09326ba0634f9fc59332e3a0850bb80beab61cea56b0999b5ec2e0ea5ed553b
                                                    • Opcode Fuzzy Hash: 517ef8501d39ed80bd5d3989cd54e6cd38b7eb486680de81052e85c6479d25b4
                                                    • Instruction Fuzzy Hash: 04318075A00218AFEB21DF999D8199EBBFCEB85354B50406BF80497311D6B88E81CB59
                                                    APIs
                                                    • send.WS2_32(000002FC,00000000,00000000,00000000), ref: 004044FD
                                                    • WaitForSingleObject.KERNEL32(00000328,00000000,LAL,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000), ref: 0040450E
                                                    • SetEvent.KERNEL32(00000328,?,?,00000004,?,?,00000004,00473EE8,004745A8,00000000,?,?,?,?,?,00414CE9), ref: 0040453C
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: EventObjectSingleWaitsend
                                                    • String ID: LAL
                                                    • API String ID: 3963590051-3302426157
                                                    • Opcode ID: 889e258d40d688e8ee903db4c56f8f2297e8d08d484f71769d69523f674e6bf6
                                                    • Instruction ID: 8f6f307dcfa5e25975ae7096dc57d747427bb4b25c3784bf73346896dbb4b4c1
                                                    • Opcode Fuzzy Hash: 889e258d40d688e8ee903db4c56f8f2297e8d08d484f71769d69523f674e6bf6
                                                    • Instruction Fuzzy Hash: B82123B29001196BCF04ABA5DC96DEE777CBF54358B00413EF916B21E1EA78AA04D6A4
                                                    APIs
                                                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00403A2A
                                                      • Part of subcall function 0041AB48: GetCurrentProcessId.KERNEL32(00000000,75923530,00000000,?,?,?,?,00465900,0040C07B,.vbs,?,?,?,?,?,004742F8), ref: 0041AB6F
                                                      • Part of subcall function 004176B6: CloseHandle.KERNEL32(00403AB9,?,?,00403AB9,00465324), ref: 004176CC
                                                      • Part of subcall function 004176B6: CloseHandle.KERNEL32($SF,?,?,00403AB9,00465324), ref: 004176D5
                                                      • Part of subcall function 0041B62A: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                                                    • Sleep.KERNEL32(000000FA,00465324), ref: 00403AFC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                                                    • String ID: /sort "Visit Time" /stext "$8>G
                                                    • API String ID: 368326130-2663660666
                                                    • Opcode ID: 247849771554e330f4c56d3a549adbf02a50afc28c9a0bb45716f413473523db
                                                    • Instruction ID: 14a2de6876ab63adfaf4c6869ac5cc0218acab93288f76d9a5f97452818968e4
                                                    • Opcode Fuzzy Hash: 247849771554e330f4c56d3a549adbf02a50afc28c9a0bb45716f413473523db
                                                    • Instruction Fuzzy Hash: 36317331A0021556CB14FBB6DC969EE7775AF90318F40007FF906B71D2EF385A8ACA99
                                                    APIs
                                                    • GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                    • wsprintfW.USER32 ref: 0040A905
                                                      • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: EventLocalTimewsprintf
                                                    • String ID: [%04i/%02i/%02i %02i:%02i:%02i $]
                                                    • API String ID: 1497725170-1359877963
                                                    • Opcode ID: f1131f2c5aa9efe0aa35bfe1aadc190762ac6710f9a6fccd412707abd6ba0ca2
                                                    • Instruction ID: fc972a95d23854bc9b4bbea89c8e615d9b1bb69bfa4db415bad433d1ad0b57c3
                                                    • Opcode Fuzzy Hash: f1131f2c5aa9efe0aa35bfe1aadc190762ac6710f9a6fccd412707abd6ba0ca2
                                                    • Instruction Fuzzy Hash: 5A118172400118AACB18FB56EC55CFE77B8AE48325F00013FF842620D1EF7C5A86C6E8
                                                    APIs
                                                      • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                      • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                      • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                    • CreateThread.KERNEL32(00000000,00000000,Function_00009993,?,00000000,00000000), ref: 0040A691
                                                    • CreateThread.KERNEL32(00000000,00000000,Function_000099B5,?,00000000,00000000), ref: 0040A69D
                                                    • CreateThread.KERNEL32(00000000,00000000,004099C1,?,00000000,00000000), ref: 0040A6A9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CreateThread$LocalTime$wsprintf
                                                    • String ID: Online Keylogger Started
                                                    • API String ID: 112202259-1258561607
                                                    • Opcode ID: 35bc90d2576dbeac95018a630539701253067ab5c51327a8f4703c5e34731f69
                                                    • Instruction ID: 11da804b7f4806bc819379157d14523832a74cbdaa40f75774c11a3885c9476d
                                                    • Opcode Fuzzy Hash: 35bc90d2576dbeac95018a630539701253067ab5c51327a8f4703c5e34731f69
                                                    • Instruction Fuzzy Hash: 8A01C4916003093AE62076368C8BDBF3A6DCA813A8F40043EF541362C3E97D5D5582FB
                                                    APIs
                                                    • CloseHandle.KERNEL32(00000000,00000000,`@,?,0044A9A1,`@,0046DD28,0000000C), ref: 0044AAD9
                                                    • GetLastError.KERNEL32(?,0044A9A1,`@,0046DD28,0000000C), ref: 0044AAE3
                                                    • __dosmaperr.LIBCMT ref: 0044AB0E
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseErrorHandleLast__dosmaperr
                                                    • String ID: `@
                                                    • API String ID: 2583163307-951712118
                                                    • Opcode ID: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                                    • Instruction ID: 27d3a2ced18f85a81fd98b99658ced531467de2cab5132fdd739c317d4e1371d
                                                    • Opcode Fuzzy Hash: e5cf9cf0863519c22c59f520a66439faf8bffb0939932f5db486048d3d382d3d
                                                    • Instruction Fuzzy Hash: 56016F3664452016F7215274694977F774D8B42738F25036FF904972D2DD6D8CC5C19F
                                                    APIs
                                                    • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00404B26), ref: 00404B40
                                                    • CloseHandle.KERNEL32(?,?,?,?,00404B26), ref: 00404B98
                                                    • SetEvent.KERNEL32(?,?,?,?,00404B26), ref: 00404BA7
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: CloseEventHandleObjectSingleWait
                                                    • String ID: Connection Timeout
                                                    • API String ID: 2055531096-499159329
                                                    • Opcode ID: f305bfd07311d1c13337a4e5318bcab9ce6904fe2946ae268386a72c1b1384b4
                                                    • Instruction ID: 87453c7fdf87cbb5f51522b6001dca4eac29197b42c1cd59420238f874304a49
                                                    • Opcode Fuzzy Hash: f305bfd07311d1c13337a4e5318bcab9ce6904fe2946ae268386a72c1b1384b4
                                                    • Instruction Fuzzy Hash: 5F01F5B1900B41AFD325BB3A9C4655ABBE0AB45315700053FF6D396BB1DA38E840CB5A
                                                    APIs
                                                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040CDC9
                                                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040CE08
                                                      • Part of subcall function 004347CD: _Yarn.LIBCPMT ref: 004347EC
                                                      • Part of subcall function 004347CD: _Yarn.LIBCPMT ref: 00434810
                                                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040CE2C
                                                     Memory Dump Source
                                                     • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                     Joe Sandbox IDA Plugin
                                                     • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Similarity
                                                    • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                                                    • String ID: bad locale name
                                                    • API String ID: 3628047217-1405518554
                                                    • Opcode ID: ea2ce83f6b871e45ddc414103f177035841d2320bb142f548fd828e1a6c8a0e7
                                                    • Instruction ID: 10a02b8eb17e148bebaf39200f5874f6183f8458c9cdff10c330f193d408b506
                                                    • Opcode Fuzzy Hash: ea2ce83f6b871e45ddc414103f177035841d2320bb142f548fd828e1a6c8a0e7
                                                    • Instruction Fuzzy Hash: 3FF0A471400204EAC324FB23D853ACA73649F54748F90497FB446214D2FF3CB618CA8C
                                                    APIs
                                                    • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
                                                     Memory Dump Source
                                                     • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                     Joe Sandbox IDA Plugin
                                                     • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Similarity
                                                    • API ID: ExecuteShell
                                                    • String ID: /C $cmd.exe$open
                                                    • API String ID: 587946157-3896048727
                                                    • Opcode ID: ee6d09c7a5be61fc2c77f0fe381f15b1933766d643093560b744fac4f5f657b7
                                                    • Instruction ID: 3ae8c2b06d9b1922b9065f49b1512f2a4b1b87a12dccb2265ed1bd098505db2c
                                                    • Opcode Fuzzy Hash: ee6d09c7a5be61fc2c77f0fe381f15b1933766d643093560b744fac4f5f657b7
                                                    • Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E
                                                    APIs
                                                    • TerminateThread.KERNEL32(Function_000099A9,00000000,004742F8,pth_unenc,0040BF26,004742E0,004742F8,?,pth_unenc), ref: 0040AFC9
                                                    • UnhookWindowsHookEx.USER32(004740F8), ref: 0040AFD5
                                                    • TerminateThread.KERNEL32(Function_00009993,00000000,?,pth_unenc), ref: 0040AFE3
                                                     Memory Dump Source
                                                     • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                     Joe Sandbox IDA Plugin
                                                     • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Similarity
                                                    • API ID: TerminateThread$HookUnhookWindows
                                                    • String ID: pth_unenc
                                                    • API String ID: 3123878439-4028850238
                                                    • Opcode ID: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                                                    • Instruction ID: c35477c7b81069fed5c639b3d306817a7c517f63bcb5e1090982200d4e51bed9
                                                    • Opcode Fuzzy Hash: 46dff24612c1799e978f47a7720dcdfa0824c6f48cf00f8dbc5bb460590095c7
                                                    • Instruction Fuzzy Hash: 32E01DB1209317DFD3101F546C84825B799EB44356324047FF6C155252C5798C54C759
                                                     Memory Dump Source
                                                     • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                     Joe Sandbox IDA Plugin
                                                     • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Similarity
                                                    • API ID: __alldvrm$_strrchr
                                                    • String ID:
                                                    • API String ID: 1036877536-0
                                                    • Opcode ID: 63f75d4c6ddf9dfadee5a9a28b1451e266bcc439c32975fae3941ae33d1a5297
                                                    • Instruction ID: 44e25d054e292963cfc005d68317528f4d38ac36d82b99eb29904231438c363e
                                                    • Opcode Fuzzy Hash: 63f75d4c6ddf9dfadee5a9a28b1451e266bcc439c32975fae3941ae33d1a5297
                                                    • Instruction Fuzzy Hash: C5A14671A042469FFB218F58C8817AFBBA1EF25354F28416FE5859B382CA3C8D45C759
                                                     Memory Dump Source
                                                     • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                     Joe Sandbox IDA Plugin
                                                     • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Similarity
                                                    • API ID: _free
                                                    • String ID:
                                                    • API String ID: 269201875-0
                                                    • Opcode ID: fc29a47a32afb3350fc3e3c96543f328580f9b5143c0f3ce58bfce5294a38304
                                                    • Instruction ID: 20fe87377ae66d6b83c96c89e5a9e0461ad99f2e5d6db859ec29947640f8945c
                                                    • Opcode Fuzzy Hash: fc29a47a32afb3350fc3e3c96543f328580f9b5143c0f3ce58bfce5294a38304
                                                    • Instruction Fuzzy Hash: CB412D31A00E005BEF24AAB94CD567F37A4EF05775F18031FFC1496293D67C8C05869A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                     Joe Sandbox IDA Plugin
                                                     • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: d2c3ac181d975cfacaee5c3ec40136b8bdf5b2422b9dd14ab5655829a2308330
                                                    • Instruction ID: 06af4f468b8ce8c690b0d071e5f1d97fd8a921e774867ed9179d92c0916ed768
                                                    • Opcode Fuzzy Hash: d2c3ac181d975cfacaee5c3ec40136b8bdf5b2422b9dd14ab5655829a2308330
                                                    • Instruction Fuzzy Hash: 3A412971A00744AFE724AF79CC41BAABBE8EB88714F10452FF511DB291E779A9818784
                                                    Strings
                                                    • Cleared browsers logins and cookies., xrefs: 0040B8EF
                                                    • [Cleared browsers logins and cookies.], xrefs: 0040B8DE
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                     Joe Sandbox IDA Plugin
                                                     • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Similarity
                                                    • API ID: Sleep
                                                    • String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
                                                    • API String ID: 3472027048-1236744412
                                                    • Opcode ID: d2a0294277962853990a195d18ad75d93c5fb84cb6733bcbd89099a09a5abd0a
                                                    • Instruction ID: 79c0b3a62e4074401f8092341c6d65849921352ddae30cadc40705057ad9e0e2
                                                    • Opcode Fuzzy Hash: d2a0294277962853990a195d18ad75d93c5fb84cb6733bcbd89099a09a5abd0a
                                                    • Instruction Fuzzy Hash: FC31891564C3816ACA11777514167EB6F958A93754F0884BFF8C42B3E3DB7A480893EF
                                                    APIs
                                                      • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
                                                      • Part of subcall function 0041265D: RegQueryValueExA.KERNEL32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412692
                                                      • Part of subcall function 0041265D: RegCloseKey.KERNEL32(00000000), ref: 0041269D
                                                    • Sleep.KERNEL32(00000BB8), ref: 004115C3
                                                     Memory Dump Source
                                                     • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                     Joe Sandbox IDA Plugin
                                                     • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Similarity
                                                    • API ID: CloseOpenQuerySleepValue
                                                    • String ID: @CG$exepath$BG
                                                    • API String ID: 4119054056-3221201242
                                                    • Opcode ID: efcd0af1208699037f09edad500f6ec840cfbf7b9737e1f52f1688804d5b7727
                                                    • Instruction ID: 3bb97b322c4281cea59bb4e220ac43bd532ded5f68553a77fc2ada00b9ce30da
                                                    • Opcode Fuzzy Hash: efcd0af1208699037f09edad500f6ec840cfbf7b9737e1f52f1688804d5b7727
                                                    • Instruction Fuzzy Hash: EC21F4A0B002042BD614B77A6C06ABF724E8BD1308F00457FBD4AA72D3DF7D9D4581AD
                                                     Memory Dump Source
                                                     • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                     Joe Sandbox IDA Plugin
                                                     • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Similarity
                                                    • API ID: SystemTimes$Sleep__aulldiv
                                                    • String ID:
                                                    • API String ID: 188215759-0
                                                    • Opcode ID: a7aecd4cc0fde8f7b051f4ea324c4733a42c71902c3a125d4e8e0ff6e46eea08
                                                    • Instruction ID: a679ad691b1e431344cd65e278b90b5c6278f623fb05ceb41248f345421e7781
                                                    • Opcode Fuzzy Hash: a7aecd4cc0fde8f7b051f4ea324c4733a42c71902c3a125d4e8e0ff6e46eea08
                                                    • Instruction Fuzzy Hash: 30215E725093009BC304DFA5D98589FB7E8EFC8754F044A2EF585D3251EA35EA49CBA3
                                                    APIs
                                                      • Part of subcall function 0041B6F6: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041B706
                                                      • Part of subcall function 0041B6F6: GetWindowTextLengthW.USER32(00000000), ref: 0041B70F
                                                      • Part of subcall function 0041B6F6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B739
                                                    • Sleep.KERNEL32(000001F4), ref: 00409C95
                                                    • Sleep.KERNEL32(00000064), ref: 00409D1F
                                                     Memory Dump Source
                                                     • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                     Joe Sandbox IDA Plugin
                                                     • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Similarity
                                                    • API ID: Window$SleepText$ForegroundLength
                                                    • String ID: [ $ ]
                                                    • API String ID: 3309952895-93608704
                                                    • Opcode ID: d9bb369aee4f6e2201f2c860cf6756c16528595133d71e2ae5baff2000eb7cae
                                                    • Instruction ID: 884b77faaa60fb736012887943be30d2742787962025037229812ea18f618e82
                                                    • Opcode Fuzzy Hash: d9bb369aee4f6e2201f2c860cf6756c16528595133d71e2ae5baff2000eb7cae
                                                    • Instruction Fuzzy Hash: 2E119F325042005BD218BB26DD17AAEB7A8AF50708F40047FF542221D3EF39AE1986DF
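The records above (the ShellExecuteW "open cmd.exe /C" launcher, the "Cleared browsers logins and cookies." log string, the RegOpenKeyExA read of the "exepath" value under HKEY_CURRENT_USER, and the GetForegroundWindow/GetWindowTextW title capture that precedes the "[ ... ]" keylog marker) are the evidence behind several of the report's signatures. The Python script below is an added example, not part of the Joe Sandbox report: it parses records in exactly this listing format and maps the API/string evidence to those behaviours. SAMPLE is a constructed excerpt of record lines copied from the listing and trimmed to the fields the parser reads; the hit labels are this example's own wording, and the only outside fact used is that 0x80000001 is HKEY_CURRENT_USER.

```python
"""Parse Joe Sandbox function records and flag Remcos-relevant evidence. Added example, not
part of the report; SAMPLE is a constructed excerpt of record lines copied from the listing
above and trimmed to the fields the parser reads."""
import re
from dataclasses import dataclass, field

SAMPLE = """\
APIs
• ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151F4
Similarity
• String ID: /C $cmd.exe$open
• Instruction Fuzzy Hash: D8E030701043006AC708FB61DC95C7F77AC9A80708F10083EB542A21E2EF3CA949C65E
APIs
Strings
• Cleared browsers logins and cookies., xrefs: 0040B8EF
Similarity
• String ID: [Cleared browsers logins and cookies.]$Cleared browsers logins and cookies.
• Instruction Fuzzy Hash: FC31891564C3816ACA11777514167EB6F958A93754F0884BFF8C42B3E3DB7A480893EF
APIs
  • Part of subcall function 0041265D: RegOpenKeyExA.KERNEL32(80000001,00000000,00000000,00020019,00000000,004742F8), ref: 00412679
• Sleep.KERNEL32(00000BB8), ref: 004115C3
Similarity
• String ID: @CG$exepath$BG
• Instruction Fuzzy Hash: EC21F4A0B002042BD614B77A6C06ABF724E8BD1308F00457FBD4AA72D3DF7D9D4581AD
APIs
  • Part of subcall function 0041B6F6: GetForegroundWindow.USER32(?), ref: 0041B706
  • Part of subcall function 0041B6F6: GetWindowTextW.USER32(00000000,00000000,00000001), ref: 0041B739
• Sleep.KERNEL32(000001F4), ref: 00409C95
Similarity
• String ID: [ $ ]
• Instruction Fuzzy Hash: 2E119F325042005BD218BB26DD17AAEB7A8AF50708F40047FF542221D3EF39AE1986DF
"""
CALL_RE = re.compile(r"^(?:Part of subcall function (?P<via>[0-9A-F]{8}): )?"
                     r"(?P<name>[^()\s]+?)\.[A-Z0-9]+(?:\((?P<args>.*)\),)? ref: (?P<ref>[0-9A-F]{8})$")
STRING_RE = re.compile(r"^(?P<text>.*), xrefs: (?P<ref>[0-9A-F]{8})$")
HEADINGS = {"APIs", "Strings", "Memory Dump Source", "Joe Sandbox IDA Plugin", "Yara matches", "Similarity"}
HKEY_CURRENT_USER = "80000001"  # hKey value shown as RegOpenKeyExA's first argument

@dataclass
class Call:
    name: str
    args: list
    ref: str       # address of the call instruction
    via: str = ""  # address of the subcall when the call is reached indirectly

@dataclass
class Record:
    calls: list = field(default_factory=list)
    strings: list = field(default_factory=list)  # (text, xref) pairs from "Strings"
    fields: dict = field(default_factory=dict)   # key/value lines under "Similarity"

    def string_ids(self):
        return self.fields.get("String ID", "").split("$")  # the report joins strings with '$'

    def call(self, name):
        return next((c for c in self.calls if c.name == name), None)

def parse(text):
    """Split the listing into records; a record ends at its Instruction Fuzzy Hash line."""
    records, cur, section = [], Record(), None
    for raw in text.splitlines():
        line = raw.strip()
        if line in HEADINGS:
            section = line
        elif line.startswith("•"):
            body = line[1:].strip()
            if section == "APIs" and (m := CALL_RE.match(body)):
                args = m["args"].split(",") if m["args"] is not None else []
                cur.calls.append(Call(m["name"], args, m["ref"], m["via"] or ""))
            elif section == "Strings" and (m := STRING_RE.match(body)):
                cur.strings.append((m["text"], m["ref"]))
            elif section == "Similarity":
                key, _, value = body.partition(":")
                cur.fields[key.strip()] = value.strip()
                if key.strip() == "Instruction Fuzzy Hash":  # last field of a record
                    records.append(cur)
                    cur, section = Record(), None
    if cur.calls or cur.strings or cur.fields:  # keep a truncated trailing record
        records.append(cur)
    return records

def triage(records):
    """(label, address) pairs for the behaviours the report's signatures describe."""
    hits = []
    for r in records:
        if (c := r.call("ShellExecuteW")) and "cmd.exe" in c.args:
            hits.append(("cmd.exe launched via ShellExecuteW", c.ref))
        for text, xref in r.strings:
            if "Cleared browsers logins and cookies" in text:
                hits.append(("browser credential/cookie wipe log message", xref))
        if (c := r.call("RegOpenKeyExA")) and c.args[:1] == [HKEY_CURRENT_USER] and "exepath" in r.string_ids():
            hits.append(("reads install path value 'exepath' under HKCU", c.ref))
        if r.call("GetForegroundWindow") and (c := r.call("GetWindowTextW")):
            hits.append(("foreground window title capture", c.ref))
    return hits
```

Run it against the full listing by passing the report text to parse() instead of SAMPLE; records whose "APIs" section is empty (CRT-only functions) still parse, they just produce no calls. The record terminator is the "Instruction Fuzzy Hash" line, which is why a report truncated mid-record, like the last one in this excerpt, is kept as a partial record rather than silently dropped.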
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                     Joe Sandbox IDA Plugin
                                                     • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
                                                    • Instruction ID: dab0b0a7df633c5b48e856b81aae527c8b914588f9bdc990e5f583acd93a84b2
                                                    • Opcode Fuzzy Hash: 18f7b12d8fbd203e6fe2bd4c4423912ade4cd6e2ab417617722edd39325a2eb9
                                                    • Instruction Fuzzy Hash: 5701F2F2A097163EF62116792CC0F6B670DDF413B9B31073BB921622E1EAE8CC42506C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                     • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                     • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                     Joe Sandbox IDA Plugin
                                                     • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Similarity
                                                    • API ID:
                                                    • String ID:
                                                    • API String ID:
                                                    • Opcode ID: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                                                    • Instruction ID: 297bbf4b6e7cb62aad9c1df2c980cfc74e2a715ef03096c7e716b38b90e38ed5
                                                    • Opcode Fuzzy Hash: 8aedf970bdaeb9d9c72bc659829c2e19759f544123fe9e87a80c2ba2346fca48
                                                    • Instruction Fuzzy Hash: 5401D1F2A096167EB7201A7A7DC0D67624EDF823B9371033BF421612D5EAA88C408179
                                                    APIs
                                                    • ___BuildCatchObject.LIBVCRUNTIME ref: 0043811F
                                                      • Part of subcall function 0043806C: BuildCatchObjectHelperInternal.LIBVCRUNTIME ref: 0043809B
                                                      • Part of subcall function 0043806C: ___AdjustPointer.LIBCMT ref: 004380B6
                                                    • _UnwindNestedFrames.LIBCMT ref: 00438134
                                                    • __FrameHandler3::FrameUnwindToState.LIBVCRUNTIME ref: 00438145
                                                    • CallCatchBlock.LIBVCRUNTIME ref: 0043816D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Catch$BuildFrameObjectUnwind$AdjustBlockCallFramesHandler3::HelperInternalNestedPointerState
                                                    • String ID:
                                                    • API String ID: 737400349-0
                                                    • Opcode ID: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                    • Instruction ID: b756294ed3ea81ca49fa364012696409ae819ba0eb544c37e892c8a1feda9a6f
                                                    • Opcode Fuzzy Hash: c8370f5f766c88f9b882548d03e746073a9763e8d7037f7b78bb80a5d64990c6
                                                    • Instruction Fuzzy Hash: D7012D72100208BBDF126E96CC45DEB7B69EF4C758F04501DFE4866121C73AE862DBA4
                                                    APIs
                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,004471C7,00000000,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue), ref: 00447252
                                                    • GetLastError.KERNEL32(?,004471C7,00000000,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000,00000364,?,00446FA1), ref: 0044725E
                                                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,004471C7,00000000,00000000,00000000,00000000,?,004474F3,00000006,FlsSetValue,0045D328,FlsSetValue,00000000), ref: 0044726C
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LibraryLoad$ErrorLast
                                                    • String ID:
                                                    • API String ID: 3177248105-0
                                                    • Opcode ID: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                    • Instruction ID: b3fe555fe56df17639c4036f58dc3a809bdc468a9df6621700516029eed46faf
                                                    • Opcode Fuzzy Hash: ae052748fea16bfd64aed14cfe47709c8c773e0353203442da9e9610ebb1fa47
                                                    • Instruction Fuzzy Hash: 0D01D432649323ABD7214B79BC44A5737D8BB05BA2B2506B1F906E3241D768D802CAE8
                                                    APIs
                                                    • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409F65), ref: 0041B643
                                                    • GetFileSize.KERNEL32(00000000,00000000), ref: 0041B657
                                                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041B67C
                                                    • CloseHandle.KERNEL32(00000000), ref: 0041B68A
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: File$CloseCreateHandleReadSize
                                                    • String ID:
                                                    • API String ID: 3919263394-0
                                                    • Opcode ID: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                                    • Instruction ID: 3f34627ebf18732c46889562bde790f52735f321db32931f0b6625c87776b378
                                                    • Opcode Fuzzy Hash: 5b639659936e0bf80293aa969ecd5facc1abbd81689efef7b5bf737102e1771e
                                                    • Instruction Fuzzy Hash: 81F0F6B12053047FE6101B21BC85FBF375CDB967A5F00027EFC01A22D1DA658C4591BA
                                                    APIs
                                                    • GetSystemMetrics.USER32(0000004C), ref: 00418529
                                                    • GetSystemMetrics.USER32(0000004D), ref: 0041852F
                                                    • GetSystemMetrics.USER32(0000004E), ref: 00418535
                                                    • GetSystemMetrics.USER32(0000004F), ref: 0041853B
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: MetricsSystem
                                                    • String ID:
                                                    • API String ID: 4116985748-0
                                                    • Opcode ID: a3bedc3d93ee6e0b45313aeec5082688588fe46082e633aeec829f05b9632c7f
                                                    • Instruction ID: f480d68fafb364c29fc67a5f666d93eee18e0abee54110dfc95006384cbaadd6
                                                    • Opcode Fuzzy Hash: a3bedc3d93ee6e0b45313aeec5082688588fe46082e633aeec829f05b9632c7f
                                                    • Instruction Fuzzy Hash: 72F0D672B043256BCA00EA7A4C4156FAB97DFC46A4F25083FE6059B341DE78EC4647D9
                                                    APIs
                                                    • __startOneArgErrorHandling.LIBCMT ref: 00441F7D
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorHandling__start
                                                    • String ID: pow
                                                    • API String ID: 3213639722-2276729525
                                                    • Opcode ID: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
                                                    • Instruction ID: b0758be5652a64c1ac5d647a76b92dde9bac1040a8da8be5e5c84d6172790ea5
                                                    • Opcode Fuzzy Hash: c11d7b0c0eb8e10153fe90c38a808d625a788e1790705f3c08302100bb714254
                                                    • Instruction Fuzzy Hash: E6515A61A0A20296F7117B14C98136F6B949B50741F288D6BF085823F9EF3DCCDB9A4E
                                                    APIs
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: _memcmp
                                                    • String ID: 4[G$4[G
                                                    • API String ID: 2931989736-4028565467
                                                    • Opcode ID: 499d9a999da2a443c979618ec85ef4d06b5b2aab7498d5870cc08a11d2f7c627
                                                    • Instruction ID: 33b36a833443cc607bae0a2c4f054eab59dd7b99d1d8389eb50a0704093c1055
                                                    • Opcode Fuzzy Hash: 499d9a999da2a443c979618ec85ef4d06b5b2aab7498d5870cc08a11d2f7c627
                                                    • Instruction Fuzzy Hash: E56110716047069AC714DF28D8406B3B7A8FF98304F44063EEC5D8F656E778AA25CBAD
                                                    APIs
                                                    • GetCPInfo.KERNEL32(?,?,00000005,?,00000000), ref: 0044DB69
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Info
                                                    • String ID: $vD
                                                    • API String ID: 1807457897-3636070802
                                                    • Opcode ID: af305b060504fe74110eba1b75a066a7b29ec04ef294ab3684049637f65bd75b
                                                    • Instruction ID: 639e137743dbd1cdb094e6b6e994140176401b7572b89e22c1ac552797110b95
                                                    • Opcode Fuzzy Hash: af305b060504fe74110eba1b75a066a7b29ec04ef294ab3684049637f65bd75b
                                                    • Instruction Fuzzy Hash: 6A411C709043889AEF218F24CCC4AF6BBF9DF45308F1404EEE58A87242D279AA45DF65
                                                    APIs
                                                    • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417C18
                                                      • Part of subcall function 004177A2: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417C2B,00000000,?,?,?,?,00000000), ref: 004177B6
                                                    • SHCreateMemStream.SHLWAPI(00000000), ref: 00417C65
                                                      • Part of subcall function 00417815: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417C81,00000000,?,?), ref: 00417827
                                                      • Part of subcall function 004177C5: GdipDisposeImage.GDIPLUS(?,00417CDC), ref: 004177CE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                    • String ID: image/jpeg
                                                    • API String ID: 1291196975-3785015651
                                                    • Opcode ID: d4376d3aa41ba41f336d454eb71a79e6a36b8bd1c58ceebdc91cf2e64db4f38d
                                                    • Instruction ID: 3c33996df4896106dd3ee16a81609d02114e1f450a3ece369daacccd15328daf
                                                    • Opcode Fuzzy Hash: d4376d3aa41ba41f336d454eb71a79e6a36b8bd1c58ceebdc91cf2e64db4f38d
                                                    • Instruction Fuzzy Hash: 72315C75508300AFC301AF65C884DAFBBF9FF8A704F000A2EF94597251DB79A905CBA6
                                                    APIs
                                                    • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450B49,?,00000050,?,?,?,?,?), ref: 004509C9
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: ACP$OCP
                                                    • API String ID: 0-711371036
                                                    • Opcode ID: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                    • Instruction ID: 0ee4350655218b6c75cd3052c0190142cf4d5733969cac988e1a0851f3347a37
                                                    • Opcode Fuzzy Hash: c357b999de04d1742fe2857fcf8a245ff63c46433d95171d83c673f3fe2cd13c
                                                    • Instruction Fuzzy Hash: 832148EBA00100A6F7308F55C801B9773AAAB90B23F564426EC49D730BF73ADE08C358
                                                    APIs
                                                    • SHCreateMemStream.SHLWAPI(00000000,00000000,?,?,?,00000000), ref: 00417D04
                                                      • Part of subcall function 004177A2: GdipLoadImageFromStream.GDIPLUS(?,?,?,00417C2B,00000000,?,?,?,?,00000000), ref: 004177B6
                                                    • SHCreateMemStream.SHLWAPI(00000000,00000000,00000000,?,?,?,?,00000000), ref: 00417D29
                                                      • Part of subcall function 00417815: GdipSaveImageToStream.GDIPLUS(?,?,?,?,00000000,00417C81,00000000,?,?), ref: 00417827
                                                      • Part of subcall function 004177C5: GdipDisposeImage.GDIPLUS(?,00417CDC), ref: 004177CE
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: Stream$GdipImage$Create$DisposeFromLoadSave
                                                    • String ID: image/png
                                                    • API String ID: 1291196975-2966254431
                                                    • Opcode ID: 157e3c84acb298c00b8a811f8dbb714bd95cc3abe4333fe7ddc149ff661122fd
                                                    • Instruction ID: 1f40aeda14031b83fd9eea2ddee5e82f5a36372f8d90ac1696f7ac499827f772
                                                    • Opcode Fuzzy Hash: 157e3c84acb298c00b8a811f8dbb714bd95cc3abe4333fe7ddc149ff661122fd
                                                    • Instruction Fuzzy Hash: 4621A135204211AFC300AF61CC88CAFBBBDEFCA755F10052EF90693151DB399945CBA6
                                                    APIs
                                                    • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 004049F1
                                                      • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                    • GetLocalTime.KERNEL32(?,00473EE8,004745A8,?,?,?,?,?,?,?,00414D7D,?,00000001,0000004C,00000000), ref: 00404A4E
                                                    Strings
                                                    • KeepAlive | Enabled | Timeout: , xrefs: 004049E5
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LocalTime
                                                    • String ID: KeepAlive | Enabled | Timeout:
                                                    • API String ID: 481472006-1507639952
                                                    • Opcode ID: 9629856601c2ade6b9171a8da2872b59cbc4edb5dc9735de265d34bbd197e3ce
                                                    • Instruction ID: 8fc2066b5dd234cef981570443e677007340a491061b3c72667858eadfbc0999
                                                    • Opcode Fuzzy Hash: 9629856601c2ade6b9171a8da2872b59cbc4edb5dc9735de265d34bbd197e3ce
                                                    • Instruction Fuzzy Hash: EF2129A1A042806BC310FB6A980676B7B9457D1315F48417EF948532E2EB3C5999CB9F
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID:
                                                    • String ID: LG$XG
                                                    • API String ID: 0-1482930923
                                                    • Opcode ID: c15126115d7b74b818ce8cc4bfc83f894c4a74ec01747284a75d25f55942686d
                                                    • Instruction ID: 7c4b062fcb32332b9137c766d59a1203f687c3695f5e31fbe0a477c862ff6f2a
                                                    • Opcode Fuzzy Hash: c15126115d7b74b818ce8cc4bfc83f894c4a74ec01747284a75d25f55942686d
                                                    • Instruction Fuzzy Hash: 07110AB5D01714AACF20DFA998017CFB7A55F05725F14D16BEC18EB281D378EB408798
                                                    APIs
                                                    • GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                    Strings
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LocalTime
                                                    • String ID: | $%02i:%02i:%02i:%03i
                                                    • API String ID: 481472006-2430845779
                                                    • Opcode ID: 7c541b1fe11d74047bf4de15ff6413637149af1765b06644cf8be9994c192f8f
                                                    • Instruction ID: f196d4ed1927782274832919bda13c77b2b6189c6c06a517aeeeb96a95a688aa
                                                    • Opcode Fuzzy Hash: 7c541b1fe11d74047bf4de15ff6413637149af1765b06644cf8be9994c192f8f
                                                    • Instruction Fuzzy Hash: 81114C725082045AC704EBA5D8568AF73E8EB94708F10053FFC85931E1EF38DA84C69E
                                                    APIs
                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00412612
                                                    • RegQueryValueExW.ADVAPI32(?,?,00000000,?,00000000,?), ref: 00412648
                                                    Strings
                                                    Yara matches
                                                    Similarity
                                                    • API ID: QueryValue
                                                    • String ID: TUF
                                                    • API String ID: 3660427363-3431404234
                                                    • Opcode ID: ea05bdfc88d730103140c1813835b768b0c4990d0bb52d9cb4e5ffcfc942b32d
                                                    • Instruction ID: c735b93b908d9d71aa6a4d05a3740b5a2597980304af3aa5722c76a25f50973a
                                                    • Opcode Fuzzy Hash: ea05bdfc88d730103140c1813835b768b0c4990d0bb52d9cb4e5ffcfc942b32d
                                                    • Instruction Fuzzy Hash: B201A2B6A00108BFEB04EB95DD46EFFBABDEF44240F10007AF901E2251E6B4AF009664
                                                    APIs
                                                    • PathFileExistsW.SHLWAPI(00000000), ref: 00419EBE
                                                    Strings
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ExistsFilePath
                                                    • String ID: TUF$alarm.wav
                                                    • API String ID: 1174141254-147985980
                                                    • Opcode ID: bb35db19ecf725e66f50cc2985e16286bdf7f8f1df2ddcf995444714096ddcfa
                                                    • Instruction ID: dd13df65ec224498850e23f6f848d4e774319f78d5db457f3497a795ed38963e
                                                    • Opcode Fuzzy Hash: bb35db19ecf725e66f50cc2985e16286bdf7f8f1df2ddcf995444714096ddcfa
                                                    • Instruction Fuzzy Hash: F301927060420166C604B676D866AEE77418BC1719F50413FF88A966E2EF7C9EC6C2CF
                                                    APIs
                                                      • Part of subcall function 0040A876: GetLocalTime.KERNEL32(?,?,00000000), ref: 0040A884
                                                      • Part of subcall function 0040A876: wsprintfW.USER32 ref: 0040A905
                                                      • Part of subcall function 0041A696: GetLocalTime.KERNEL32(00000000), ref: 0041A6B0
                                                    • CloseHandle.KERNEL32(?), ref: 0040A7CA
                                                    • UnhookWindowsHookEx.USER32 ref: 0040A7DD
                                                    Strings
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                                                    • String ID: Online Keylogger Stopped
                                                    • API String ID: 1623830855-1496645233
                                                    • Opcode ID: aa2cc70d391a599e14960110e5ba635763145c369873a0ecd25f92c1668795cb
                                                    • Instruction ID: 9ca866747e1af720c58b6b078daeda0145c7b5fd7bd766bf2ea1503866da158c
                                                    • Opcode Fuzzy Hash: aa2cc70d391a599e14960110e5ba635763145c369873a0ecd25f92c1668795cb
                                                    • Instruction Fuzzy Hash: 8101D431A043019BDB25BB35C80B7AEBBB19B45315F40407FE481275D2EB7999A6C3DB
                                                    APIs
                                                    • waveInPrepareHeader.WINMM(0086FD78,00000020,?,?,00000000,00475B90,00473EE8,?,00000000,00401913), ref: 00401747
                                                    • waveInAddBuffer.WINMM(0086FD78,00000020,?,00000000,00401913), ref: 0040175D
                                                    Strings
                                                    Yara matches
                                                    Similarity
                                                    • API ID: wave$BufferHeaderPrepare
                                                    • String ID: T=G
                                                    • API String ID: 2315374483-379896819
                                                    • Opcode ID: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                                    • Instruction ID: f8644d152c35c587af506687758c025c54344a6e575747702fe1289d7b8da532
                                                    • Opcode Fuzzy Hash: 0ff4070462d876ba9a0314f854ca9e5b2f4718fb39603aa566027c6b2d74496f
                                                    • Instruction Fuzzy Hash: 65018B71301300AFD7209F39EC45A69BBA9EB4931AF01413EB808D32B1EB34A8509B98
                                                    APIs
                                                    • IsValidLocale.KERNEL32(00000000,z=D,00000000,00000001,?,?,00443D7A,?,?,?,?,00000004), ref: 004477EC
                                                    Strings
                                                    Yara matches
                                                    Similarity
                                                    • API ID: LocaleValid
                                                    • String ID: IsValidLocaleName$z=D
                                                    • API String ID: 1901932003-2791046955
                                                    • Opcode ID: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                                    • Instruction ID: b87742f2873dd73c0a7d5aade023b210d3410e3306d67f57874115e62e910f2b
                                                    • Opcode Fuzzy Hash: 34048a5779238571e042b1bd9c847fb843bb8be3ea41a6d98ed8d0d1ded4c140
                                                    • Instruction Fuzzy Hash: 72F0E930A45318F7DA106B659C06F5E7B54CF05711F50807BFD046A283CE796D0285DC
                                                    APIs
                                                    Strings
                                                    Yara matches
                                                    Similarity
                                                    • API ID: H_prolog
                                                    • String ID: T=G$T=G
                                                    • API String ID: 3519838083-3732185208
                                                    • Opcode ID: 138b4589fff14f79146b4c81e53a501c98e6cc4b2bf129928705b8782f8e57ab
                                                    • Instruction ID: f0e76400c825ed045590d0aed9209fb7c3a86c2d0af9b05bbbbea7315d156e8c
                                                    • Opcode Fuzzy Hash: 138b4589fff14f79146b4c81e53a501c98e6cc4b2bf129928705b8782f8e57ab
                                                    • Instruction Fuzzy Hash: 77F0E971A00221ABC714BB65C80569EB774EF4136DF10827FB416B72E1CBBD5D04D65D
                                                    APIs
                                                    • GetKeyState.USER32(00000011), ref: 0040AD5B
                                                      • Part of subcall function 00409B10: GetForegroundWindow.USER32(?,?,004740F8), ref: 00409B3F
                                                      • Part of subcall function 00409B10: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409B4B
                                                      • Part of subcall function 00409B10: GetKeyboardLayout.USER32(00000000), ref: 00409B52
                                                      • Part of subcall function 00409B10: GetKeyState.USER32(00000010), ref: 00409B5C
                                                      • Part of subcall function 00409B10: GetKeyboardState.USER32(?,?,004740F8), ref: 00409B67
                                                      • Part of subcall function 00409B10: ToUnicodeEx.USER32(0047414C,00000000,?,?,00000010,00000000,00000000), ref: 00409B8A
                                                      • Part of subcall function 00409B10: ToUnicodeEx.USER32(?,?,00000010,00000000,00000000), ref: 00409BE3
                                                      • Part of subcall function 00409D58: SetEvent.KERNEL32(?,?,?,0040AF3F,?,?,?,?,?,00000000), ref: 00409D84
                                                    Strings
                                                    Yara matches
                                                    Similarity
                                                    • API ID: State$KeyboardUnicodeWindow$EventForegroundLayoutProcessThread
                                                    • String ID: [AltL]$[AltR]
                                                    • API String ID: 2738857842-2658077756
                                                    • Opcode ID: 0fd097a0a4b99d70b02a08e9004214b89ee8ccd3163f9cf7526c1a47b2b50f16
                                                    • Instruction ID: d2c0c429c9fe13b3c6c970781ecfc4970ab7400740a1dec538c1fc9fef0a0b20
                                                    • Opcode Fuzzy Hash: 0fd097a0a4b99d70b02a08e9004214b89ee8ccd3163f9cf7526c1a47b2b50f16
                                                    • Instruction Fuzzy Hash: 47E0652134072117C898323EA91E6EE3A228F82B65B80416FF8866BAD6DD6D4D5053CB
                                                    APIs
                                                    • _free.LIBCMT ref: 00448835
                                                      • Part of subcall function 00446AD5: RtlFreeHeap.NTDLL(00000000,00000000,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A), ref: 00446AEB
                                                      • Part of subcall function 00446AD5: GetLastError.KERNEL32(0000000A,?,0044FA60,0000000A,00000000,0000000A,00000000,?,0044FD04,0000000A,00000007,0000000A,?,00450215,0000000A,0000000A), ref: 00446AFD
                                                    Strings
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ErrorFreeHeapLast_free
                                                    • String ID: `@$`@
                                                    • API String ID: 1353095263-20545824
                                                    • Opcode ID: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                    • Instruction ID: fd413ccac38a9f67c3de8d393d9e933a11814297f80871467d1a397382efd299
                                                    • Opcode Fuzzy Hash: 9a963da6b0d453c70d37714207bd95daf40472698ea915a46c6a843fe12f4396
                                                    • Instruction Fuzzy Hash: 4DE06D371006059F8720DE6DD400A86B7E5EF95720720852AE89DE3710D731E812CB40
                                                    APIs
                                                    • GetKeyState.USER32(00000012), ref: 0040ADB5
                                                    Strings
                                                    Yara matches
                                                    Similarity
                                                    • API ID: State
                                                    • String ID: [CtrlL]$[CtrlR]
                                                    • API String ID: 1649606143-2446555240
                                                    • Opcode ID: 8f256fbae12a6d1972e20e0d193ff0540306bf2bf736503aba8af0ee0077a29a
                                                    • Instruction ID: 615b7dbe40c0b8188db9493e0f2b19f017fb36a74fa458c508a435569d7d4a1e
                                                    • Opcode Fuzzy Hash: 8f256fbae12a6d1972e20e0d193ff0540306bf2bf736503aba8af0ee0077a29a
                                                    • Instruction Fuzzy Hash: 71E0862170071117C514353DD61A67F39228F41776F80013FF882ABAC6E96D8D6023CB
                                                    APIs
                                                    • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040BFB2,00000000,004742E0,004742F8,?,pth_unenc), ref: 00412988
                                                    • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412998
                                                    Strings
                                                    • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412986
                                                    Yara matches
                                                    Similarity
                                                    • API ID: DeleteOpenValue
                                                    • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                                                    • API String ID: 2654517830-1051519024
                                                    • Opcode ID: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                    • Instruction ID: 4813e9247c8a4fa7715124fbb4df20ddc3d96ddce1d5e270e7c0f337b45b5704
                                                    • Opcode Fuzzy Hash: 37dabd9028f0cede140cc98497e4e15f557d68d096268be44a89a64eb946223e
                                                    • Instruction Fuzzy Hash: 0AE01270310304BFEF104F61ED06FDB37ACBB80B89F004165F505E5191E2B5DD54A658
                                                    APIs
                                                    • DeleteFileW.KERNEL32(00000000,?,pth_unenc), ref: 0040AF84
                                                    • RemoveDirectoryW.KERNEL32(00000000,?,pth_unenc), ref: 0040AFAF
                                                    Strings
                                                    Yara matches
                                                    Similarity
                                                    • API ID: DeleteDirectoryFileRemove
                                                    • String ID: pth_unenc
                                                    • API String ID: 3325800564-4028850238
                                                    • Opcode ID: 2e8d6704218f96b318e7a73bad0b28a6b8edcd2455483e95ffe0dafda84626ef
                                                    • Instruction ID: b68931c7331ddc333ece9e06749e281aefc344294653c9eba2f2de372e339d66
                                                    • Opcode Fuzzy Hash: 2e8d6704218f96b318e7a73bad0b28a6b8edcd2455483e95ffe0dafda84626ef
                                                    • Instruction Fuzzy Hash: FEE046715112108BC610AB31EC44AEBB398AB05316F00487FF8D3A36A1DE38A988CA98
                                                    APIs
                                                    • TerminateProcess.KERNEL32(00000000,pth_unenc,0040E670), ref: 004116A9
                                                    • WaitForSingleObject.KERNEL32(000000FF), ref: 004116BC
                                                    Strings
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ObjectProcessSingleTerminateWait
                                                    • String ID: pth_unenc
                                                    • API String ID: 1872346434-4028850238
                                                    • Opcode ID: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                                                    • Instruction ID: 4302d9c34f7b4dbdac7fc8682473a51625df35810590c52ad239c14707b44b4b
                                                    • Opcode Fuzzy Hash: 0bcc8583bbfeaf574487765c88b71504591df5916e82e2463f0204abfb9b1fb3
                                                    • Instruction Fuzzy Hash: C1D0C938559211AFD7614B68BC08B453B6AA745222F108277F828413F1C72598A4AE1C
                                                    APIs
                                                    • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401AD8), ref: 0043FB04
                                                    • GetLastError.KERNEL32 ref: 0043FB12
                                                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043FB6D
                                                    Memory Dump Source
                                                    • Source File: 00000000.00000002.4472944937.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                    • Associated: 00000000.00000002.4472931953.0000000000400000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4472977858.0000000000457000.00000002.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000470000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473037309.0000000000473000.00000004.00000001.01000000.00000003.sdmp
                                                    • Associated: 00000000.00000002.4473064592.0000000000476000.00000002.00000001.01000000.00000003.sdmp
                                                    Joe Sandbox IDA Plugin
                                                    • Snapshot File: hcaresult_0_2_400000_17363482249a873460757a9239193679567953c11d17b898ff9845034e34f5d2e7f452.jbxd
                                                    Yara matches
                                                    Similarity
                                                    • API ID: ByteCharMultiWide$ErrorLast
                                                    • String ID:
                                                    • API String ID: 1717984340-0
                                                    • Opcode ID: a3a9a9c7793c2081db5377885f607edf127f94d6c053b0090e31d102b176707d
                                                    • Instruction ID: 94dc36b571f96c0084dd62d2177e44ea0606df48237064e9d41db09688609199
                                                    • Opcode Fuzzy Hash: a3a9a9c7793c2081db5377885f607edf127f94d6c053b0090e31d102b176707d
                                                    • Instruction Fuzzy Hash: 66413870E00206AFCF219F64C854A6BF7A9EF09320F1451BBF8585B2A1E738AC09C759